summary refs log tree commit diff stats
path: root/results/classifier/118/review/2582
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/review/2582')
-rw-r--r--results/classifier/118/review/258283
1 files changed, 83 insertions, 0 deletions
diff --git a/results/classifier/118/review/2582 b/results/classifier/118/review/2582
new file mode 100644
index 000000000..0120f43a9
--- /dev/null
+++ b/results/classifier/118/review/2582
@@ -0,0 +1,83 @@
+semantic: 0.962
+virtual: 0.882
+kernel: 0.874
+architecture: 0.842
+ppc: 0.828
+device: 0.784
+graphic: 0.771
+PID: 0.707
+permissions: 0.687
+vnc: 0.674
+KVM: 0.625
+VMM: 0.561
+debug: 0.546
+risc-v: 0.511
+network: 0.506
+performance: 0.504
+register: 0.501
+socket: 0.498
+TCG: 0.370
+hypervisor: 0.359
+files: 0.355
+boot: 0.327
+peripherals: 0.302
+arm: 0.292
+assembly: 0.274
+x86: 0.263
+mistranslation: 0.252
+i386: 0.186
+user-level: 0.160
+--------------------
+kernel: 0.973
+KVM: 0.942
+virtual: 0.940
+hypervisor: 0.589
+assembly: 0.562
+debug: 0.470
+semantic: 0.152
+TCG: 0.073
+register: 0.063
+files: 0.035
+PID: 0.020
+device: 0.020
+socket: 0.013
+x86: 0.010
+architecture: 0.008
+network: 0.006
+vnc: 0.005
+performance: 0.005
+boot: 0.003
+VMM: 0.003
+user-level: 0.002
+peripherals: 0.002
+graphic: 0.002
+risc-v: 0.002
+permissions: 0.002
+i386: 0.001
+mistranslation: 0.001
+arm: 0.000
+ppc: 0.000
+
+CR4.VMX leaks from L1 into L2 on Intel VMX
+Description of problem:
+In a nested virtualization setting, `savevm` can cause CR4 bits from leaking from L1 into L2. This causes general-protection faults in certain guests.
+
+The L2 guest executes this code:
+
+```
+mov rax, cr4  ; Get CR4​
+mov rcx, rax  ; Remember the old value​
+btc rax, 7    ; Toggle CR4.PGE​
+mov cr4, rax  ; #GP! <- Shouldn't happen!​
+mov cr4, rcx  ; Restore old value
+```
+
+If the guest code is interrupted at the right time (e.g. via `savevm`), Qemu marks CR4 dirty while the guest executes L2 code. Due to really complicated KVM semantics, this will result in L1 CR4 bits (VMXE) leaking into the L2 guest and the L2 will die with a GP:
+
+Instead of the expected CR4 value, the L2 guest reads a value with VMXE set. When it tries to write this back into CR4, this triggers the general protection fault.
+Steps to reproduce:
+This is only an issue on **Intel** systems.
+
+#
+Additional information:
+See also this discussion where we discussed a (flawed) approach to fixing this in KVM: https://lore.kernel.org/lkml/Zh6WlOB8CS-By3DQ@google.com/t/