RE: [PATCH] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue

From: Duan, Zhenzhong
Date: Sat Sep 25 2021 - 21:43:46 EST


>-----Original Message-----
>From: Sean Christopherson <seanjc@xxxxxxxxxx>
>Sent: Wednesday, September 8, 2021 8:08 AM
>To: Duan, Zhenzhong <zhenzhong.duan@xxxxxxxxx>
>Cc: kvm@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
>pbonzini@xxxxxxxxxx; vkuznets@xxxxxxxxxx; wanpengli@xxxxxxxxxxx;
>jmattson@xxxxxxxxxx; joro@xxxxxxxxxx
>Subject: Re: [PATCH] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask
>issue
>
>On Mon, Sep 06, 2021, Zhenzhong Duan wrote:
>> Host value of TSX_CTRL_CPUID_CLEAR field should be unchangable by
>> guest, but the mask for this purpose is set to a wrong value. So it
>> doesn't take effect.
>
>It would be helpful to provide a bit more info as to just how bad/boneheaded
>this bug is. E.g.
>
> When updating the host's mask for its MSR_IA32_TSX_CTRL user return entry,
> clear the mask in the found uret MSR instead of vmx->guest_uret_msrs[i].
> Modifying guest_uret_msrs directly is completely broken as 'i' does not
> point at the MSR_IA32_TSX_CTRL entry. In fact, it's guaranteed to be an
> out-of-bounds access as is always set to kvm_nr_uret_msrs in a prior
> loop. By sheer dumb luck, the fallout is limited to "only" failing to
> preserve the host's TSX_CTRL_CPUID_CLEAR. The out-of-bounds access is
> benign as it's guaranteed to clear a bit in a guest MSR value, which are
> always zero at vCPU creation on both x86-64 and i386.
Sorry for the late response, I missed this mail because of a wrong mail rule.
Your comment is clearer; I'll use it in v2.

Thanks
Zhenzhong
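The bug pattern Sean describes above (a loop index that has run to the table size being reused to index that table, instead of the entry a separate lookup returned), as an added C model that is neither the patch nor KVM's code; every struct, constant and function name here is an assumption for illustration, and the out-of-bounds write is refused rather than performed so the model stays well defined:

```c
#include <stdint.h>
#include <stddef.h>
/* Simplified model of a per-vCPU user-return MSR table; names, layout and constants are assumed, not KVM's. */
#define MSR_IA32_TSX_CTRL     0x122u       /* MSR index assumed */
#define TSX_CTRL_CPUID_CLEAR  (1ULL << 1)  /* bit position assumed */
#define NR_URET_MSRS          3
struct uret_msr { uint32_t msr; uint64_t mask; };
struct vcpu { struct uret_msr guest_uret_msrs[NR_URET_MSRS]; };
/* The "prior loop": it walks every entry, so on exit i == NR_URET_MSRS. */
static unsigned init_masks(struct vcpu *v)
{
	unsigned i;
	for (i = 0; i < NR_URET_MSRS; i++)
		v->guest_uret_msrs[i].mask = ~0ULL;  /* every bit guest-changeable */
	return i;
}
static struct uret_msr *find_uret_msr(struct vcpu *v, uint32_t msr)
{
	for (unsigned j = 0; j < NR_URET_MSRS; j++)
		if (v->guest_uret_msrs[j].msr == msr)
			return &v->guest_uret_msrs[j];
	return NULL;
}
/* Buggy shape: indexes the table with the stale loop index. The out-of-bounds
 * case is refused here rather than performed, so the model stays well defined. */
static int update_mask_buggy(struct vcpu *v, unsigned i)
{
	if (i >= NR_URET_MSRS) return -1;  /* the real bug wrote past the table */
	v->guest_uret_msrs[i].mask &= ~TSX_CTRL_CPUID_CLEAR;
	return 0;
}
/* Fixed shape: clear the bit in the entry that was actually found. */
static int update_mask_fixed(struct vcpu *v)
{
	struct uret_msr *m = find_uret_msr(v, MSR_IA32_TSX_CTRL);
	if (!m) return -1;
	m->mask &= ~TSX_CTRL_CPUID_CLEAR;
	return 0;
}
/* Exercises both shapes; returns 0xF when every observation matches the thread. */
static unsigned run_model(void)
{
	struct vcpu v = { { { 0x1u, 0 }, { MSR_IA32_TSX_CTRL, 0 }, { 0x2u, 0 } } };
	unsigned i = init_masks(&v), seen = (i == NR_URET_MSRS) ? 1u : 0u;
	if (update_mask_buggy(&v, i) < 0) seen |= 2u;             /* OOB index refused */
	if (update_mask_fixed(&v) == 0 &&
	    !(v.guest_uret_msrs[1].mask & TSX_CTRL_CPUID_CLEAR)) seen |= 4u; /* host bit now protected */
	if (v.guest_uret_msrs[0].mask & v.guest_uret_msrs[2].mask & TSX_CTRL_CPUID_CLEAR) seen |= 8u;
	return seen;
}
```

Running `run_model()` shows the stale index landing one past the end of the table, which is why the buggy form never touched the TSX_CTRL entry's mask.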