Prevent access to remote data, improve remote page faults

fwsGonzo · fwsGonzo · commit 4fcc6bf24802 · 2025-09-16T11:05:20.000+02:00
diff --git a/lib/tinykvm/amd64/builtin/interrupts.asm b/lib/tinykvm/amd64/builtin/interrupts.asm
@@ -239,17 +239,8 @@ ALIGN 0x10
 .vm64_remote_disconnect:
 	out 0, eax
 	;; RAX contains the original FSBASE of this VM
-	stac
 	;; Write to FSBASE MSR
-	push rcx
-	push rdx
-	mov ecx, 0xC0000100  ;; FSBASE
-	mov rdx, rax
-	shr rdx, 32
-	wrmsr
-	pop rdx
-	pop rcx
-	clac
+	wrfsbase rax
 	;; Reset pagetables
 	mov rax, cr3
 	mov cr3, rax
@@ -268,6 +259,7 @@ ALIGN 0x10
 	push rax
 	push rdi
 	mov rdi, cr2 ;; Faulting address
+	mov eax, [rsp + 16] ;; Error code
 	out 128 + 14, eax
 	invlpg [rdi]
 	pop rdi
@@ -281,24 +273,19 @@ ALIGN 0x10
 .vm64_remote_page_fault:
 	;; RAX: Remote FSBASE
 	;; Write to FSBASE MSR
+	wrfsbase rax
 	push rcx
-	push rdx
-	mov ecx, 0xC0000100  ;; FSBASE
-	mov rdx, rax
-	shr rdx, 32
-	wrmsr
 
 	;; Make the next function call return to a custom system call location
 	;; Get remote-disconnect syscall address
 	mov rax, [INTR_ASM_BASE + .vm64_remote_return_addr]
 	;; Get original stack pointer
-	mov rcx, [rsp + 24 + 32] ;; Original RSP
+	mov rcx, [rsp + 16 + 32] ;; Original RSP
 	;; Overwrite the return address
 	stac
 	mov [rcx], rax ;; Return address
 	clac
 
-	pop rdx
 	pop rcx
 	pop rax
 	add rsp, 8 ;; Skip error code
diff --git a/lib/tinykvm/amd64/builtin/kernel_assembly.h b/lib/tinykvm/amd64/builtin/kernel_assembly.h
@@ -1,5 +1,5 @@
 unsigned char interrupts[] = {
-  0x50, 0x01, 0xc2, 0x02, 0x48, 0x03, 0x08, 0x00, 0xca, 0x02, 0x00, 0x00,
+  0x50, 0x01, 0xc2, 0x02, 0x30, 0x03, 0x08, 0x00, 0xca, 0x02, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x00, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -29,9 +29,9 @@ unsigned char interrupts[] = {
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   0x66, 0x3d, 0x9e, 0x00, 0x74, 0x39, 0x66, 0x3d, 0xe4, 0x00, 0x0f, 0x84,
   0xee, 0x00, 0x00, 0x00, 0x83, 0xf8, 0x09, 0x0f, 0x84, 0x40, 0x01, 0x00,
-  0x00, 0x3d, 0x77, 0xf7, 0x01, 0x00, 0x0f, 0x84, 0x7f, 0x01, 0x00, 0x00,
+  0x00, 0x3d, 0x77, 0xf7, 0x01, 0x00, 0x0f, 0x84, 0x6c, 0x01, 0x00, 0x00,
   0x3d, 0x78, 0xf7, 0x01, 0x00, 0x0f, 0x84, 0x51, 0x01, 0x00, 0x00, 0x3d,
-  0x07, 0xf7, 0x01, 0x00, 0x0f, 0x84, 0x72, 0x01, 0x00, 0x00, 0xe7, 0x00,
+  0x07, 0xf7, 0x01, 0x00, 0x0f, 0x84, 0x5f, 0x01, 0x00, 0x00, 0xe7, 0x00,
   0x48, 0x0f, 0x07, 0x0f, 0x01, 0xcb, 0x56, 0x51, 0x52, 0x48, 0x81, 0xff,
   0x02, 0x10, 0x00, 0x00, 0x75, 0x1b, 0xb9, 0x00, 0x01, 0x00, 0xc0, 0x89,
   0xf0, 0x48, 0xc1, 0xee, 0x20, 0x89, 0xf2, 0x0f, 0x30, 0x48, 0x31, 0xc0,
@@ -59,30 +59,28 @@ unsigned char interrupts[] = {
   0x83, 0xf8, 0xff, 0x74, 0x0e, 0x0f, 0x01, 0xcb, 0x50, 0x0f, 0x20, 0xd8,
   0x0f, 0x22, 0xd8, 0x58, 0x0f, 0x01, 0xca, 0x48, 0x0f, 0x07, 0xb8, 0x60,
   0x00, 0x00, 0x00, 0xe7, 0x00, 0xc3, 0xb8, 0xc2, 0x02, 0x00, 0x00, 0xc3,
-  0xe7, 0x00, 0x0f, 0x01, 0xcb, 0x51, 0x52, 0xb9, 0x00, 0x01, 0x00, 0xc0,
-  0x48, 0x89, 0xc2, 0x48, 0xc1, 0xea, 0x20, 0x0f, 0x30, 0x5a, 0x59, 0x0f,
-  0x01, 0xca, 0x0f, 0x20, 0xd8, 0x0f, 0x22, 0xd8, 0x48, 0x0f, 0x07, 0x0f,
-  0x20, 0xd8, 0x0f, 0x22, 0xd8, 0x48, 0x0f, 0x07, 0x48, 0x0f, 0x07, 0x50,
-  0x57, 0x0f, 0x20, 0xd7, 0xe7, 0x8e, 0x0f, 0x01, 0x3f, 0x5f, 0x85, 0xc0,
-  0x75, 0x07, 0x58, 0x48, 0x83, 0xc4, 0x08, 0x48, 0xcf, 0x51, 0x52, 0xb9,
-  0x00, 0x01, 0x00, 0xc0, 0x48, 0x89, 0xc2, 0x48, 0xc1, 0xea, 0x20, 0x0f,
-  0x30, 0x48, 0x8b, 0x04, 0x25, 0x0a, 0x20, 0x00, 0x00, 0x48, 0x8b, 0x4c,
-  0x24, 0x38, 0x0f, 0x01, 0xcb, 0x48, 0x89, 0x01, 0x0f, 0x01, 0xca, 0x5a,
-  0x59, 0x58, 0x48, 0x83, 0xc4, 0x08, 0x48, 0xcf, 0xe7, 0xa1, 0x48, 0xcf,
+  0xe7, 0x00, 0xf3, 0x48, 0x0f, 0xae, 0xd0, 0x0f, 0x20, 0xd8, 0x0f, 0x22,
+  0xd8, 0x48, 0x0f, 0x07, 0x0f, 0x20, 0xd8, 0x0f, 0x22, 0xd8, 0x48, 0x0f,
+  0x07, 0x48, 0x0f, 0x07, 0x50, 0x57, 0x0f, 0x20, 0xd7, 0x8b, 0x44, 0x24,
+  0x10, 0xe7, 0x8e, 0x0f, 0x01, 0x3f, 0x5f, 0x85, 0xc0, 0x75, 0x07, 0x58,
+  0x48, 0x83, 0xc4, 0x08, 0x48, 0xcf, 0xf3, 0x48, 0x0f, 0xae, 0xd0, 0x51,
+  0x48, 0x8b, 0x04, 0x25, 0x0a, 0x20, 0x00, 0x00, 0x48, 0x8b, 0x4c, 0x24,
+  0x30, 0x0f, 0x01, 0xcb, 0x48, 0x89, 0x01, 0x0f, 0x01, 0xca, 0x59, 0x58,
+  0x48, 0x83, 0xc4, 0x08, 0x48, 0xcf, 0xe7, 0xa1, 0x48, 0xcf, 0x90, 0x90,
   0xe7, 0x80, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90, 0xe7, 0x81, 0x48, 0xcf,
   0x90, 0x90, 0x90, 0x90, 0xe7, 0x82, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90,
   0xe7, 0x83, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90, 0xe7, 0x84, 0x48, 0xcf,
   0x90, 0x90, 0x90, 0x90, 0xe7, 0x85, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90,
   0xe7, 0x86, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90, 0xe7, 0x87, 0x48, 0xcf,
-  0x90, 0x90, 0x90, 0x90, 0xe7, 0x88, 0xeb, 0x83, 0x90, 0x90, 0x90, 0x90,
-  0xe7, 0x89, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90, 0xe7, 0x8a, 0xe9, 0x70,
-  0xff, 0xff, 0xff, 0x90, 0xe7, 0x8b, 0xe9, 0x68, 0xff, 0xff, 0xff, 0x90,
-  0xe7, 0x8c, 0xe9, 0x60, 0xff, 0xff, 0xff, 0x90, 0xe7, 0x8d, 0xe9, 0x58,
-  0xff, 0xff, 0xff, 0x90, 0xe9, 0x42, 0xff, 0xff, 0xff, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0xe7, 0x88, 0xeb, 0x8c, 0x90, 0x90, 0x90, 0x90,
+  0xe7, 0x89, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90, 0xe7, 0x8a, 0xe9, 0x79,
+  0xff, 0xff, 0xff, 0x90, 0xe7, 0x8b, 0xe9, 0x71, 0xff, 0xff, 0xff, 0x90,
+  0xe7, 0x8c, 0xe9, 0x69, 0xff, 0xff, 0xff, 0x90, 0xe7, 0x8d, 0xe9, 0x61,
+  0xff, 0xff, 0xff, 0x90, 0xe9, 0x47, 0xff, 0xff, 0xff, 0x90, 0x90, 0x90,
   0xe7, 0x8f, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90, 0xe7, 0x90, 0x48, 0xcf,
-  0x90, 0x90, 0x90, 0x90, 0xe7, 0x91, 0xe9, 0x38, 0xff, 0xff, 0xff, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0xe7, 0x91, 0xe9, 0x41, 0xff, 0xff, 0xff, 0x90,
   0xe7, 0x92, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90, 0xe7, 0x93, 0x48, 0xcf,
   0x90, 0x90, 0x90, 0x90, 0xe7, 0x94, 0x48, 0xcf, 0x90, 0x90, 0x90, 0x90,
-  0xe9, 0x4f, 0xff, 0xff, 0xff
+  0xe9, 0x4d, 0xff, 0xff, 0xff
 };
-unsigned int interrupts_len = 1013;
+unsigned int interrupts_len = 989;
diff --git a/lib/tinykvm/vcpu_run.cpp b/lib/tinykvm/vcpu_run.cpp
@@ -281,6 +281,13 @@ long vCPU::run_once()
 						this->handle_exception(intr);
 						Machine::machine_exception("Remote VM page fault while already connected", intr);
 					}
+					/* Check that the error code is instruction fetch failed */
+					const uint32_t errcode = regs.rax;
+					if ((errcode & 0x10) == 0) {
+						// Not an instruction fetch, something is fishy
+						this->handle_exception(intr);
+						Machine::machine_exception("Remote VM page fault", intr);
+					}
 					/* Remote VM page fault */
 					uint64_t retstack; machine().unsafe_copy_from_guest(&retstack, regs.rsp + 16 + 32, 8);
 					uint64_t retaddr; machine().unsafe_copy_from_guest(&retaddr, retstack, 8);
