This post mainly supplements the background for CVE-2018-12207 (the "machine check error on page size change" erratum). The original writeup is very good; reading it in full is recommended.

Description of errata

Software sequences that may lead to machine check error code 0150H can be summarized as follows:

  1. Code is fetched from a linear address translated using a 4 KB translation cached in the ITLB.
  2. Software modifies the paging structures so that the same linear address is translated using a large page (2 MB, 4 MB, or 1 GB) with a different physical address or memory type.
  3. After the paging structure modification, but before software invalidates any ITLB entries for the linear address, code fetch happens again on the same linear address.
  4. This may cause a machine-check error (IA32_MCi_STATUS.MCACOD=150H), which can result in a system hang or shutdown.

extension1

The VMM can use Extended Page Tables (EPT) to enforce that every guest-physical address is mapped with a 4 KB EPT page, so that guest software cannot change the page size the hardware uses for its translations (the guest may still write large-page entries into its own paging structures, but the resulting TLB entry is never larger than 4 KB).

For correctness, the TLB must consider the page size for a given translation to be the smaller of the nested and guest page sizes.

From ASPLOS'08, "Accelerating Two-Dimensional Page Walks for Virtualized Systems" (Bhargava et al.), section 2.4 Large Page Size.
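To make the four-step sequence in the errata and the "smaller of the nested and guest page sizes" rule concrete, here is an added model in C. It is not code from the original post, from Intel, or from the ASPLOS paper: it uses a toy 8-entry ITLB, a constructed linear address, takes guest-physical to host-physical as identity so that EPT only constrains the page size, and reports the erratum's trigger condition as a return value (real hardware may or may not machine-check on it). `remap_scenario` runs steps 1-4 three ways: with no invalidation, with INVLPG between the remap and the next fetch, and with the VMM's EPT limited to 4 KB pages.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Page sizes as log2(bytes): 4 KB, 2 MB, 4 MB, 1 GB. */
enum page_size { PG_4K = 12, PG_2M = 21, PG_4M = 22, PG_1G = 30 };

/* Current translation of a linear address: size, physical page base,
 * and the memory type a fetch would use (PAT/MTRR encoding, 6 = WB). */
struct translation { enum page_size size; uint64_t phys_base; uint8_t memtype; };

/* Toy ITLB (a model, not real CPU state): lin_base is the linear page covered. */
struct itlb_entry { bool valid; uint64_t lin_base; struct translation tr; };
#define ITLB_ENTRIES 8
struct itlb { struct itlb_entry e[ITLB_ENTRIES]; };

static uint64_t page_base(uint64_t a, enum page_size sz) { return a & ~((1ULL << sz) - 1); }

/* Physical address of lin under a translation whose page contains it. */
static uint64_t translate(uint64_t lin, const struct translation *tr)
{
    return tr->phys_base | (lin & ((1ULL << tr->size) - 1));
}

static struct itlb_entry *itlb_lookup(struct itlb *t, uint64_t lin)
{
    for (int i = 0; i < ITLB_ENTRIES; i++)
        if (t->e[i].valid && page_base(lin, t->e[i].tr.size) == t->e[i].lin_base)
            return &t->e[i];
    return NULL;
}

/* INVLPG: drop every cached entry covering lin (the action step 3 omits). */
static void itlb_invlpg(struct itlb *t, uint64_t lin)
{
    struct itlb_entry *e;
    while ((e = itlb_lookup(t, lin)) != NULL)
        e->valid = false;
}

enum fetch_result { FETCH_OK = 0, FETCH_MCE_0150H = 1 };

/* Code fetch from lin while the paging structures currently say cur.
 * Erratum trigger: a 4 KB entry for lin is still cached, the structures
 * now use a large page, and that page yields a different physical address
 * or memory type. The model reports it; hardware may raise MCACOD 0150H. */
static enum fetch_result code_fetch(struct itlb *t, uint64_t lin,
                                    const struct translation *cur)
{
    struct itlb_entry *hit = itlb_lookup(t, lin);
    if (hit) {
        if (hit->tr.size == PG_4K && cur->size != PG_4K &&
            (translate(lin, &hit->tr) != translate(lin, cur) ||
             hit->tr.memtype != cur->memtype))
            return FETCH_MCE_0150H;
        return FETCH_OK;                         /* ordinary ITLB hit */
    }
    struct itlb_entry *slot = &t->e[0];          /* miss: fill a free slot */
    for (int i = 0; i < ITLB_ENTRIES; i++)
        if (!t->e[i].valid) { slot = &t->e[i]; break; }
    slot->valid = true;
    slot->lin_base = page_base(lin, cur->size);
    slot->tr = *cur;
    return FETCH_OK;
}

/* Two-dimensional walk rule from the ASPLOS'08 paper: the TLB caches at
 * most the smaller of the guest and nested (EPT) page sizes. Guest-physical
 * to host-physical is identity here (model assumption), so EPT only
 * constrains the size. */
static struct translation effective(uint64_t lin, struct translation guest,
                                    enum page_size ept)
{
    struct translation t = guest;
    t.size = guest.size < ept ? guest.size : ept;
    t.phys_base = page_base(translate(lin, &guest), t.size);
    return t;
}

/* Steps 1-4 of the erratum: a 4 KB code page is re-mapped as a 2 MB page
 * at a different physical address. invalidate = do the INVLPG between the
 * remap and the next fetch; ept = largest page size the VMM's EPT allows
 * for the region (PG_1G = no constraint, i.e. bare-metal behaviour). */
static enum fetch_result remap_scenario(bool invalidate, enum page_size ept)
{
    struct itlb tlb = {0};
    const uint64_t lin = 0x7f0000401000ULL;      /* constructed address */
    struct translation pg4k = { PG_4K, 0x100001000ULL, 6 };
    struct translation pg2m = { PG_2M, 0x200000000ULL, 6 };

    struct translation before = effective(lin, pg4k, ept);
    code_fetch(&tlb, lin, &before);              /* step 1: 4 KB entry cached */
    struct translation after = effective(lin, pg2m, ept); /* step 2: remap */
    if (invalidate)
        itlb_invlpg(&tlb, lin);                  /* the mitigation */
    return code_fetch(&tlb, lin, &after);        /* step 3, and maybe step 4 */
}

int main(void)
{
    printf("no INVLPG, no EPT limit : %d\n", remap_scenario(false, PG_1G));
    printf("INVLPG first            : %d\n", remap_scenario(true, PG_1G));
    printf("no INVLPG, EPT forces 4K: %d\n", remap_scenario(false, PG_4K));
    return 0;
}
```

The third case is the point of extension1: the guest still swapped a 4 KB mapping for a 2 MB one, but because `effective` clamps the size to the EPT page size, the ITLB never sees anything but 4 KB entries, so the fetch degrades to an ordinary stale-TLB hit rather than the size-change condition the erratum describes.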

extension2

The sequence above requires bit 10 (Execute access for user-mode linear address) to be treated in the same manner as bit 2 when mode-based execution controls are active (the mode-based execute control for EPT feature is present and the VM execution control is set to 1).

  • Bit 2 of each EPT paging-structure entry is X (eXecute); 1 means instruction fetches are allowed from the region

    • If Secondary Processor-Based VM-Execution Controls.Mode-based execute control for EPT[bit 22] is 1, then this bit set to 1 only allows fetches from the guest's supervisor-mode (kernel) linear addresses, not from its user-mode linear addresses
  • Bit 10 of each EPT paging-structure entry is XU (eXecute for User); 1 means instruction fetches from the guest's user-mode linear addresses are allowed

    • Effective only when Secondary Processor-Based VM-Execution Controls.Mode-based execute control for EPT[bit 22] is 1; otherwise the bit is ignored

From Intel SDM Chapter 28: VMX Support for Address Translation
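The X / XU split above is easy to get wrong in a VMM, so here is an added example in C (not code from the original post, from the SDM, or from any real hypervisor) that encodes the permission rule for a single EPT entry, AND-s it across the levels of a walk, and builds the leaf bits for a given execute policy. The presence rule follows the SDM: an entry is present if any of bits 2:0 is set, or, with mode-based execute control on, if bit 10 alone is set. The four-level walk in `main` is constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits of an EPT paging-structure entry (same at every level). */
#define EPT_R   (1ULL << 0)   /* read */
#define EPT_W   (1ULL << 1)   /* write */
#define EPT_X   (1ULL << 2)   /* execute; with MBEC, supervisor-mode fetches only */
#define EPT_XU  (1ULL << 10)  /* execute from user-mode linear addresses; MBEC only */

enum ept_access { EPT_READ, EPT_WRITE, EPT_FETCH_SUPERVISOR, EPT_FETCH_USER };

/* SDM presence rule: any of bits 2:0 set; with MBEC on, bit 10 alone also
 * makes the entry present (a user-mode execute-only translation). */
static bool ept_present(uint64_t entry, bool mbec)
{
    return (entry & (EPT_R | EPT_W | EPT_X)) != 0 || (mbec && (entry & EPT_XU) != 0);
}

/* mbec: "mode-based execute control for EPT" (secondary control bit 22) is 1.
 * Without it bit 10 is ignored and bit 2 governs fetches from both modes. */
static bool ept_entry_permits(uint64_t entry, enum ept_access a, bool mbec)
{
    if (!ept_present(entry, mbec))
        return false;
    switch (a) {
    case EPT_READ:             return (entry & EPT_R) != 0;
    case EPT_WRITE:            return (entry & EPT_W) != 0;
    case EPT_FETCH_SUPERVISOR: return (entry & EPT_X) != 0;
    case EPT_FETCH_USER:       return (entry & (mbec ? EPT_XU : EPT_X)) != 0;
    }
    return false;
}

/* An access is allowed only if every level of the walk (PML4E, PDPTE, PDE,
 * PTE or large-page leaf) permits it. Returns the index of the first level
 * that denies, or -1 when the access goes through. */
static int ept_walk_denied_at(const uint64_t *levels, int n, enum ept_access a, bool mbec)
{
    for (int i = 0; i < n; i++)
        if (!ept_entry_permits(levels[i], a, mbec))
            return i;
    return -1;
}

/* Leaf bits a VMM must write for a wanted execute policy. With MBEC on,
 * bit 10 has to accompany bit 2 or user-mode guest code stops running,
 * which is what the extension2 text is asking for. Without MBEC the two
 * modes cannot be separated, so a user-only policy fails closed (no X). */
static uint64_t ept_leaf_for_policy(bool mbec, bool supervisor_exec, bool user_exec)
{
    uint64_t leaf = EPT_R | EPT_W;
    if (supervisor_exec)
        leaf |= EPT_X;
    if (mbec && user_exec)
        leaf |= EPT_XU;
    return leaf;
}

int main(void)
{
    /* Constructed 4-level walk: the PDE (index 2) lacks XU. */
    uint64_t levels[4] = { EPT_R|EPT_W|EPT_X|EPT_XU, EPT_R|EPT_W|EPT_X|EPT_XU,
                           EPT_R|EPT_W|EPT_X,        EPT_R|EPT_W|EPT_X|EPT_XU };
    printf("user fetch, MBEC on : denied at level %d\n",
           ept_walk_denied_at(levels, 4, EPT_FETCH_USER, true));
    printf("user fetch, MBEC off: denied at level %d\n",
           ept_walk_denied_at(levels, 4, EPT_FETCH_USER, false));
    printf("XU-only leaf present without MBEC: %d\n", (int)ept_present(EPT_XU, false));
    return 0;
}
```

With MBEC on the user fetch is refused at the PDE even though the leaf carries XU, because the bit must be set at every level; with MBEC off the same walk succeeds, since bit 10 is ignored and bit 2 is set everywhere. The XU-only entry shows the other side of the same rule: it is a valid user-mode execute-only translation with MBEC, and simply "not present" without it.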