cpuarch/vmsa: fix soundness issue with GuestVMExit

Previously, it was possible for a guest to exit with an exit code undefined in the GuestVMExit enum, leading to undefined behavior. As suggested by @Freax13 in coconut-svsm#359, we can replace this by a tuple struct, allowing unknown values. Signed-off-by: Thomas Leroy <[email protected]>
p4zuu · Oct 10, 2024 · fdca366 · fdca366
1 parent 0242978
commit fdca366
Showing 1 changed file with 56 additions and 35 deletions.
diff --git a/cpuarch/src/vmsa.rs b/cpuarch/src/vmsa.rs
@@ -6,43 +6,64 @@
 
 use bitfield_struct::bitfield;
 
+#[derive(Clone, Copy, Debug, PartialEq)]
+#[allow(dead_code, non_camel_case_types)]
+pub struct GuestVMExit(u64);
+
+macro_rules! guest_vmexits {
+    (
+        $(
+            ($exit:ident, $value:expr);
+        )+
+    ) => {
+        impl GuestVMExit {
+        $(
+            pub const $exit: Self = Self($value);
+        )+
+        }
+    };
+}
+
+impl Default for GuestVMExit {
+    #[inline]
+    fn default() -> Self {
+        Self::INVALID
+    }
+}
+
 // AE Exitcodes
 // Table 15-35, AMD64 Architecture Programmer’s Manual, Vol. 2
-#[repr(u64)]
-#[derive(Clone, Copy, Default, Debug)]
-#[allow(dead_code, non_camel_case_types)]
-pub enum GuestVMExit {
-    MC = 0x52,
-    INTR = 0x60,
-    NMI = 0x61,
-    SMI = 0x62,
-    INIT = 0x63,
-    VINTR = 0x64,
-    PAUSE = 0x77,
-    HLT = 0x78,
-    SHUTDOWN = 0x7F,
-    EFER_WRITE_TRAP = 0x8F,
-    CR0_WRITE_TRAP = 0x90,
-    CR1_WRITE_TRAP = 0x91,
-    CR2_WRITE_TRAP = 0x92,
-    CR3_WRITE_TRAP = 0x93,
-    CR4_WRITE_TRAP = 0x94,
-    CR5_WRITE_TRAP = 0x95,
-    CR6_WRITE_TRAP = 0x96,
-    CR7_WRITE_TRAP = 0x97,
-    CR8_WRITE_TRAP = 0x98,
-    CR9_WRITE_TRAP = 0x99,
-    CR10_WRITE_TRAP = 0x9a,
-    CR11_WRITE_TRAP = 0x9b,
-    CR12_WRITE_TRAP = 0x9c,
-    CR13_WRITE_TRAP = 0x9d,
-    CR14_WRITE_TRAP = 0x9e,
-    CR15_WRITE_TRAP = 0x9f,
-    NPF = 0x400,
-    VMGEXIT = 0x403,
-    #[default]
-    INVALID = 0xffffffffffffffff,
-    BUSY = 0xfffffffffffffffe,
+guest_vmexits! {
+    (MC, 0x52);
+    (INTR, 0x60);
+    (NMI, 0x61);
+    (SMI, 0x62);
+    (INIT, 0x63);
+    (VINTR, 0x64);
+    (PAUSE, 0x77);
+    (HLT, 0x78);
+    (SHUTDOWN, 0x7F);
+    (EFER_WRITE_TRAP, 0x8F);
+    (CR0_WRITE_TRAP, 0x90);
+    (CR1_WRITE_TRAP, 0x91);
+    (CR2_WRITE_TRAP, 0x92);
+    (CR3_WRITE_TRAP, 0x93);
+    (CR4_WRITE_TRAP, 0x94);
+    (CR5_WRITE_TRAP, 0x95);
+    (CR6_WRITE_TRAP, 0x96);
+    (CR7_WRITE_TRAP, 0x97);
+    (CR8_WRITE_TRAP, 0x98);
+    (CR9_WRITE_TRAP, 0x99);
+    (CR10_WRITE_TRAP, 0x9a);
+    (CR11_WRITE_TRAP, 0x9b);
+    (CR12_WRITE_TRAP, 0x9c);
+    (CR13_WRITE_TRAP, 0x9d);
+    (CR14_WRITE_TRAP, 0x9e);
+    (CR15_WRITE_TRAP, 0x9f);
+    (NPF, 0x400);
+    (VMGEXIT, 0x403);
+    (INVALID, 0xffffffffffffffff);
+    (BUSY, 0xfffffffffffffffe);
 }
 
 #[bitfield(u64)]