Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3693328ybv; Mon, 10 Feb 2020 04:50:03 -0800 (PST) X-Google-Smtp-Source: APXvYqyj4q5K3or5jxT7ehdwCGk0mEGchFqjaPrkvgwkonJEfJPhx8LhEjJ6wq4lsTfdXYmwpo+P X-Received: by 2002:a9d:5786:: with SMTP id q6mr896361oth.164.1581339003118; Mon, 10 Feb 2020 04:50:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581339003; cv=none; d=google.com; s=arc-20160816; b=PMEHdj7cMe1uWLJ7xTgwjByTn9Z0Pev+K4mtVA0L9n4pO9zsEGvzW5JHkSLDEx5GL3 0wdmIYKjj6q2ZUqF0pSmoEig6F9wnnObnIvQrrWcVWrnx207B+tW8oWnKCMggrD3IJwS n34HSFxfirlxU6lxwg5iNXDgnf3Zt8QjMEplZVzAUA8dezbux92xA88+piIbpUTFnjjI DZtcoSPfznkmTUNpp9FmVfV+gEqnV7SD0txB3EH4HezdKExDeMBx7FGTRKPLD9E/qGe9 9WaeTmjatOd01Yf2jVYKMjkUte3N6SNRv3sX5ImZSGrUfR6zlaEZFMzxzUjJsuWnjc/+ ZE+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=o91RXpUs1js+lYTrvrbk7uFtIi18uHTGXAGVJOIJyTM=; b=uIFYarv0gkJu/livUPW9EXzI5wZZ0OrSDHMOGg1SbCt6CaQRSEROBn9qIqlUU0sFSW lqJUZewsecdU3fHPBOExER3WcazlvTV+2K3Gpu7E/FJtp46iuggAGb04ZFj329i1pDRB QitrrWykI0UoDTJt7svVT+TsmgHl1zZ1DqnXD8UpH0e3si7Yi4mB3xztrYaSZHmtDdgX 5nVKHVnpILwiggNQDc9tPbYb/CNIit6HpU2oypkp3ciQZj0/l8unYXnV3W24AoQTxBh1 hCwbhxKUX7DYJ+JF1/zxKIFq9/DCZCnbZylt4tU2Uj2kX36/RZFG6O2m3VGweEhu2hSn dWoQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dN4+wIxD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a25si149971otr.39.2020.02.10.04.49.51; Mon, 10 Feb 2020 04:50:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dN4+wIxD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730636AbgBJMqe (ORCPT + 99 others); Mon, 10 Feb 2020 07:46:34 -0500 Received: from mail.kernel.org ([198.145.29.99]:44390 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729774AbgBJMll (ORCPT ); Mon, 10 Feb 2020 07:41:41 -0500 Received: from localhost (unknown [209.37.97.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9A3D920873; Mon, 10 Feb 2020 12:41:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581338499; bh=Tb2jPBPSRqUAgGFfFZZEU3pNq6LWTLvg9mFA+YbC4kg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dN4+wIxDhDu6jr2u/hgdUoW9IVrZzwPt7/FslLZ3gXAlp94cYM/zd6Nk8w0OlO4UK hk4OCujjMaEVbnw3ZbEbTO+9ZJk6KdDfIu4b1BLVhAft47A20NpMfkq/ElsF+2XJSk PzHCvT/NcCcWuqQ+61nhO8YIfOckTbdcfd6o6uuo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jun Nakajima , Sean Christopherson , Paolo Bonzini Subject: [PATCH 5.5 252/367] KVM: x86: Dont let userspace set host-reserved cr4 bits Date: Mon, 10 Feb 2020 04:32:45 -0800 Message-Id: <20200210122447.613164170@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200210122423.695146547@linuxfoundation.org> References: <20200210122423.695146547@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Christopherson commit b11306b53b2540c6ba068c4deddb6a17d9f8d95b upstream. Calculate the host-reserved cr4 bits at runtime based on the system's capabilities (using logic similar to __do_cpuid_func()), and use the dynamically generated mask for the reserved bit check in kvm_set_cr4() instead using of the static CR4_RESERVED_BITS define. This prevents userspace from "enabling" features in cr4 that are not supported by the system, e.g. by ignoring KVM_GET_SUPPORTED_CPUID and specifying a bogus CPUID for the vCPU. Allowing userspace to set unsupported bits in cr4 can lead to a variety of undesirable behavior, e.g. failed VM-Enter, and in general increases KVM's attack surface. A crafty userspace can even abuse CR4.LA57 to induce an unchecked #GP on a WRMSR. On a platform without LA57 support: KVM_SET_CPUID2 // CPUID_7_0_ECX.LA57 = 1 KVM_SET_SREGS // CR4.LA57 = 1 KVM_SET_MSRS // KERNEL_GS_BASE = 0x0004000000000000 KVM_RUN leads to a #GP when writing KERNEL_GS_BASE into hardware: unchecked MSR access error: WRMSR to 0xc0000102 (tried to write 0x0004000000000000) at rIP: 0xffffffffa00f239a (vmx_prepare_switch_to_guest+0x10a/0x1d0 [kvm_intel]) Call Trace: kvm_arch_vcpu_ioctl_run+0x671/0x1c70 [kvm] kvm_vcpu_ioctl+0x36b/0x5d0 [kvm] do_vfs_ioctl+0xa1/0x620 ksys_ioctl+0x66/0x70 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x4c/0x170 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fc08133bf47 Note, the above sequence fails VM-Enter due to invalid guest state. Userspace can allow VM-Enter to succeed (after the WRMSR #GP) by adding a KVM_SET_SREGS w/ CR4.LA57=0 after KVM_SET_MSRS, in which case KVM will technically leak the host's KERNEL_GS_BASE into the guest. But, as KERNEL_GS_BASE is a userspace-defined value/address, the leak is largely benign as a malicious userspace would simply be exposing its own data to the guest, and attacking a benevolent userspace would require multiple bugs in the userspace VMM. Cc: stable@vger.kernel.org Cc: Jun Nakajima Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/x86.c | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -93,6 +93,8 @@ u64 __read_mostly efer_reserved_bits = ~ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE); #endif +static u64 __read_mostly cr4_reserved_bits = CR4_RESERVED_BITS; + #define VM_STAT(x, ...) offsetof(struct kvm, stat.x), KVM_STAT_VM, ## __VA_ARGS__ #define VCPU_STAT(x, ...) offsetof(struct kvm_vcpu, stat.x), KVM_STAT_VCPU, ## __VA_ARGS__ @@ -879,9 +881,38 @@ int kvm_set_xcr(struct kvm_vcpu *vcpu, u } EXPORT_SYMBOL_GPL(kvm_set_xcr); +static u64 kvm_host_cr4_reserved_bits(struct cpuinfo_x86 *c) +{ + u64 reserved_bits = CR4_RESERVED_BITS; + + if (!cpu_has(c, X86_FEATURE_XSAVE)) + reserved_bits |= X86_CR4_OSXSAVE; + + if (!cpu_has(c, X86_FEATURE_SMEP)) + reserved_bits |= X86_CR4_SMEP; + + if (!cpu_has(c, X86_FEATURE_SMAP)) + reserved_bits |= X86_CR4_SMAP; + + if (!cpu_has(c, X86_FEATURE_FSGSBASE)) + reserved_bits |= X86_CR4_FSGSBASE; + + if (!cpu_has(c, X86_FEATURE_PKU)) + reserved_bits |= X86_CR4_PKE; + + if (!cpu_has(c, X86_FEATURE_LA57) && + !(cpuid_ecx(0x7) & bit(X86_FEATURE_LA57))) + reserved_bits |= X86_CR4_LA57; + + if (!cpu_has(c, X86_FEATURE_UMIP) && !kvm_x86_ops->umip_emulated()) + reserved_bits |= X86_CR4_UMIP; + + return reserved_bits; +} + static int kvm_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) { - if (cr4 & CR4_RESERVED_BITS) + if (cr4 & cr4_reserved_bits) return -EINVAL; if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVE) && (cr4 & X86_CR4_OSXSAVE)) @@ -9369,6 +9400,8 @@ int kvm_arch_hardware_setup(void) if (r != 0) return r; + cr4_reserved_bits = kvm_host_cr4_reserved_bits(&boot_cpu_data); + if (kvm_has_tsc_control) { /* * Make sure the user can only configure tsc_khz values that