From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Felix Wilhelm, Paolo Bonzini
Subject: [PATCH 5.10 065/126] KVM: SVM: load control fields from VMCB12 before checking them
Date: Mon, 5 Apr 2021 10:53:47 +0200
Message-Id: <20210405085033.210655053@linuxfoundation.org>
In-Reply-To: <20210405085031.040238881@linuxfoundation.org>
References: <20210405085031.040238881@linuxfoundation.org>

From: Paolo Bonzini

commit a58d9166a756a0f4a6618e4f593232593d6df134 upstream.

Avoid races between check and use of the nested VMCB controls. This for example ensures that the VMRUN intercept is always reflected to the nested hypervisor, instead of being processed by the host.

Without this patch, it is possible to end up with svm->nested.hsave pointing to the MSR permission bitmap for nested guests.

This bug is CVE-2021-29657.

Reported-by: Felix Wilhelm
Cc: stable@vger.kernel.org
Fixes: 2fcf4876ada ("KVM: nSVM: implement on demand allocation of the nested state")
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/svm/nested.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -246,7 +246,7 @@ static bool nested_vmcb_check_controls(s return true; } -static bool nested_vmcb_checks(struct vcpu_svm *svm, struct vmcb *vmcb12) +static bool nested_vmcb_check_save(struct vcpu_svm *svm, struct vmcb *vmcb12) { struct kvm_vcpu *vcpu = &svm->vcpu; bool vmcb12_lma; @@ -271,7 +271,7 @@ static bool nested_vmcb_checks(struct vc if (kvm_valid_cr4(&svm->vcpu, vmcb12->save.cr4)) return false; - return nested_vmcb_check_controls(&vmcb12->control); + return true; } static void load_nested_vmcb_control(struct vcpu_svm *svm,
@@ -454,7 +454,6 @@ int enter_svm_guest_mode(struct vcpu_svm int ret; svm->nested.vmcb12_gpa = vmcb12_gpa; - load_nested_vmcb_control(svm, &vmcb12->control); nested_prepare_vmcb_save(svm, vmcb12); nested_prepare_vmcb_control(svm); @@ -501,7 +500,10 @@ int nested_svm_vmrun(struct vcpu_svm *sv if (WARN_ON_ONCE(!svm->nested.initialized)) return -EINVAL; - if (!nested_vmcb_checks(svm, vmcb12)) { + load_nested_vmcb_control(svm, &vmcb12->control); + + if (!nested_vmcb_check_save(svm, vmcb12) || + !nested_vmcb_check_controls(&svm->nested.ctl)) { vmcb12->control.exit_code = SVM_EXIT_ERR; vmcb12->control.exit_code_hi = 0; vmcb12->control.exit_info_1 = 0;
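Review bot: in the @@ -246 and @@ -271 hunks, nested_vmcb_check_save() still validates the save area straight out of the mapped vmcb12 page (for example `if (kvm_valid_cr4(&svm->vcpu, vmcb12->save.cr4))`), and nested_prepare_vmcb_save(svm, vmcb12) in enter_svm_guest_mode() reads that same page again afterwards, so the check-then-use window this patch closes for the control fields remains open for the save fields. Either snapshot the save area the way the controls are now copied into svm->nested.ctl before checking, or say in the commit message that the save area is deliberately out of scope for this fix.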
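Review bot: dropping load_nested_vmcb_control() from enter_svm_guest_mode() in the @@ -454 hunk turns "svm->nested.ctl is already populated" into an unstated precondition, since nested_prepare_vmcb_control(svm) a few lines later consumes it. The only caller updated here is nested_svm_vmrun(); the diff does not show whether enter_svm_guest_mode() has other callers, and any that exist must now load the controls themselves. A one-line comment above enter_svm_guest_mode() stating that the caller must have loaded the controls would make the new contract explicit.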
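Review bot: in the @@ -501 hunk the controls are copied into svm->nested.ctl before either check runs, so a VMRUN rejected by nested_vmcb_check_save() or nested_vmcb_check_controls() reports SVM_EXIT_ERR to the nested hypervisor but leaves the rejected, unvalidated controls cached in svm->nested.ctl. Checking the copy rather than the guest page is the correct ordering for the race being fixed; it is worth confirming that nothing consumes svm->nested.ctl while the vCPU is not in guest mode, or otherwise resetting the cached controls on the error path so a failed VMRUN cannot leave stale state behind.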