From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Felix Wilhelm, Paolo Bonzini
Subject: [PATCH 5.11 079/152] KVM: SVM: load control fields from VMCB12 before checking them
Date: Mon, 5 Apr 2021 10:53:48 +0200
Message-Id: <20210405085036.827533637@linuxfoundation.org>
In-Reply-To: <20210405085034.233917714@linuxfoundation.org>
References: <20210405085034.233917714@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Paolo Bonzini

commit a58d9166a756a0f4a6618e4f593232593d6df134 upstream.

Avoid races between check and use of the nested VMCB controls. This for example ensures that the VMRUN intercept is always reflected to the nested hypervisor, instead of being processed by the host.

Without this patch, it is possible to end up with svm->nested.hsave pointing to the MSR permission bitmap for nested guests.

This bug is CVE-2021-29657.

Reported-by: Felix Wilhelm
Cc: stable@vger.kernel.org
Fixes: 2fcf4876ada ("KVM: nSVM: implement on demand allocation of the nested state")
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/svm/nested.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -246,7 +246,7 @@ static bool nested_vmcb_check_controls(s return true; } -static bool nested_vmcb_checks(struct vcpu_svm *svm, struct vmcb *vmcb12) +static bool nested_vmcb_check_save(struct vcpu_svm *svm, struct vmcb *vmcb12) { struct kvm_vcpu *vcpu = &svm->vcpu; bool vmcb12_lma; @@ -271,7 +271,7 @@ static bool nested_vmcb_checks(struct vc if (!kvm_is_valid_cr4(&svm->vcpu, vmcb12->save.cr4)) return false; - return nested_vmcb_check_controls(&vmcb12->control); + return true; } static void load_nested_vmcb_control(struct vcpu_svm *svm, 
@@ -454,7 +454,6 @@ int enter_svm_guest_mode(struct vcpu_svm int ret; svm->nested.vmcb12_gpa = vmcb12_gpa; - load_nested_vmcb_control(svm, &vmcb12->control); nested_prepare_vmcb_save(svm, vmcb12); nested_prepare_vmcb_control(svm); @@ -501,7 +500,10 @@ int nested_svm_vmrun(struct vcpu_svm *sv if (WARN_ON_ONCE(!svm->nested.initialized)) return -EINVAL; - if (!nested_vmcb_checks(svm, vmcb12)) { + load_nested_vmcb_control(svm, &vmcb12->control); + + if (!nested_vmcb_check_save(svm, vmcb12) || + !nested_vmcb_check_controls(&svm->nested.ctl)) { vmcb12->control.exit_code = SVM_EXIT_ERR; vmcb12->control.exit_code_hi = 0; vmcb12->control.exit_info_1 = 0;
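Review bot: the rename to nested_vmcb_check_save in the @@ -246 hunk narrows the name to what the function still validates, and since the old nested_vmcb_checks symbol is not kept as an alias, the single call site visible in this patch (the @@ -500 hunk) is the one that must change and does; a one-line comment above the function stating that control-field validation is now done separately on svm->nested.ctl would keep a future cleanup from folding the controls check back into this function.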
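Review bot: replacing `return nested_vmcb_check_controls(&vmcb12->control);` with `return true;` in the @@ -271 hunk removes the last read of vmcb12->control from the validation path, which is the point of the fix, but the save-area checks immediately above it, such as `kvm_is_valid_cr4(&svm->vcpu, vmcb12->save.cr4)`, still read vmcb12 directly, and the @@ -454 hunk shows nested_prepare_vmcb_save(svm, vmcb12) consuming the same pointer afterwards. If vmcb12 maps guest memory, the save fields keep the check-then-use window that the controls no longer have; the commit message should say whether that is accepted for now or left to a follow-up.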
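Review bot: dropping load_nested_vmcb_control(svm, &vmcb12->control) from enter_svm_guest_mode() in the @@ -454 hunk makes a populated svm->nested.ctl an unstated precondition of that function. The only caller shown in this diff, nested_svm_vmrun(), now satisfies it, but any other path into enter_svm_guest_mode() (none are visible here) would run nested_prepare_vmcb_control(svm) against whatever svm->nested.ctl last held. Suggest a comment on enter_svm_guest_mode() stating that the caller must have loaded svm->nested.ctl, and a check of the remaining callers in the 5.11 tree before this lands in stable.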
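Review bot: in the @@ -500 hunk the checks now run after load_nested_vmcb_control() and against svm->nested.ctl rather than vmcb12->control, so the copy that is validated is the copy that is later used, which is the race the message describes. Two points to confirm: on the failure path svm->nested.ctl has already been overwritten with the rejected controls before the early return writes SVM_EXIT_ERR into vmcb12->control, so nothing downstream of that return may consume svm->nested.ctl as if it were valid; and because of the `||` ordering the controls check is skipped entirely when the save check fails, which is only harmless because both failures take the same error path.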
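The pattern the commit message describes, validating a control block that another vCPU can rewrite between the check and the use, is easy to reproduce outside the kernel. The following is an added illustration, not KVM code and not from this patch: `struct ctl`, `INTERCEPT_VMRUN`, and the two `vmrun_*` functions are hypothetical stand-ins, and the "race" callback simulates a concurrent writer to the shared block. The first function checks and then re-reads shared memory (the pre-patch shape); the second snapshots the controls into host-private memory once and checks and uses only that copy (the post-patch shape).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified control area; not the real VMCB layout. */
struct ctl {
    uint32_t intercepts;      /* bit 0 stands in for the VMRUN intercept */
    uint64_t msrpm_base_pa;   /* stands in for the MSR permission bitmap address */
};

#define INTERCEPT_VMRUN 0x1u

struct result {
    bool accepted;             /* did validation pass? */
    uint32_t intercepts_used;  /* intercept word the "host" then acted on */
};

/* Simulated concurrent writer that runs in the check/use window. */
typedef void (*race_fn)(struct ctl *shared);

/* Policy: VMRUN must be intercepted and the bitmap must be page aligned. */
static bool check_ctl(const struct ctl *c)
{
    return (c->intercepts & INTERCEPT_VMRUN) != 0 &&
           (c->msrpm_base_pa & 0xfffu) == 0;
}

/* Pre-patch shape: validate shared memory, then read it again when using it.
 * A writer in the window can pass a block that would have failed the check. */
struct result vmrun_check_then_use(struct ctl *shared, race_fn race)
{
    struct result r = { false, 0 };
    if (!check_ctl(shared))            /* check reads the shared block */
        return r;
    if (race)
        race(shared);                  /* window: another vCPU rewrites it */
    r.accepted = true;
    r.intercepts_used = shared->intercepts; /* use reads the shared block again */
    return r;
}

/* Post-patch shape: copy once into private memory, then check and use the copy.
 * Whatever the writer does to the shared block afterwards cannot affect us. */
struct result vmrun_snapshot_then_check(struct ctl *shared, race_fn race)
{
    struct result r = { false, 0 };
    struct ctl snap;
    memcpy(&snap, shared, sizeof snap); /* load controls once */
    if (race)
        race(shared);                  /* same window, now harmless */
    if (!check_ctl(&snap))
        return r;
    r.accepted = true;
    r.intercepts_used = snap.intercepts; /* use exactly what was checked */
    return r;
}

/* Constructed writer: clears the intercept after the check has passed. */
void clear_vmrun_intercept(struct ctl *c)
{
    c->intercepts &= ~INTERCEPT_VMRUN;
}
```

With the writer active, the check-then-use version reports the block as accepted yet acts on an intercept word that no longer has the VMRUN bit set; the snapshot version either accepts and acts on the validated copy or rejects the block outright, and the shared memory's later state is irrelevant.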