From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Christopherson, Paolo Bonzini
Subject: [PATCH 5.12 110/677] KVM: x86: Check CR3 GPA for validity regardless of vCPU mode
Date: Wed, 12 May 2021 16:42:36 +0200
Message-Id: <20210512144840.873266670@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210512144837.204217980@linuxfoundation.org>
References: <20210512144837.204217980@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson

commit 886bbcc7a523b8d4fac60f1015d2e0fcad50db82 upstream.

Check CR3 for an invalid GPA even if the vCPU isn't in long mode.  For
bigger emulation flows, notably RSM, the vCPU mode may not be accurate
if CR0/CR4 are loaded after CR3.  For MOV CR3 and similar flows, the
caller is responsible for truncating the value.

Fixes: 660a5d517aaa ("KVM: x86: save/load state on SMM switch")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson
Message-Id: <20210422022128.3464144-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/x86.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1072,10 +1072,15 @@ int kvm_set_cr3(struct kvm_vcpu *vcpu, u return 0; } - if (is_long_mode(vcpu) && kvm_vcpu_is_illegal_gpa(vcpu, cr3)) + /* + * Do not condition the GPA check on long mode, this helper is used to + * stuff CR3, e.g. for RSM emulation, and there is no guarantee that + * the current vCPU mode is accurate. + */ + if (kvm_vcpu_is_illegal_gpa(vcpu, cr3)) return 1; - else if (is_pae_paging(vcpu) && - !load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3)) + + if (is_pae_paging(vcpu) && !load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3)) return 1; kvm_mmu_new_pgd(vcpu, cr3, skip_tlb_flush, skip_tlb_flush);
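Review bot: making kvm_vcpu_is_illegal_gpa() unconditional shifts the responsibility for truncating CR3 in 32-bit and PAE modes onto every caller of kvm_set_cr3(), but that contract is stated only in the commit message, not in the code; suggest extending the new comment block, e.g. adding `* Callers must truncate CR3 for non-64-bit modes before calling here.` after the line `* the current vCPU mode is accurate.`, so a future caller that hands in an untruncated CR3 with upper bits set is not silently rejected via `return 1`. Splitting the former `else if` into a stand-alone `if (is_pae_paging(vcpu) && !load_pdptrs(...))` is behaviour-preserving because the preceding branch returns, and it keeps the GPA check ahead of the PDPTR load, which is the ordering the description asks for.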
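As an added illustration of the order dependence the commit message describes (this is a stand-alone model written for this page, not KVM's code), the C program below pits the pre-patch, mode-conditional check against the post-patch unconditional one. It models a vCPU whose mode is derived from EFER.LMA (bit 10; CR0.PG bit 31 and CR4.PAE bit 5 are likewise architectural), a 48-bit guest physical address width, and an RSM-style restore that loads CR3 before CR0/CR4/EFER. The struct and function names, the 48-bit width, and the constructed "bad" CR3 with reserved bit 52 set are assumptions of this example, not values from the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural bit positions used to derive the vCPU's mode. */
#define EFER_LMA (1ULL << 10)   /* long mode active */
#define CR0_PG   (1ULL << 31)   /* paging enabled */
#define CR4_PAE  (1ULL << 5)    /* physical address extension */

/* Constructed sample: a CR3 page-aligned at 0x1000 with reserved bit 52 set. */
#define BAD_CR3  (0x1000ULL | (1ULL << 52))

/* Toy vCPU model (assumption: not KVM's struct kvm_vcpu). */
struct vcpu {
    uint64_t cr0, cr3, cr4, efer;
    unsigned int maxphyaddr;    /* guest physical address width, e.g. 48 */
};

typedef int (*set_cr3_fn)(struct vcpu *, uint64_t);

static bool is_long_mode(const struct vcpu *v)
{
    return (v->efer & EFER_LMA) != 0;
}

/* True when gpa has bits set at or above the guest's physical address width. */
static bool is_illegal_gpa(const struct vcpu *v, uint64_t gpa)
{
    return (gpa >> v->maxphyaddr) != 0;
}

/* Pre-patch logic: validate the GPA only when the vCPU reports long mode. */
int set_cr3_conditional(struct vcpu *v, uint64_t cr3)
{
    if (is_long_mode(v) && is_illegal_gpa(v, cr3))
        return 1;               /* non-zero: reject the CR3 value */
    v->cr3 = cr3;
    return 0;
}

/* Post-patch logic: validate the GPA regardless of the (possibly stale) mode. */
int set_cr3_unconditional(struct vcpu *v, uint64_t cr3)
{
    if (is_illegal_gpa(v, cr3))
        return 1;
    v->cr3 = cr3;
    return 0;
}

/*
 * Restore saved control-register state. With cr3_first set, CR3 is stuffed
 * while is_long_mode() still reflects the pre-restore mode, mirroring the
 * RSM ordering problem the patch description mentions.
 */
int restore_state(struct vcpu *v, set_cr3_fn set_cr3,
                  const struct vcpu *saved, bool cr3_first)
{
    int ret;

    if (cr3_first) {
        ret = set_cr3(v, saved->cr3);   /* mode is stale at this point */
        v->efer = saved->efer;
        v->cr0 = saved->cr0;
        v->cr4 = saved->cr4;
    } else {
        v->efer = saved->efer;          /* mode made accurate first */
        v->cr0 = saved->cr0;
        v->cr4 = saved->cr4;
        ret = set_cr3(v, saved->cr3);
    }
    return ret;
}

/*
 * Scenario: the vCPU enters the restore in 32-bit, non-paging mode and the
 * saved state is 64-bit. Returns 1 if the CR3 load was rejected, else 0.
 */
int demo(set_cr3_fn set_cr3, uint64_t cr3, bool cr3_first)
{
    struct vcpu v = { .cr0 = 0, .cr3 = 0, .cr4 = 0, .efer = 0, .maxphyaddr = 48 };
    struct vcpu saved = { .cr0 = CR0_PG, .cr3 = cr3, .cr4 = CR4_PAE,
                          .efer = EFER_LMA, .maxphyaddr = 48 };

    return restore_state(&v, set_cr3, &saved, cr3_first);
}

int main(void)
{
    printf("conditional, CR3 before mode:   rejected=%d\n",
           demo(set_cr3_conditional, BAD_CR3, true));
    printf("conditional, mode before CR3:   rejected=%d\n",
           demo(set_cr3_conditional, BAD_CR3, false));
    printf("unconditional, CR3 before mode: rejected=%d\n",
           demo(set_cr3_unconditional, BAD_CR3, true));
    return 0;
}
```

The conditional check only misses the bad CR3 when the mode is stale; once the mode is loaded first it rejects it too, which is why the bug was confined to flows such as RSM. The unconditional variant relies on the contract the commit message states for MOV CR3: callers truncate CR3 for non-64-bit modes before it is checked, so a legitimate 32-bit value never trips the width test.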