From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vitaly Kuznetsov, Maxim Levitsky, Paolo Bonzini
Subject: [PATCH 5.10 006/243] KVM: nSVM: Check the value written to MSR_VM_HSAVE_PA
Date: Mon, 19 Jul 2021 16:50:35 +0200
Message-Id: <20210719144941.127411233@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210719144940.904087935@linuxfoundation.org>
References: <20210719144940.904087935@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Vitaly Kuznetsov

commit fce7e152ffc8f89d02a80617b16c7aa1527847c8 upstream.

APM states that #GP is raised upon write to MSR_VM_HSAVE_PA when the
supplied address is not page-aligned or is outside of "maximum supported
physical address for this implementation". page_address_valid() check
seems suitable. Also, forcefully page-align the address when it's written
from VMM.

Signed-off-by: Vitaly Kuznetsov
Message-Id: <20210628104425.391276-2-vkuznets@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Maxim Levitsky
[Add comment about behavior for host-provided values. - Paolo]
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/svm/svm.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2745,7 +2745,16 @@ static int svm_set_msr(struct kvm_vcpu * svm_disable_lbrv(vcpu); break; case MSR_VM_HSAVE_PA: - svm->nested.hsave_msr = data; + /* + * Old kernels did not validate the value written to + * MSR_VM_HSAVE_PA. Allow KVM_SET_MSR to set an invalid + * value to allow live migrating buggy or malicious guests + * originating from those kernels. + */ + if (!msr->host_initiated && !page_address_valid(vcpu, data)) + return 1; + + svm->nested.hsave_msr = data & PAGE_MASK; break; case MSR_VM_CR: return svm_set_vm_cr(vcpu, data);
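Review bot: the `if (!msr->host_initiated && !page_address_valid(vcpu, data))` guard validates only guest writes, so a host-initiated KVM_SET_MSR with bits above the guest's maximum physical address is stored without error and only its low bits are dropped by `data & PAGE_MASK`; the new comment explains why the check is skipped for migration, but it should also state that host-provided values are page-aligned yet not range-checked, since that is a silent truncation rather than a rejection and differs from the guest path. Returning 1 on the guest path is consistent with the #GP the commit message cites from the APM and with the other `return` cases in svm_set_msr visible in the context.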
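The two conditions the commit message describes (page alignment and no bits above MAXPHYADDR), together with the guest/host split introduced by the hunk, modelled as stand-alone C. This is an added example, not KVM code; `model_vcpu`, `model_page_address_valid` and `model_write` are constructed stand-ins for the vCPU, page_address_valid() and svm_set_msr(), and the 4 KiB page size and MAXPHYADDR of 48 are assumptions.

```c
/* Constructed model of the MSR_VM_HSAVE_PA write check; not KVM's own code. */
#include <stdbool.h>
#include <stdint.h>

#define MODEL_PAGE_SHIFT 12                       /* assumed 4 KiB pages */
#define MODEL_PAGE_SIZE  (1ULL << MODEL_PAGE_SHIFT)
#define MODEL_PAGE_MASK  (~(MODEL_PAGE_SIZE - 1))
#define MODEL_GP         UINT64_MAX               /* sentinel: write raised #GP */

/* Stand-in for the vCPU: MAXPHYADDR from CPUID (assumed < 64) and the stored MSR. */
struct model_vcpu {
	int      maxphyaddr;
	uint64_t hsave_msr;
};

/* The two checks the commit message names: page aligned, and no bits set
 * above the guest's maximum supported physical address. */
static bool model_page_address_valid(const struct model_vcpu *v, uint64_t gpa)
{
	bool aligned  = (gpa & (MODEL_PAGE_SIZE - 1)) == 0;
	bool in_range = (gpa >> v->maxphyaddr) == 0;
	return aligned && in_range;
}

/* Patched behaviour: guest writes are validated (non-zero return means #GP);
 * host-initiated writes (KVM_SET_MSR) skip the check but are page-aligned. */
static int model_set_hsave_pa(struct model_vcpu *v, uint64_t data,
			      bool host_initiated)
{
	if (!host_initiated && !model_page_address_valid(v, data))
		return 1;
	v->hsave_msr = data & MODEL_PAGE_MASK;
	return 0;
}

/* Perform one write against a fresh vCPU and return the resulting MSR value,
 * or MODEL_GP if the write was rejected. */
static uint64_t model_write(int maxphyaddr, uint64_t initial, uint64_t data,
			    bool host_initiated)
{
	struct model_vcpu v = { .maxphyaddr = maxphyaddr, .hsave_msr = initial };

	if (model_set_hsave_pa(&v, data, host_initiated))
		return MODEL_GP;
	return v.hsave_msr;
}
```

The last two cases in the test show the host-initiated path accepting a misaligned or out-of-range value with only the low bits masked, which is the migration compatibility behaviour the hunk's comment describes.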