From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Maxim Levitsky, Paolo Bonzini, Greg Kroah-Hartman
Subject: [PATCH 4.14 31/64] KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)
Date: Tue, 24 Aug 2021 13:04:24 -0400
Message-Id: <20210824170457.710623-32-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210824170457.710623-1-sashal@kernel.org>
References: <20210824170457.710623-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.245-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-4.14.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 4.14.245-rc1
X-KernelTest-Deadline: 2021-08-26T17:04+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Maxim Levitsky

[ upstream commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc ]

If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor), then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only possible by making L0 intercept these instructions.

Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted, and thus read/write portions of the host physical memory.

Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
Suggested-by: Paolo Bonzini
Signed-off-by: Maxim Levitsky
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/svm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 3571253b8690..0e6e158b8f8f 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -389,6 +389,9 @@ static void recalc_intercepts(struct vcpu_svm *svm) c->intercept_dr = h->intercept_dr | g->intercept_dr; c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions; c->intercept = h->intercept | g->intercept; + + c->intercept |= (1ULL << INTERCEPT_VMLOAD); + c->intercept |= (1ULL << INTERCEPT_VMSAVE); } static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm) -- 2.30.2
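Review bot: the two forced bits added at the end of recalc_intercepts() carry no comment, so the reason they must override whatever L1 chose in g->intercept lives only in the commit message; someone later tidying this function could reasonably read them as redundant with the OR on the line above and drop them, reintroducing the bug. Suggest a short comment above the added lines along the lines of "Virtual VMLOAD/VMSAVE is not supported for the nested guest, so L0 must always intercept these instructions to keep them operating on L1's memory rather than host memory". The mechanics themselves look right for this tree: the function merges h->intercept and g->intercept into a single 64-bit c->intercept, so OR-ing in (1ULL << INTERCEPT_VMLOAD) and (1ULL << INTERCEPT_VMSAVE) guarantees the host intercept while preserving any intercept L1 set for itself.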