From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+200c08e88ae818f849ce@syzkaller.appspotmail.com, Sean Christopherson, Vitaly Kuznetsov, Paolo Bonzini
Subject: [PATCH 5.13 280/300] Revert "KVM: x86: mmu: Add guest physical address check in translate_gpa()"
Date: Mon, 13 Sep 2021 15:15:41 +0200
Message-Id: <20210913131118.808141235@linuxfoundation.org>
In-Reply-To: <20210913131109.253835823@linuxfoundation.org>
References: <20210913131109.253835823@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Sean Christopherson

commit e7177339d7b5f9594b316842122b5fda9513d5e2 upstream.

Revert a misguided illegal GPA check when "translating" a non-nested GPA. The check is woefully incomplete as it does not fill in @exception as expected by all callers, which leads to KVM attempting to inject a bogus exception, potentially exposing kernel stack information in the process.

WARNING: CPU: 0 PID: 8469 at arch/x86/kvm/x86.c:525 exception_type+0x98/0xb0 arch/x86/kvm/x86.c:525
CPU: 1 PID: 8469 Comm: syz-executor531 Not tainted 5.14.0-rc7-syzkaller #0
RIP: 0010:exception_type+0x98/0xb0 arch/x86/kvm/x86.c:525
Call Trace:
 x86_emulate_instruction+0xef6/0x1460 arch/x86/kvm/x86.c:7853
 kvm_mmu_page_fault+0x2f0/0x1810 arch/x86/kvm/mmu/mmu.c:5199
 handle_ept_misconfig+0xdf/0x3e0 arch/x86/kvm/vmx/vmx.c:5336
 __vmx_handle_exit arch/x86/kvm/vmx/vmx.c:6021 [inline]
 vmx_handle_exit+0x336/0x1800 arch/x86/kvm/vmx/vmx.c:6038
 vcpu_enter_guest+0x2a1c/0x4430 arch/x86/kvm/x86.c:9712
 vcpu_run arch/x86/kvm/x86.c:9779 [inline]
 kvm_arch_vcpu_ioctl_run+0x47d/0x1b20 arch/x86/kvm/x86.c:10010
 kvm_vcpu_ioctl+0x49e/0xe50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3652

The bug has escaped notice because practically speaking the GPA check is useless. The GPA check in question only comes into play when KVM is walking guest page tables (or "translating" CR3), and KVM already handles illegal GPA checks by setting reserved bits in rsvd_bits_mask for each PxE, or in the case of CR3 for loading PTDPTRs, manually checks for an illegal CR3. This particular failure doesn't hit the existing reserved bits checks because syzbot sets guest.MAXPHYADDR=1, and IA32 architecture simply doesn't allow for such an absurd MAXPHYADDR, e.g. 32-bit paging doesn't define any reserved PA bits checks, which KVM emulates by only incorporating the reserved PA bits into the "high" bits, i.e. bits 63:32.

Simply remove the bogus check.
There is zero meaningful value and no architectural justification for supporting guest.MAXPHYADDR < 32, and properly filling the exception would introduce non-trivial complexity.

This reverts commit ec7771ab471ba6a945350353617e2e3385d0e013.

Fixes: ec7771ab471b ("KVM: x86: mmu: Add guest physical address check in translate_gpa()")
Cc: stable@vger.kernel.org
Reported-by: syzbot+200c08e88ae818f849ce@syzkaller.appspotmail.com
Signed-off-by: Sean Christopherson
Message-Id: <20210831164224.1119728-2-seanjc@google.com>
Reviewed-by: Vitaly Kuznetsov
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/mmu/mmu.c | 6 ------
 1 file changed, 6 deletions(-)

--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -257,12 +257,6 @@ static bool check_mmio_spte(struct kvm_v
 static gpa_t translate_gpa(struct kvm_vcpu *vcpu, gpa_t gpa, u32 access,
 			   struct x86_exception *exception)
 {
-	/* Check if guest physical address doesn't exceed guest maximum */
-	if (kvm_vcpu_is_illegal_gpa(vcpu, gpa)) {
-		exception->error_code |= PFERR_RSVD_MASK;
-		return UNMAPPED_GVA;
-	}
-
 	return gpa;
 }
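Review bot: the removed block only OR-ed PFERR_RSVD_MASK into exception->error_code and returned UNMAPPED_GVA without filling the rest of *exception (the vector and the other fields the commit message says every caller expects), so callers would inject whatever was already in the struct; the revert is the right fix, but since translate_gpa() now silently returns gpa unchanged, it would help to leave a one-line comment above "return gpa;" stating that illegal-GPA enforcement for non-nested translation lives in the per-PxE rsvd_bits_mask checks (and the manual CR3 check for PDPTRs), so nobody re-adds a partial check here later. Also worth confirming in the backport that no other 5.13 caller of translate_gpa() relies on UNMAPPED_GVA being returned for an out-of-range GPA, as the hunk itself does not show the call sites.

The commit message's argument is that the reverted range check and the reserved-bit masks disagree only in the degenerate guest.MAXPHYADDR=1 case, because under 32-bit paging KVM treats only bits 63:32 as reserved physical-address bits. The following C program is an added illustration written for this page, not KVM code: `rsvd_bits()` reconstructs the bit-range-mask idiom (KVM has a helper of that name, but its exact form is assumed here), `gpa_rsvd_mask()` models the two paging modes as the message describes them, and `gpa_is_illegal()` models the arithmetic of the reverted check. Running it shows the case syzbot hit: GPA 0x1000 with MAXPHYADDR=1 fails the range check but passes the 32-bit-paging reserved-bit check, while for any architecturally valid MAXPHYADDR the two agree.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mask with bits s..e (inclusive) set; 0 if the range is empty.
 * Assumed reconstruction of the usual rsvd_bits() idiom, not KVM's code. */
static uint64_t rsvd_bits(unsigned int s, unsigned int e)
{
	if (e < s || s > 63)
		return 0;
	return ((2ULL << (e - s)) - 1) << s;
}

enum paging_mode { PAGING_32BIT, PAGING_64BIT };

/*
 * Reserved physical-address bits KVM would flag in a guest PxE, modelled
 * after the commit message:
 *  - 64-bit paging: bits MAXPHYADDR..51 of the PTE are reserved.
 *  - 32-bit paging: the architecture defines no reserved PA bits, so only
 *    the "high" bits 63:32 can ever be treated as reserved.
 */
static uint64_t gpa_rsvd_mask(unsigned int maxphyaddr, enum paging_mode mode)
{
	unsigned int low = maxphyaddr;

	if (mode == PAGING_64BIT)
		return rsvd_bits(low, 51);
	if (low < 32)
		low = 32;
	return rsvd_bits(low, 63);
}

/* Does the PxE/GPA hit a reserved physical-address bit? */
static bool gpa_hits_rsvd_bits(uint64_t gpa, unsigned int maxphyaddr,
			       enum paging_mode mode)
{
	return (gpa & gpa_rsvd_mask(maxphyaddr, mode)) != 0;
}

/* Arithmetic of the reverted check: is gpa outside [0, 2^MAXPHYADDR)? */
static bool gpa_is_illegal(uint64_t gpa, unsigned int maxphyaddr)
{
	if (maxphyaddr >= 64)
		return false;
	return (gpa >> maxphyaddr) != 0;
}

/* True when the range check and the reserved-bit check disagree. */
static bool checks_disagree(uint64_t gpa, unsigned int maxphyaddr,
			    enum paging_mode mode)
{
	return gpa_is_illegal(gpa, maxphyaddr) !=
	       gpa_hits_rsvd_bits(gpa, maxphyaddr, mode);
}

int main(void)
{
	/* Constructed inputs: the syzbot configuration and a sane one. */
	const uint64_t gpa = 0x1000;

	printf("MAXPHYADDR=1,  32-bit paging: illegal=%d rsvd=%d\n",
	       gpa_is_illegal(gpa, 1), gpa_hits_rsvd_bits(gpa, 1, PAGING_32BIT));
	printf("MAXPHYADDR=36, 32-bit paging: illegal=%d rsvd=%d\n",
	       gpa_is_illegal(gpa, 36), gpa_hits_rsvd_bits(gpa, 36, PAGING_32BIT));
	printf("MAXPHYADDR=36, 64-bit paging, gpa=1<<40: illegal=%d rsvd=%d\n",
	       gpa_is_illegal(1ULL << 40, 36),
	       gpa_hits_rsvd_bits(1ULL << 40, 36, PAGING_64BIT));
	return 0;
}
```

The disagreement only appears when MAXPHYADDR is below 32 under 32-bit paging, which is exactly the configuration the message calls absurd; that is why the incomplete check could sit in the walker unnoticed until a fuzzer chose guest.MAXPHYADDR=1.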