Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5843297pxb; Mon, 14 Feb 2022 08:53:06 -0800 (PST) X-Google-Smtp-Source: ABdhPJwE+Lwx90pgz+Q6GmJX2+BbkBKtA/pDIgtpBrfESLjbHH6S4k1joqdjfF2J2L+DhXbNS5OW X-Received: by 2002:aa7:82d9:: with SMTP id f25mr333015pfn.76.1644857586584; Mon, 14 Feb 2022 08:53:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644857586; cv=none; d=google.com; s=arc-20160816; b=chmlVXLGH8/R1X16WCR9C73+YYnIF5fc+Cg5PyozhtQrOGsClXRUIWHokomHeM0ptg o/Xc2HznF61lo8TbpuAhyA9SMxI9wUYGyny6oBYY5r7fimLS/oqp5R64eVOz35jKGkAQ yLLVTMComd4320MJ6Kk4vXZc+7aiPG9q6BivDcbu3rFLtvOUkfs5XHZ0TKZAFPuAfzIu mMBjRD8LCo4nHTOef+ExGwnhBCcVFspDng3RlhLnI5vsAxZV/WVPxmKEtU3IIcC8/gSm uGvaMoaCfllh51UqOXu3SlAxoqYxg7F/98/1gJq372IE3Dbsa6s5+lk5J+kCupWPotK6 fp2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=GIQA3k1P5uMwx9JyWxwlj2RJfQ0zmkT87RK6iA5gLfk=; b=dU8nGlF2T8TT03tF9tSdtn9dKKAwadAxTVaWqz6M2mcCFLSKK9Be1LJgPFcPFMVyU+ +jM3MrE7GCe0mxJj2eNfkR67cAvEVMeRj2o00spU7IflgBq82lapIUSDgUGxXeHfedgZ sGXQv9yg5mUiIf+WKY1T3x8lIJjtsiiMALE0Ny/g8dHLgV0zJEIfy/1P010q/mU1VJtE Sh4zq9uJ8h/5WN7pucwsveWPL81FbnJe+d+tRZINrnLqIj/PC5T81eKggt7+vhnw4tg6 B5BUuQYw+55oakk5CArN5CiH/E+CaIfV7BvWok55igJqfYPf9vFiIwk7iIW8gkVzYPPx AdWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="r+ZtP/zW"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f4si26515878pfd.61.2022.02.14.08.52.49; Mon, 14 Feb 2022 08:53:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="r+ZtP/zW"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343672AbiBNJyT (ORCPT + 99 others); Mon, 14 Feb 2022 04:54:19 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:34518 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343666AbiBNJu5 (ORCPT ); Mon, 14 Feb 2022 04:50:57 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3FE1B66217; Mon, 14 Feb 2022 01:41:56 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C447061172; Mon, 14 Feb 2022 09:41:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AEA87C340F0; Mon, 14 Feb 2022 09:41:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1644831715; bh=b++DG1/O5mEmOhO6STDxegYQ9ltg4/TqedAfNshj/Yw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=r+ZtP/zWAf1RvZQLe1asnu2o8mMoMPVWPkJOlV3EfdCOxCaUl2/SuJF0zhbDy862m lJ25+qLl2D69WwkF+Zh+Dc4/PT8OcPbPJd9wHK+QsLvlhmo+XKrj8q8w33Yix2uj09 22SvDvC0OPIhUm927Jb+rHsWtJJ8t4eLelz3L4dg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Woodhouse , Alexander Graf , Sean Christopherson , Paolo Bonzini , Sasha Levin Subject: [PATCH 5.10 041/116] KVM: VMX: Set vmcs.PENDING_DBG.BS on #DB in STI/MOVSS blocking shadow Date: Mon, 14 Feb 2022 10:25:40 +0100 Message-Id: <20220214092500.104588000@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220214092458.668376521@linuxfoundation.org> References: <20220214092458.668376521@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Christopherson [ Upstream commit b9bed78e2fa9571b7c983b20666efa0009030c71 ] Set vmcs.GUEST_PENDING_DBG_EXCEPTIONS.BS, a.k.a. the pending single-step breakpoint flag, when re-injecting a #DB with RFLAGS.TF=1, and STI or MOVSS blocking is active. Setting the flag is necessary to make VM-Entry consistency checks happy, as VMX has an invariant that if RFLAGS.TF is set and STI/MOVSS blocking is true, then the previous instruction must have been STI or MOV/POP, and therefore a single-step #DB must be pending since the RFLAGS.TF cannot have been set by the previous instruction, i.e. the one instruction delay after setting RFLAGS.TF must have already expired. Normally, the CPU sets vmcs.GUEST_PENDING_DBG_EXCEPTIONS.BS appropriately when recording guest state as part of a VM-Exit, but #DB VM-Exits intentionally do not treat the #DB as "guest state" as interception of the #DB effectively makes the #DB host-owned, thus KVM needs to manually set PENDING_DBG.BS when forwarding/re-injecting the #DB to the guest. Note, although this bug can be triggered by guest userspace, doing so requires IOPL=3, and guest userspace running with IOPL=3 has full access to all I/O ports (from the guest's perspective) and can crash/reboot the guest any number of ways. IOPL=3 is required because STI blocking kicks in if and only if RFLAGS.IF is toggled 0=>1, and if CPL>IOPL, STI either takes a #GP or modifies RFLAGS.VIF, not RFLAGS.IF. MOVSS blocking can be initiated by userspace, but can be coincident with a #DB if and only if DR7.GD=1 (General Detect enabled) and a MOV DR is executed in the MOVSS shadow. MOV DR #GPs at CPL>0, thus MOVSS blocking is problematic only for CPL0 (and only if the guest is crazy enough to access a DR in a MOVSS shadow). All other sources of #DBs are either suppressed by MOVSS blocking (single-step, code fetch, data, and I/O), are mutually exclusive with MOVSS blocking (T-bit task switch), or are already handled by KVM (ICEBP, a.k.a. INT1). This bug was originally found by running tests[1] created for XSA-308[2]. Note that Xen's userspace test emits ICEBP in the MOVSS shadow, which is presumably why the Xen bug was deemed to be an exploitable DOS from guest userspace. KVM already handles ICEBP by skipping the ICEBP instruction and thus clears MOVSS blocking as a side effect of its "emulation". [1] http://xenbits.xenproject.org/docs/xtf/xsa-308_2main_8c_source.html [2] https://xenbits.xen.org/xsa/advisory-308.html Reported-by: David Woodhouse Reported-by: Alexander Graf Signed-off-by: Sean Christopherson Message-Id: <20220120000624.655815-1-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin --- arch/x86/kvm/vmx/vmx.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 351ef5cf1436a..94f5f2129e3b4 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -4846,8 +4846,33 @@ static int handle_exception_nmi(struct kvm_vcpu *vcpu) dr6 = vmx_get_exit_qual(vcpu); if (!(vcpu->guest_debug & (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) { + /* + * If the #DB was due to ICEBP, a.k.a. INT1, skip the + * instruction. ICEBP generates a trap-like #DB, but + * despite its interception control being tied to #DB, + * is an instruction intercept, i.e. the VM-Exit occurs + * on the ICEBP itself. Note, skipping ICEBP also + * clears STI and MOVSS blocking. + * + * For all other #DBs, set vmcs.PENDING_DBG_EXCEPTIONS.BS + * if single-step is enabled in RFLAGS and STI or MOVSS + * blocking is active, as the CPU doesn't set the bit + * on VM-Exit due to #DB interception. VM-Entry has a + * consistency check that a single-step #DB is pending + * in this scenario as the previous instruction cannot + * have toggled RFLAGS.TF 0=>1 (because STI and POP/MOV + * don't modify RFLAGS), therefore the one instruction + * delay when activating single-step breakpoints must + * have already expired. Note, the CPU sets/clears BS + * as appropriate for all other VM-Exits types. + */ if (is_icebp(intr_info)) WARN_ON(!skip_emulated_instruction(vcpu)); + else if ((vmx_get_rflags(vcpu) & X86_EFLAGS_TF) && + (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & + (GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS))) + vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS, + vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS) | DR6_BS); kvm_queue_exception_p(vcpu, DB_VECTOR, dr6); return 1; -- 2.34.1