From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Christopherson, Paolo Bonzini
Subject: [PATCH 5.19 0034/1157] KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks
Date: Mon, 15 Aug 2022 19:49:50 +0200
Message-Id: <20220815180440.799547938@linuxfoundation.org>
In-Reply-To: <20220815180439.416659447@linuxfoundation.org>
References: <20220815180439.416659447@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson

commit ca58f3aa53d165afe4ab74c755bc2f6d168617ac upstream.

Check that the guest (L2) and host (L1) CR4 values that would be loaded by nested VM-Enter and VM-Exit respectively are valid with respect to KVM's (L0 host) allowed CR4 bits. Failure to check KVM reserved bits would allow L1 to load an illegal CR4 (or trigger hardware VM-Fail or failed VM-Entry) by massaging guest CPUID to allow features that are not supported by KVM.

Amusingly, KVM itself is an accomplice in its doom, as KVM adjusts L1's MSR_IA32_VMX_CR4_FIXED1 to allow L1 to enable bits for L2 based on L1's CPUID model.

Note, although nested_{guest,host}_cr4_valid() are _currently_ used if and only if the vCPU is post-VMXON (nested.vmxon == true), that may not be true in the future, e.g. emulating VMXON has a bug where it doesn't check the allowed/required CR0/CR4 bits.

Cc: stable@vger.kernel.org
Fixes: 3899152ccbf4 ("KVM: nVMX: fix checks on CR{0,4} during virtual VMX operation")
Signed-off-by: Sean Christopherson Message-Id: <20220607213604.3346000-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/vmx/nested.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/arch/x86/kvm/vmx/nested.h +++ b/arch/x86/kvm/vmx/nested.h @@ -281,7 +281,8 @@ static inline bool nested_cr4_valid(stru u64 fixed0 = to_vmx(vcpu)->nested.msrs.cr4_fixed0; u64 fixed1 = to_vmx(vcpu)->nested.msrs.cr4_fixed1; - return fixed_bits_valid(val, fixed0, fixed1); + return fixed_bits_valid(val, fixed0, fixed1) && + __kvm_is_valid_cr4(vcpu, val); } /* No difference in the restrictions on guest and host CR4 in VMX operation. */
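Review bot: `__kvm_is_valid_cr4()` is called from nested.h but nothing in this hunk declares it or adds an include, so the backport relies on the header that exports it already being pulled into nested.h and on the helper existing in 5.19; confirm the commit that introduces `__kvm_is_valid_cr4()` is queued ahead of this one in the series, otherwise this single-file change will not build. A short comment above the return explaining that fixed0/fixed1 reflect L1's CPUID-adjusted view while `__kvm_is_valid_cr4()` enforces the bits L0 actually supports would help future readers, e.g. `/* L1's FIXED0/FIXED1 may permit bits KVM itself does not support. */`.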
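To make the gap the commit message describes concrete, here is an added, self-contained C example; it is not KVM's code and not part of the patch. It reimplements the VMX FIXED0/FIXED1 rule (every bit set in FIXED0 must be 1, every bit clear in FIXED1 must be 0), stands in for the L0 host's supported-bit mask with a hypothetical constant `l0_allowed_cr4`, and shows a CR4 value that passes the fixed-bits check (because FIXED1 was widened to L1's CPUID view) yet is rejected once the L0 validity check from the patch is applied as well. All MSR values and the allowed mask are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural CR4 bit positions used below. */
#define CR4_PAE   (1ULL << 5)
#define CR4_PGE   (1ULL << 7)
#define CR4_LA57  (1ULL << 12)
#define CR4_VMXE  (1ULL << 13)
#define CR4_PCIDE (1ULL << 17)

/* Reimplementation of the FIXED0/FIXED1 semantics (not KVM's helper):
 * bits set in fixed0 must be 1 in val, bits clear in fixed1 must be 0. */
static bool fixed_bits_valid(uint64_t val, uint64_t fixed0, uint64_t fixed1)
{
    return ((val & fixed0) == fixed0) && ((val & ~fixed1) == 0);
}

/* Hypothetical stand-in for the L0 host's view of supported CR4 bits.
 * In KVM this is derived from host capabilities and guest CPUID; here it
 * is a constant that deliberately omits LA57. */
static const uint64_t l0_allowed_cr4 = CR4_VMXE | CR4_PAE | CR4_PGE | CR4_PCIDE;

static bool l0_is_valid_cr4(uint64_t val)
{
    return (val & ~l0_allowed_cr4) == 0;
}

/* Before the fix: only the FIXED0/FIXED1 constraints, which reflect the
 * (CPUID-adjusted) view presented to L1. */
static bool nested_cr4_valid_before(uint64_t val, uint64_t fixed0, uint64_t fixed1)
{
    return fixed_bits_valid(val, fixed0, fixed1);
}

/* After the fix: the value must also be one L0 itself can load. */
static bool nested_cr4_valid_after(uint64_t val, uint64_t fixed0, uint64_t fixed1)
{
    return fixed_bits_valid(val, fixed0, fixed1) && l0_is_valid_cr4(val);
}

/* Constructed MSR values: VMXE is mandatory (FIXED0); FIXED1 has been
 * widened to include LA57 because the CPUID model shown to L1 advertises
 * it, even though l0_allowed_cr4 above does not include it. */
static const uint64_t demo_fixed0 = CR4_VMXE;
static const uint64_t demo_fixed1 = CR4_VMXE | CR4_PAE | CR4_PGE | CR4_PCIDE | CR4_LA57;

int main(void)
{
    const uint64_t ok      = CR4_VMXE | CR4_PAE | CR4_PGE;  /* valid everywhere */
    const uint64_t la57    = CR4_VMXE | CR4_LA57;           /* passes FIXED, not L0 */
    const uint64_t no_vmxe = CR4_PAE;                       /* violates FIXED0 */

    printf("ok:      before=%d after=%d\n",
           nested_cr4_valid_before(ok, demo_fixed0, demo_fixed1),
           nested_cr4_valid_after(ok, demo_fixed0, demo_fixed1));
    printf("la57:    before=%d after=%d\n",
           nested_cr4_valid_before(la57, demo_fixed0, demo_fixed1),
           nested_cr4_valid_after(la57, demo_fixed0, demo_fixed1));
    printf("no_vmxe: before=%d after=%d\n",
           nested_cr4_valid_before(no_vmxe, demo_fixed0, demo_fixed1),
           nested_cr4_valid_after(no_vmxe, demo_fixed0, demo_fixed1));
    return 0;
}
```

The middle case is the one the patch closes: the FIXED0/FIXED1 pair alone accepts a CR4 with LA57 set because that pair was relaxed for L1, while the combined check rejects it because L0 never supported the bit.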