From: Maxim Levitsky
To: kvm@vger.kernel.org
Cc: Paolo Bonzini, Thomas Gleixner, linux-kernel@vger.kernel.org, Chenyi Qiang, Yang Zhong, x86@kernel.org, Shuah Khan, Dave Hansen, "H. Peter Anvin", Maxim Levitsky, Colton Lewis, Borislav Petkov, Peter Xu, Sean Christopherson, Jim Mattson, linux-kselftest@vger.kernel.org, Ingo Molnar, Wei Wang, David Matlack, stable@vger.kernel.org
Subject: [PATCH v2 4/9] KVM: x86: forcibly leave nested mode on vCPU reset
Date: Thu, 3 Nov 2022 16:13:46 +0200
Message-Id: <20221103141351.50662-5-mlevitsk@redhat.com>
In-Reply-To: <20221103141351.50662-1-mlevitsk@redhat.com>
References: <20221103141351.50662-1-mlevitsk@redhat.com>

While not obvious, kvm_vcpu_reset() leaves the nested mode by clearing
'vcpu->arch.hflags' but it does so without all the required housekeeping.

On SVM, it is possible to have a vCPU reset while in guest mode because,
unlike VMX, on SVM INITs are not latched in SVM non-root mode, and in
addition to that L1 doesn't have to intercept triple fault, which should
also trigger L1's reset if it happens in L2 while L1 didn't intercept it.

If one of the above conditions happens, KVM will continue to use vmcb02
while not being in guest mode. Later the IA32_EFER will be cleared, which
will lead to freeing of the nested guest state, which will (correctly) free
the vmcb02, but since KVM still uses it (incorrectly) this will lead to a
use after free and kernel crash.

This issue is assigned CVE-2022-3344

Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky --- arch/x86/kvm/x86.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 316ab1d5317f92..3fd900504e683b 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11694,8 +11694,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) WARN_ON_ONCE(!init_event && (old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu))); + /* + * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's + * possible to INIT the vCPU while L2 is active. Force the vCPU back + * into L1 as EFER.SVME is cleared on INIT (along with all other EFER + * bits), i.e. virtualization is disabled. + */ + if (is_guest_mode(vcpu)) + kvm_leave_nested(vcpu); + kvm_lapic_reset(vcpu, init_event); + WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu)); vcpu->arch.hflags = 0; vcpu->arch.smi_pending = 0; -- 2.34.3
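Review bot: the new `WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu));` placed just before `vcpu->arch.hflags = 0;` asserts a condition (no SMM) that neither the added `if (is_guest_mode(vcpu)) kvm_leave_nested(vcpu);` nor the commit message establishes, so a reader will take the SMM half of the warning as a case the patch forgot to handle. Either extend the comment block in the hunk to state what rules out SMM at this point in kvm_vcpu_reset(), or handle SMM the same way guest mode is handled, so that the subsequent unconditional clear of hflags is never the only thing that leaves either state. Since the description carries a CVE number and a stable Cc, a Fixes: tag naming the commit being fixed would also help the stable maintainers select the right trees.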