From: Maxim Levitsky
To: kvm@vger.kernel.org
Cc: Paolo Bonzini, "H. Peter Anvin", Shuah Khan, Yang Zhong, Wei Wang, Colton Lewis, Sean Christopherson, Jim Mattson, Chenyi Qiang, Borislav Petkov, linux-kernel@vger.kernel.org, x86@kernel.org, Thomas Gleixner, Dave Hansen, Ingo Molnar, David Matlack, Peter Xu, Maxim Levitsky, linux-kselftest@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 4/9] KVM: x86: forcibly leave nested mode on vCPU reset
Date: Thu, 3 Nov 2022 15:57:31 +0200
Message-Id: <20221103135736.42295-5-mlevitsk@redhat.com>
In-Reply-To: <20221103135736.42295-1-mlevitsk@redhat.com>
References: <20221103135736.42295-1-mlevitsk@redhat.com>
List-ID: linux-kernel@vger.kernel.org

While not obvious, kvm_vcpu_reset() leaves the nested mode by clearing
'vcpu->arch.hflags' but it does so without all the required housekeeping.

On SVM, it is possible to have a vCPU reset while in guest mode because,
unlike VMX, on SVM INITs are not latched in SVM non-root mode, and in
addition to that L1 doesn't have to intercept triple fault, which should
also trigger L1's reset if it happens in L2 while L1 didn't intercept it.

If one of the above conditions happens, KVM will continue to use vmcb02
while not being in guest mode. Later the IA32_EFER will be cleared, which
will lead to freeing of the nested guest state, which will (correctly) free
the vmcb02, but since KVM still uses it (incorrectly) this will lead to a
use after free and kernel crash.

This issue is assigned CVE-2022-3344

Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky --- arch/x86/kvm/x86.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 316ab1d5317f92..3fd900504e683b 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11694,8 +11694,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) WARN_ON_ONCE(!init_event && (old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu))); + /* + * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's + * possible to INIT the vCPU while L2 is active. Force the vCPU back + * into L1 as EFER.SVME is cleared on INIT (along with all other EFER + * bits), i.e. virtualization is disabled. + */ + if (is_guest_mode(vcpu)) + kvm_leave_nested(vcpu); + kvm_lapic_reset(vcpu, init_event); + WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu)); vcpu->arch.hflags = 0; vcpu->arch.smi_pending = 0; -- 2.34.3
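Review bot: the hunk calls kvm_leave_nested(), which is neither defined nor declared in this diff, yet the patch is Cc: stable; please name the commit that introduces kvm_leave_nested() (in the commit message or the cover letter) so a stable backport does not pick up this patch alone and fail to build. Also, the new `WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu));` asserts that SMM has been left too, but the added comment only explains the nested-guest case (EFER.SVME cleared on INIT); one sentence on why is_smm() is expected to be false here (INIT is latched while the vCPU is in SMM, so reaching reset in SMM would itself be a bug) would make the assertion self-explanatory, or the is_smm() half could be split into its own patch with its own justification.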
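The sequence the commit message describes (reset while L2 is active, hflags cleared, EFER cleared, vmcb02 freed, stale pointer still in use) can be modelled in user space to see why clearing the flag alone is not enough and why leaving nested mode first closes the gap. The following is an added example, not code from the patch or from the kernel: every name in it (struct vcpu_model, struct vmcb_model, enter_nested, leave_nested, set_efer, the two reset variants) is a hypothetical stand-in for the corresponding KVM state, and a "freed" marker replaces a real free() so the dangling pointer can be detected without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins: a one-bit guest-mode flag and the real EFER.SVME bit. */
#define HF_GUEST_MASK (1U << 0)
#define EFER_SVME     (1ULL << 12)

/* A VMCB in this model carries a 'freed' marker instead of being free()d,
 * so a pointer to released state can be recognised safely. */
struct vmcb_model {
    uint64_t rip;
    bool freed;
};

struct vcpu_model {
    unsigned int hflags;             /* guest-mode flag, like vcpu->arch.hflags */
    uint64_t efer;
    struct vmcb_model vmcb01;        /* L1's VMCB, owned for the vCPU's lifetime */
    struct vmcb_model vmcb02_store;  /* backing storage for the L2 VMCB */
    struct vmcb_model *vmcb02;       /* non-NULL while nested state is allocated */
    struct vmcb_model *current_vmcb; /* the VMCB the next VMRUN would use */
};

static bool is_guest_mode(const struct vcpu_model *v)
{
    return (v->hflags & HF_GUEST_MASK) != 0;
}

static void vcpu_init(struct vcpu_model *v)
{
    memset(v, 0, sizeof(*v));
    v->current_vmcb = &v->vmcb01;
}

/* L1 runs L2: allocate vmcb02, switch to it, set the guest-mode flag. */
static void enter_nested(struct vcpu_model *v)
{
    v->vmcb02 = &v->vmcb02_store;
    v->vmcb02->freed = false;
    v->current_vmcb = v->vmcb02;
    v->hflags |= HF_GUEST_MASK;
}

/* The housekeeping the fix adds: clear the flag AND switch back to vmcb01. */
static void leave_nested(struct vcpu_model *v)
{
    v->hflags &= ~HF_GUEST_MASK;
    v->current_vmcb = &v->vmcb01;
}

/* Clearing EFER.SVME releases the nested state, as the commit message says. */
static void set_efer(struct vcpu_model *v, uint64_t efer)
{
    if (!(efer & EFER_SVME) && v->vmcb02) {
        v->vmcb02->freed = true;  /* stands in for the real free */
        v->vmcb02 = NULL;
    }
    v->efer = efer;
}

/* Reset as described before the fix: only hflags is cleared. */
static void vcpu_reset_unfixed(struct vcpu_model *v)
{
    v->hflags = 0;
    set_efer(v, 0);  /* INIT clears EFER, including SVME */
}

/* Reset with the patch's ordering: leave nested mode first, then the rest. */
static void vcpu_reset_fixed(struct vcpu_model *v)
{
    if (is_guest_mode(v))
        leave_nested(v);
    v->hflags = 0;
    set_efer(v, 0);
}

/* True if the vCPU would run a VMCB that has already been released. */
static bool runs_freed_vmcb(const struct vcpu_model *v)
{
    return v->current_vmcb != NULL && v->current_vmcb->freed;
}

/* Scenario: L1 enables SVM, enters L2, then the vCPU is reset while still in
 * L2 (possible on SVM, where INIT is not latched in non-root mode). Returns
 * whether the reset left a dangling vmcb02 pointer in use. */
bool reset_in_l2_leaves_dangling_vmcb(bool apply_fix)
{
    struct vcpu_model v;

    vcpu_init(&v);
    set_efer(&v, EFER_SVME);
    enter_nested(&v);
    if (apply_fix)
        vcpu_reset_fixed(&v);
    else
        vcpu_reset_unfixed(&v);
    return runs_freed_vmcb(&v);
}

int main(void)
{
    printf("unfixed reset uses freed vmcb02: %s\n",
           reset_in_l2_leaves_dangling_vmcb(false) ? "yes" : "no");
    printf("fixed reset uses freed vmcb02:   %s\n",
           reset_in_l2_leaves_dangling_vmcb(true) ? "yes" : "no");
    return 0;
}
```

The unfixed path shows the exact state the commit message calls out: after reset, is_guest_mode() is already false (hflags is zero), so nothing later in the flow notices that current_vmcb still points at the released vmcb02. The fixed path restores current_vmcb to vmcb01 before the flag is cleared, which is why the patch's WARN_ON_ONCE on is_guest_mode() just before `vcpu->arch.hflags = 0` is a meaningful check rather than a tautology.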