From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: pgonda@google.com, seanjc@google.com, theflow@google.com, vkuznets@redhat.com, thomas.lendacky@amd.com
Subject: [PATCH 0/3] KVM: SEV: only access GHCB fields once
Date: Fri, 4 Aug 2023 13:33:52 -0400
Message-Id: <20230804173355.51753-1-pbonzini@redhat.com>

The VMGEXIT handler has a time-of-check/time-of-use vulnerability; due to a double fetch, the guest can exploit a race condition to invoke the VMGEXIT handler recursively. It is extremely difficult to reliably win the race ~100 consecutive times in order to cause an overflow, and the impact is usually mitigated by CONFIG_VMAP_STACK, but it ought to be fixed anyway. One way to do so could be to snapshot the whole GHCB, but this is relatively expensive.

Instead, because the VMGEXIT handler already syncs the GHCB to internal KVM state, this series makes sure that the GHCB is not read outside sev_es_sync_from_ghcb(). Patch 1 adds caching for fields that currently are not snapshotted in host memory; patch 2 ensures that the cached fields are always used, thus fixing the race. Finally, patch 3 removes some local variables that are prone to incorrect use, to avoid reintroducing the race in other places.

Please review!

Paolo

Paolo Bonzini (3):
  KVM: SEV: snapshot the GHCB before accessing it
  KVM: SEV: only access GHCB fields once
  KVM: SEV: remove ghcb variable declarations

 arch/x86/kvm/svm/sev.c | 124 ++++++++++++++++++++---------------------
 arch/x86/kvm/svm/svm.h |  26 +++++++++
 2 files changed, 87 insertions(+), 63 deletions(-)

-- 
2.39.0
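The double fetch the cover letter describes, reduced to a stand-alone C model. This is an added example and not KVM code: the page layout, the field names, the exit-code values, `handle_double_fetch`, `handle_snapshot`, `sync_from_shared` and the `guest_race_fn` hook are all assumptions chosen for the demonstration. The race window is made deterministic by calling the "guest" between the handler's two reads of the shared page; the snapshot variant mirrors the series' approach of reading the guest-shared structure in exactly one sync routine and then checking and dispatching on the host-private copy. Only the check bypass is modelled, not the recursive re-entry and stack exhaustion the cover letter mentions as its consequence.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Assumed, simplified guest-shared page. The guest may rewrite it at any
 * time, so the host must assume every read can differ from the last one.
 * Layout and names are for this demo only, not the real GHCB.
 */
struct shared_page {
    volatile uint64_t exit_code;
    volatile uint64_t exit_info_1;
};

enum {
    EXIT_MMIO_READ  = 1,  /* allowed through this handler */
    EXIT_MMIO_WRITE = 2,  /* allowed through this handler */
    EXIT_FORBIDDEN  = 3   /* must never reach the dispatch path */
};

/* Stand-in for a concurrently running guest vCPU: the handler invokes it
 * between its first and second read of the page, i.e. exactly where a real
 * guest would have to land its write to win the race. */
typedef void (*guest_race_fn)(struct shared_page *page);

/* VULNERABLE: validates one read of exit_code, then dispatches on a second
 * read. Returns the code actually dispatched, or -1 if validation rejected
 * the request. */
static int handle_double_fetch(struct shared_page *page, guest_race_fn race)
{
    /* time of check: first fetch from the shared page */
    if (page->exit_code != EXIT_MMIO_READ && page->exit_code != EXIT_MMIO_WRITE)
        return -1;

    if (race)
        race(page);                    /* guest rewrites the page here */

    /* time of use: second fetch, no longer the value that was validated */
    switch (page->exit_code) {
    case EXIT_MMIO_READ:  return EXIT_MMIO_READ;
    case EXIT_MMIO_WRITE: return EXIT_MMIO_WRITE;
    default:              return (int)page->exit_code; /* unvalidated path reached */
    }
}

/* FIXED: copy the needed fields once into host-private memory and never
 * touch the shared page again, so check and use see the same value. */
struct ghcb_snapshot {
    uint64_t exit_code;
    uint64_t exit_info_1;
};

static void sync_from_shared(const struct shared_page *page, struct ghcb_snapshot *s)
{
    s->exit_code   = page->exit_code;  /* the only reads of the shared page */
    s->exit_info_1 = page->exit_info_1;
}

static int handle_snapshot(struct shared_page *page, guest_race_fn race)
{
    struct ghcb_snapshot s;

    sync_from_shared(page, &s);

    if (s.exit_code != EXIT_MMIO_READ && s.exit_code != EXIT_MMIO_WRITE)
        return -1;

    if (race)
        race(page);                    /* guest write no longer matters */

    switch (s.exit_code) {
    case EXIT_MMIO_READ:  return EXIT_MMIO_READ;
    case EXIT_MMIO_WRITE: return EXIT_MMIO_WRITE;
    default:              return -2;   /* unreachable: s was validated above */
    }
}

/* Demo guest: swap the validated code for one the handler must reject. */
static void flip_to_forbidden(struct shared_page *page)
{
    page->exit_code = EXIT_FORBIDDEN;
}

/* Run one scenario on a fresh page holding `initial` as its exit code;
 * use_snapshot selects the handler, raced selects guest interference. */
static int run_scenario(int use_snapshot, int raced, uint64_t initial)
{
    struct shared_page page = { initial, 0 };
    guest_race_fn race = raced ? flip_to_forbidden : NULL;

    return use_snapshot ? handle_snapshot(&page, race)
                        : handle_double_fetch(&page, race);
}

int main(void)
{
    printf("double fetch, no race : %d\n", run_scenario(0, 0, EXIT_MMIO_READ));
    printf("double fetch, raced   : %d (forbidden code dispatched)\n",
           run_scenario(0, 1, EXIT_MMIO_READ));
    printf("snapshot,     raced   : %d\n", run_scenario(1, 1, EXIT_MMIO_READ));
    printf("snapshot,     rejected: %d\n", run_scenario(1, 0, EXIT_FORBIDDEN));
    return 0;
}
```

The `volatile` qualifier is there only so the compiler cannot merge the two reads and hide the bug in the model; it is not a defence. The fix is structural: after `sync_from_shared` returns, nothing in the fixed handler dereferences the shared page, which is the same property the series enforces by confining GHCB reads to sev_es_sync_from_ghcb(). A local pointer to the shared page kept around "for convenience" is how such races creep back in, which is the motivation the cover letter gives for patch 3.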