From: Peter Gonda
Date: Wed, 9 Aug 2023 08:38:10 -0600
Subject: Re: [PATCH 0/3] KVM: SEV: only access GHCB fields once
To: Paolo Bonzini
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, seanjc@google.com, theflow@google.com, vkuznets@redhat.com, thomas.lendacky@amd.com
In-Reply-To: <20230804173355.51753-1-pbonzini@redhat.com>

On Fri, Aug 4, 2023 at 11:34 AM Paolo Bonzini wrote:
>
> The VMGEXIT handler has a time-of-check/time-of-use vulnerability; due
> to a double fetch, the guest can exploit a race condition to invoke
> the VMGEXIT handler recursively. It is extremely difficult to
> reliably win the race ~100 consecutive times in order to cause an
> overflow, and the impact is usually mitigated by CONFIG_VMAP_STACK,
> but it ought to be fixed anyway.
>
> One way to do so could be to snapshot the whole GHCB, but this is
> relatively expensive. Instead, because the VMGEXIT handler already
> syncs the GHCB to internal KVM state, this series makes sure that the
> GHCB is not read outside sev_es_sync_from_ghcb().
>
> Patch 1 adds caching for fields that currently are not snapshotted
> in host memory; patch 2 ensures that the cached fields are always used,
> thus fixing the race. Finally patch 3 removes some local variables
> that are prone to incorrect use, to avoid reintroducing the race in
> other places.
>
> Please review!
>

Tested-by: Peter Gonda

I booted an Ubuntu guest and ran our internal GHCB correctness test with these patches.
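The double-fetch pattern the cover letter describes, and the sync-once fix the series adopts, reduced to a small C model. This is an added example, not code from the series or from KVM: `shared_block`, `cached_block`, `load_len`, `sync_from_shared` and the two handler names are stand-ins constructed here, and the "racing guest" is simulated deterministically by rewriting the shared field after every host load instead of by a real concurrent vCPU. It shows why a handler that checks a guest-written field and then reads it again for use can end up acting on a value it never validated, while a handler that syncs the field into host-private state once and only consults the cached copy cannot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_SIZE 64u

/* Hypothetical guest-shared control block standing in for a GHCB-like page.
 * Constructed for this example; it is not KVM's struct ghcb. */
struct shared_block {
	uint64_t exit_code;
	uint64_t len;            /* guest-chosen byte count, must be <= DATA_SIZE */
	uint8_t data[DATA_SIZE];
};

/* Simulated environment: the shared page plus a switch that makes a
 * "racing guest" rewrite `len` immediately after every host load of it. */
struct sim {
	struct shared_block blk;
	int race;
};

/* Models one load of blk.len from guest memory. Each call is one fetch;
 * with race set, the guest flips the field between consecutive fetches. */
static uint64_t load_len(struct sim *s)
{
	uint64_t v = s->blk.len;

	if (s->race)
		s->blk.len = (v <= DATA_SIZE) ? 4 * DATA_SIZE : DATA_SIZE / 4;
	return v;
}

/* Vulnerable pattern: the bounds check and the use each fetch `len`
 * separately (a double fetch). Returns the length that would be handed
 * to a copy into a DATA_SIZE buffer, or -1 if the check rejected it. */
static long handle_double_fetch(struct sim *s)
{
	if (load_len(s) > DATA_SIZE)     /* time of check: first fetch */
		return -1;
	return (long)load_len(s);        /* time of use: second fetch */
}

/* Hardened pattern, mirroring the series' approach: sync the guest-written
 * fields into host-private state exactly once, then only consult the cached
 * copy. The racing guest can still rewrite the shared page, but the host
 * never reads it again for this exit. */
struct cached_block {
	uint64_t exit_code;
	uint64_t len;
};

static void sync_from_shared(struct sim *s, struct cached_block *c)
{
	c->exit_code = s->blk.exit_code;
	c->len = load_len(s);            /* the single fetch of len */
}

static long handle_snapshot(struct sim *s)
{
	struct cached_block c;

	sync_from_shared(s, &c);
	if (c.len > DATA_SIZE)           /* check and use see the same value */
		return -1;
	return (long)c.len;
}

/* Build a fresh shared page with a length that passes the bounds check. */
static void init_sim(struct sim *s, int race)
{
	memset(s, 0, sizeof(*s));
	s->blk.exit_code = 0x1;          /* constructed value, meaning irrelevant here */
	s->blk.len = 16;
	s->race = race;
}

long run_double_fetch(int race)
{
	struct sim s;

	init_sim(&s, race);
	return handle_double_fetch(&s);
}

long run_snapshot(int race)
{
	struct sim s;

	init_sim(&s, race);
	return handle_snapshot(&s);
}

int main(void)
{
	printf("double fetch, no race: %ld\n", run_double_fetch(0)); /* 16 */
	printf("double fetch, racing:  %ld\n", run_double_fetch(1)); /* 256: check saw 16, use saw 256 */
	printf("snapshot, racing:      %ld\n", run_snapshot(1));     /* 16 */
	return 0;
}
```

The model deliberately stops at reporting the length rather than performing the copy; the point is that the first handler returns a size larger than its own check allows, which is exactly the class of bug the series closes by routing every GHCB read through the one sync step.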