From: Maxim Levitsky
To: kvm@vger.kernel.org
Cc: Will Deacon, Borislav Petkov, Dave Hansen, Suravee Suthikulpanit, Thomas Gleixner, Paolo Bonzini, x86@kernel.org, Robin Murphy, iommu@lists.linux.dev, Ingo Molnar, Joerg Roedel, Sean Christopherson, "H. Peter Anvin", linux-kernel@vger.kernel.org, Maxim Levitsky, stable@vger.kernel.org
Subject: [PATCH 1/5] x86: KVM: SVM: fix for x2avic CVE-2023-5090
Date: Thu, 28 Sep 2023 18:04:24 +0300
Message-Id: <20230928150428.199929-2-mlevitsk@redhat.com>
In-Reply-To: <20230928150428.199929-1-mlevitsk@redhat.com>
References: <20230928150428.199929-1-mlevitsk@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 28 Sep 2023 08:05:39 -0700 (PDT)

The following problem exists since the x2avic was enabled in the KVM:

svm_set_x2apic_msr_interception is called to enable the interception of the x2apic msrs. In particular it is called at the moment the guest resets its apic. Assuming that the guest's apic was in x2apic mode, the reset will bring it back to the xapic mode.

The svm_set_x2apic_msr_interception, however, has an erroneous check for '!apic_x2apic_mode()' which prevents it from doing anything in this case.

As a result of this, all x2apic msrs are left unintercepted, and that exposes the bare metal x2apic (if enabled) to the guest. Oops.

Remove the erroneous '!apic_x2apic_mode()' check to fix that.

Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky --- arch/x86/kvm/svm/svm.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 9507df93f410a63..acdd0b89e4715a3 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -913,8 +913,7 @@ void svm_set_x2apic_msr_interception(struct vcpu_svm *svm, bool intercept) if (intercept == svm->x2avic_msrs_intercepted) return; - if (!x2avic_enabled || - !apic_x2apic_mode(svm->vcpu.arch.apic)) + if (!x2avic_enabled) return; for (i = 0; i < MAX_DIRECT_ACCESS_MSRS; i++) { -- 2.26.3
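Review bot: Dropping the `!apic_x2apic_mode(svm->vcpu.arch.apic)` condition leaves only two guards in svm_set_x2apic_msr_interception(), the early return on `intercept == svm->x2avic_msrs_intercepted` and `if (!x2avic_enabled) return;`, so the decision of whether the MSRs should be intercepted now rests entirely with the caller, including on the x2apic-to-xapic reset path the commit message describes; a short comment above the remaining check stating that the APIC mode is deliberately not consulted here would keep someone from reintroducing the condition later. The commit message carries Cc: stable but no Fixes: tag naming the commit that added the removed check, which is what the stable maintainers rely on to decide which branches need the backport.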
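To make the failure mode in the commit message concrete, here is an added, self-contained C model of the state involved, written for this page and not taken from the kernel: a constructed `struct vcpu_model` stands in for the vCPU's x2AVIC state, and two functions mirror the pre-patch and post-patch guards of svm_set_x2apic_msr_interception(). The scenario replays the sequence from the message (guest enters x2apic mode, interception is dropped, guest resets its APIC back to xapic, interception must be restored) and returns whether the MSRs end up intercepted. All names other than the kernel identifiers quoted from the page are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the vCPU state involved in the bug (assumption of this
 * example; the kernel keeps this state in struct vcpu_svm and the APIC). */
enum apic_mode { APIC_MODE_XAPIC, APIC_MODE_X2APIC };

struct vcpu_model {
    bool x2avic_enabled;          /* host-wide x2AVIC support switched on */
    enum apic_mode mode;          /* current guest APIC mode */
    bool x2avic_msrs_intercepted; /* whether the x2apic MSR range is intercepted */
};

/* Mirrors the pre-patch guard: refuses to change anything unless the guest
 * APIC is currently in x2apic mode. */
static void set_x2apic_msr_interception_buggy(struct vcpu_model *v, bool intercept)
{
    if (intercept == v->x2avic_msrs_intercepted)
        return;
    if (!v->x2avic_enabled || v->mode != APIC_MODE_X2APIC)
        return;
    v->x2avic_msrs_intercepted = intercept;
}

/* Mirrors the patched guard: only x2avic_enabled gates the update. */
static void set_x2apic_msr_interception_fixed(struct vcpu_model *v, bool intercept)
{
    if (intercept == v->x2avic_msrs_intercepted)
        return;
    if (!v->x2avic_enabled)
        return;
    v->x2avic_msrs_intercepted = intercept;
}

typedef void (*set_intercept_fn)(struct vcpu_model *, bool);

/* Replays the scenario from the commit message and reports whether the x2apic
 * MSRs are intercepted once the guest has reset its APIC back to xapic mode. */
bool msrs_intercepted_after_reset(set_intercept_fn set_intercept)
{
    struct vcpu_model v = {
        .x2avic_enabled = true,
        .mode = APIC_MODE_XAPIC,
        .x2avic_msrs_intercepted = true, /* initial state: MSRs intercepted */
    };

    /* Guest switches to x2apic mode; x2AVIC lets it access the MSRs directly. */
    v.mode = APIC_MODE_X2APIC;
    set_intercept(&v, false);

    /* Guest resets its APIC back to xapic mode; interception must come back.
     * The buggy guard sees mode != x2apic and returns without doing so. */
    v.mode = APIC_MODE_XAPIC;
    set_intercept(&v, true);

    return v.x2avic_msrs_intercepted;
}

int main(void)
{
    printf("pre-patch guard: MSRs intercepted after reset = %d\n",
           msrs_intercepted_after_reset(set_x2apic_msr_interception_buggy));
    printf("patched guard:   MSRs intercepted after reset = %d\n",
           msrs_intercepted_after_reset(set_x2apic_msr_interception_fixed));
    return 0;
}
```

With the pre-patch guard the model ends with the MSRs still unintercepted after the reset, which is the exposure the message describes; with the patched guard interception is restored. The model deliberately keeps the `intercept == x2avic_msrs_intercepted` early return, since that is the check that makes the second call a no-op only when state already matches.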