From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Will Deacon <will@kernel.org>,
Marc Zyngier <maz@kernel.org>
Subject: [PATCH 4.19 26/48] KVM: arm64: Fix 32bit PC wrap-around
Date: Wed, 13 May 2020 11:44:52 +0200 [thread overview]
Message-ID: <20200513094357.501897308@linuxfoundation.org> (raw)
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>
From: Marc Zyngier <maz@kernel.org>
commit 0225fd5e0a6a32af7af0aefac45c8ebf19dc5183 upstream.
In the unlikely event that a 32bit vcpu traps into the hypervisor
on an instruction that is located right at the end of the 32bit
range, the emulation of that instruction is going to increment
PC past the 32bit range. This isn't great, as userspace can then
observe this value and get a bit confused.
Conversly, userspace can do things like (in the context of a 64bit
guest that is capable of 32bit EL0) setting PSTATE to AArch64-EL0,
set PC to a 64bit value, change PSTATE to AArch32-USR, and observe
that PC hasn't been truncated. More confusion.
Fix both by:
- truncating PC increments for 32bit guests
- sanitizing all 32bit regs every time a core reg is changed by
userspace, and that PSTATE indicates a 32bit mode.
Cc: stable@vger.kernel.org
Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/guest.c | 7 +++++++
virt/kvm/arm/hyp/aarch32.c | 8 ++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -179,6 +179,13 @@ static int set_core_reg(struct kvm_vcpu
}
memcpy((u32 *)regs + off, valp, KVM_REG_SIZE(reg->id));
+
+ if (*vcpu_cpsr(vcpu) & PSR_MODE32_BIT) {
+ int i;
+
+ for (i = 0; i < 16; i++)
+ *vcpu_reg32(vcpu, i) = (u32)*vcpu_reg32(vcpu, i);
+ }
out:
return err;
}
--- a/virt/kvm/arm/hyp/aarch32.c
+++ b/virt/kvm/arm/hyp/aarch32.c
@@ -125,12 +125,16 @@ static void __hyp_text kvm_adjust_itstat
*/
void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr)
{
+ u32 pc = *vcpu_pc(vcpu);
bool is_thumb;
is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT);
if (is_thumb && !is_wide_instr)
- *vcpu_pc(vcpu) += 2;
+ pc += 2;
else
- *vcpu_pc(vcpu) += 4;
+ pc += 4;
+
+ *vcpu_pc(vcpu) = pc;
+
kvm_adjust_itstate(vcpu);
}
next prev parent reply other threads:[~2020-05-13 10:05 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-13 9:44 [PATCH 4.19 00/48] 4.19.123-rc1 review Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 01/48] USB: serial: qcserial: Add DW5816e support Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 02/48] tracing/kprobes: Fix a double initialization typo Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 03/48] vt: fix unicode console freeing with a common interface Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 04/48] dp83640: reverse arguments to list_add_tail Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 05/48] fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 06/48] net: macsec: preserve ingress frame ordering Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 07/48] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 08/48] net_sched: sch_skbprio: add message validation to skbprio_change() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 09/48] net: usb: qmi_wwan: add support for DW5816e Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 10/48] sch_choke: avoid potential panic in choke_reset() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 11/48] sch_sfq: validate silly quantum values Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 12/48] tipc: fix partial topology connection closure Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 13/48] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 14/48] net/mlx5: Fix forced completion access non initialized command entry Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 15/48] net/mlx5: Fix command entry leak in Internal Error State Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 16/48] bnxt_en: Improve AER slot reset Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 17/48] bnxt_en: Fix VF anti-spoof filter setup Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 18/48] net: stricter validation of untrusted gso packets Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 19/48] HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 20/48] sctp: Fix bundling of SHUTDOWN with COOKIE-ACK Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 21/48] HID: usbhid: Fix race between usbhid_close() and usbhid_stop() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 22/48] USB: uas: add quirk for LaCie 2Big Quadra Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 23/48] USB: serial: garmin_gps: add sanity checking for data length Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 24/48] tracing: Add a vmalloc_sync_mappings() for safe measure Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 25/48] KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER Greg Kroah-Hartman
2020-05-13 9:44 ` Greg Kroah-Hartman [this message]
2020-05-13 9:44 ` [PATCH 4.19 27/48] arm64: hugetlb: avoid potential NULL dereference Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 28/48] mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 29/48] staging: gasket: Check the return value of gasket_get_bar_index() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 30/48] coredump: fix crash when umh is disabled Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 31/48] KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 32/48] KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()s asm blob Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 33/48] batman-adv: fix batadv_nc_random_weight_tq Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 34/48] batman-adv: Fix refcnt leak in batadv_show_throughput_override Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 35/48] batman-adv: Fix refcnt leak in batadv_store_throughput_override Greg Kroah-Hartman
2020-05-13 21:03 ` Pavel Machek
2020-05-13 9:45 ` [PATCH 4.19 36/48] batman-adv: Fix refcnt leak in batadv_v_ogm_process Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 37/48] x86/entry/64: Fix unwind hints in register clearing code Greg Kroah-Hartman
2020-05-13 21:48 ` Pavel Machek
2020-05-14 19:27 ` Josh Poimboeuf
2020-05-13 9:45 ` [PATCH 4.19 38/48] x86/entry/64: Fix unwind hints in kernel exit path Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 39/48] x86/entry/64: Fix unwind hints in rewind_stack_do_exit() Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 40/48] x86/unwind/orc: Dont skip the first frame for inactive tasks Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization Greg Kroah-Hartman
2020-05-13 21:52 ` Pavel Machek
2020-05-14 19:44 ` Josh Poimboeuf
2020-05-14 20:13 ` Pavel Machek
2020-05-14 20:28 ` Josh Poimboeuf
2020-05-13 9:45 ` [PATCH 4.19 42/48] x86/unwind/orc: Fix error path for bad ORC entry type Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 43/48] x86/unwind/orc: Fix premature unwind stoppage due to IRET frames Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 44/48] netfilter: nat: never update the UDP checksum when its 0 Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 45/48] netfilter: nf_osf: avoid passing pointer to local var Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 46/48] objtool: Fix stack offset tracking for indirect CFAs Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 47/48] scripts/decodecode: fix trapping instruction formatting Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 48/48] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() Greg Kroah-Hartman
[not found] ` <20200513094351.100352960-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-05-13 13:45 ` [PATCH 4.19 00/48] 4.19.123-rc1 review Jon Hunter
2020-05-13 13:45 ` Jon Hunter
2020-05-13 17:03 ` Guenter Roeck
2020-05-13 18:14 ` Naresh Kamboju
2020-05-13 19:29 ` Chris Paterson
2020-05-13 23:02 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200513094357.501897308@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=stable@vger.kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.