* [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO
@ 2021-01-10  7:11 Hyunwook (Wooky) Baek
  2021-01-11 11:47 ` [tip: x86/seves] x86/sev-es: Handle string port IO to kernel memory properly tip-bot2 for Hyunwook (Wooky) Baek
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Hyunwook (Wooky) Baek @ 2021-01-10  7:11 UTC (permalink / raw)
  To: Thomas Gleixner, Ingo Molnar, Borislav Petkov
  Cc: Joerg Roedel, Tom Lendacky, David Rientjes, Sean Christopherson,
	linux-kernel, x86, Hyunwook (Wooky) Baek

Don't assume dest/source buffers are userspace addresses when manually
copying data for string I/O or MOVS MMIO, as {get,put}_user() will fail
if handed a kernel address and ultimately lead to a kernel panic.

Signed-off-by: Hyunwook (Wooky) Baek <baekhw@google.com>
Acked-by: David Rientjes <rientjes@google.com>
---

This patch is tested by invoking INSB/OUTSB instructions in kernel space in a
SEV-ES-enabled VM. Without the patch, the kernel crashed with the following
message:
  "SEV-ES: Unsupported exception in #VC instruction emulation - can't continue"
With the patch, the instructions successfully read/wrote the string from/to
the I/O port.

 arch/x86/kernel/sev-es.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/x86/kernel/sev-es.c b/arch/x86/kernel/sev-es.c
index 0bd1a0fc587e..ab31c34ba508 100644
--- a/arch/x86/kernel/sev-es.c
+++ b/arch/x86/kernel/sev-es.c
@@ -286,6 +286,12 @@ static enum es_result vc_write_mem(struct es_em_ctxt *ctxt,
 	u16 d2;
 	u8  d1;

+	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
+	if (!user_mode(ctxt->regs) && !access_ok(target, size)) {
+		memcpy(dst, buf, size);
+		return ES_OK;
+	}
+
 	switch (size) {
 	case 1:
 		memcpy(&d1, buf, 1);
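Review bot: the new kernel-buffer branch in vc_write_mem() calls memcpy(dst, buf, size) with no fault handling and then returns ES_OK unconditionally, so a bad kernel destination faults inside the #VC handler instead of being reported as a failed access the way the {get,put}_user() accessors named in the commit message report one. Consider a fault-tolerant copy such as copy_to_kernel_nofault(dst, buf, size) and returning an error result when it fails.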
@@ -335,6 +341,12 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
 	u16 d2;
 	u8  d1;

+	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
+	if (!user_mode(ctxt->regs) && !access_ok(s, size)) {
+		memcpy(buf, src, size);
+		return ES_OK;
+	}
+
 	switch (size) {
 	case 1:
 		if (get_user(d1, s))
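Review bot: in vc_read_mem() the added memcpy(buf, src, size) reads a kernel address unguarded, while the existing path right below it checks the result of get_user(d1, s). If src is unmapped, the emulation takes a fault where the user path would have returned an error. copy_from_kernel_nofault(buf, src, size) with its return value checked would keep the two paths symmetrical.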
--
2.30.0.284.gd98b1dd5eaa7-goog



* [tip: x86/seves] x86/sev-es: Handle string port IO to kernel memory properly
  2021-01-10  7:11 [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO Hyunwook (Wooky) Baek
@ 2021-01-11 11:47 ` tip-bot2 for Hyunwook (Wooky) Baek
  2021-01-11 18:29 ` [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO Tom Lendacky
  2021-01-11 19:14 ` [tip: x86/urgent] x86/sev-es: Handle string port IO to kernel memory properly tip-bot2 for Hyunwook (Wooky) Baek
  2 siblings, 0 replies; 6+ messages in thread
From: tip-bot2 for Hyunwook (Wooky) Baek @ 2021-01-11 11:47 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: Hyunwook (Wooky) Baek, Borislav Petkov, David Rientjes, x86,
	linux-kernel

The following commit has been merged into the x86/seves branch of tip:

Commit-ID:     36648d64ac3420b3cfa741b12b14633fad9651e4
Gitweb:        https://git.kernel.org/tip/36648d64ac3420b3cfa741b12b14633fad9651e4
Author:        Hyunwook (Wooky) Baek <baekhw@google.com>
AuthorDate:    Sat, 09 Jan 2021 23:11:02 -08:00
Committer:     Borislav Petkov <bp@suse.de>
CommitterDate: Mon, 11 Jan 2021 12:22:10 +01:00

x86/sev-es: Handle string port IO to kernel memory properly

Don't assume dest/source buffers are userspace addresses when manually
copying data for string I/O or MOVS MMIO, as {get,put}_user() will fail
if handed a kernel address and ultimately lead to a kernel panic.

When invoking INSB/OUTSB instructions in kernel space in a
SEV-ES-enabled VM, the kernel crashes with the following message:

  "SEV-ES: Unsupported exception in #VC instruction emulation - can't continue"

Handle that case properly.

 [ bp: Massage commit message. ]

Signed-off-by: Hyunwook (Wooky) Baek <baekhw@google.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: David Rientjes <rientjes@google.com>
Link: https://lkml.kernel.org/r/20210110071102.2576186-1-baekhw@google.com
---
 arch/x86/kernel/sev-es.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/x86/kernel/sev-es.c b/arch/x86/kernel/sev-es.c
index 0bd1a0f..ab31c34 100644
--- a/arch/x86/kernel/sev-es.c
+++ b/arch/x86/kernel/sev-es.c
@@ -286,6 +286,12 @@ static enum es_result vc_write_mem(struct es_em_ctxt *ctxt,
 	u16 d2;
 	u8  d1;
 
+	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
+	if (!user_mode(ctxt->regs) && !access_ok(target, size)) {
+		memcpy(dst, buf, size);
+		return ES_OK;
+	}
+
 	switch (size) {
 	case 1:
 		memcpy(&d1, buf, 1);
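Review bot: the comment above the new test in vc_write_mem() says the I/O buffer is in kernel space, but !access_ok(target, size) only establishes that the range is not a valid user range. Anything access_ok() rejects, not just a mapped kernel buffer, reaches the memcpy(). Either reword the comment to say what is actually checked or add a positive check on the destination before copying.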
@@ -335,6 +341,12 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
 	u16 d2;
 	u8  d1;
 
+	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
+	if (!user_mode(ctxt->regs) && !access_ok(s, size)) {
+		memcpy(buf, src, size);
+		return ES_OK;
+	}
+
 	switch (size) {
 	case 1:
 		if (get_user(d1, s))
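Review bot: the early return in vc_read_mem() sits ahead of switch (size), so the new branch copies whatever size the caller passes, whereas the existing code dispatches on specific sizes (case 1 is visible here). If the switch rejects unexpected sizes, the kernel-buffer path should apply the same restriction, for example by validating size before the new test.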


* Re: [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO
  2021-01-10  7:11 [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO Hyunwook (Wooky) Baek
  2021-01-11 11:47 ` [tip: x86/seves] x86/sev-es: Handle string port IO to kernel memory properly tip-bot2 for Hyunwook (Wooky) Baek
@ 2021-01-11 18:29 ` Tom Lendacky
  2021-01-11 18:55   ` David Rientjes
  2021-01-11 18:59   ` Borislav Petkov
  2021-01-11 19:14 ` [tip: x86/urgent] x86/sev-es: Handle string port IO to kernel memory properly tip-bot2 for Hyunwook (Wooky) Baek
  2 siblings, 2 replies; 6+ messages in thread
From: Tom Lendacky @ 2021-01-11 18:29 UTC (permalink / raw)
  To: Hyunwook (Wooky) Baek, Thomas Gleixner, Ingo Molnar, Borislav Petkov
  Cc: Joerg Roedel, David Rientjes, Sean Christopherson, linux-kernel, x86

On 1/10/21 1:11 AM, Hyunwook (Wooky) Baek wrote:
> Don't assume dest/source buffers are userspace addresses when manually
> copying data for string I/O or MOVS MMIO, as {get,put}_user() will fail
> if handed a kernel address and ultimately lead to a kernel panic.
> 
> Signed-off-by: Hyunwook (Wooky) Baek <baekhw@google.com>
> Acked-by: David Rientjes <rientjes@google.com>
> ---
> 
> This patch is tested by invoking INSB/OUTSB instructions in kernel space in a
> SEV-ES-enabled VM. Without the patch, the kernel crashed with the following
> message:
>    "SEV-ES: Unsupported exception in #VC instruction emulation - can't continue"
> With the patch, the instructions successfully read/wrote the string from/to
> the I/O port.

Shouldn't this have a Fixes: tag?

Thanks,
Tom

> 
>   arch/x86/kernel/sev-es.c | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
> 


* Re: [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO
  2021-01-11 18:29 ` [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO Tom Lendacky
@ 2021-01-11 18:55   ` David Rientjes
  2021-01-11 18:59   ` Borislav Petkov
  1 sibling, 0 replies; 6+ messages in thread
From: David Rientjes @ 2021-01-11 18:55 UTC (permalink / raw)
  To: Tom Lendacky
  Cc: Hyunwook (Wooky) Baek, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, Joerg Roedel, Sean Christopherson, linux-kernel,
	x86

On Mon, 11 Jan 2021, Tom Lendacky wrote:

> > Don't assume dest/source buffers are userspace addresses when manually
> > copying data for string I/O or MOVS MMIO, as {get,put}_user() will fail
> > if handed a kernel address and ultimately lead to a kernel panic.
> > 
> > Signed-off-by: Hyunwook (Wooky) Baek <baekhw@google.com>
> > Acked-by: David Rientjes <rientjes@google.com>
> > ---
> > 
> > This patch is tested by invoking INSB/OUTSB instructions in kernel space in
> > a
> > SEV-ES-enabled VM. Without the patch, the kernel crashed with the following
> > message:
> >    "SEV-ES: Unsupported exception in #VC instruction emulation - can't
> > continue"
> > With the patch, the instructions successfully read/wrote the string from/to
> > the I/O port.
> 
> Shouldn't this have a Fixes: tag?
> 

Makes sense, I think this should likely be:

Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image")


* Re: [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO
  2021-01-11 18:29 ` [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO Tom Lendacky
  2021-01-11 18:55   ` David Rientjes
@ 2021-01-11 18:59   ` Borislav Petkov
  1 sibling, 0 replies; 6+ messages in thread
From: Borislav Petkov @ 2021-01-11 18:59 UTC (permalink / raw)
  To: Tom Lendacky
  Cc: Hyunwook (Wooky) Baek, Thomas Gleixner, Ingo Molnar,
	Joerg Roedel, David Rientjes, Sean Christopherson, linux-kernel,
	x86

On Mon, Jan 11, 2021 at 12:29:08PM -0600, Tom Lendacky wrote:
> Shouldn't this have a Fixes: tag?

Yah, moving to x86/urgent after a quick IRC clarification.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* [tip: x86/urgent] x86/sev-es: Handle string port IO to kernel memory properly
  2021-01-10  7:11 [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO Hyunwook (Wooky) Baek
  2021-01-11 11:47 ` [tip: x86/seves] x86/sev-es: Handle string port IO to kernel memory properly tip-bot2 for Hyunwook (Wooky) Baek
  2021-01-11 18:29 ` [PATCH V2] x86/sev-es: Fix SEV-ES #VC handler for string port IO Tom Lendacky
@ 2021-01-11 19:14 ` tip-bot2 for Hyunwook (Wooky) Baek
  2 siblings, 0 replies; 6+ messages in thread
From: tip-bot2 for Hyunwook (Wooky) Baek @ 2021-01-11 19:14 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: Hyunwook (Wooky) Baek, Borislav Petkov, David Rientjes, x86,
	linux-kernel

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     7024f60d655272bd2ca1d3a4c9e0a63319b1eea1
Gitweb:        https://git.kernel.org/tip/7024f60d655272bd2ca1d3a4c9e0a63319b1eea1
Author:        Hyunwook (Wooky) Baek <baekhw@google.com>
AuthorDate:    Sat, 09 Jan 2021 23:11:02 -08:00
Committer:     Borislav Petkov <bp@suse.de>
CommitterDate: Mon, 11 Jan 2021 20:01:52 +01:00

x86/sev-es: Handle string port IO to kernel memory properly

Don't assume dest/source buffers are userspace addresses when manually
copying data for string I/O or MOVS MMIO, as {get,put}_user() will fail
if handed a kernel address and ultimately lead to a kernel panic.

When invoking INSB/OUTSB instructions in kernel space in a
SEV-ES-enabled VM, the kernel crashes with the following message:

  "SEV-ES: Unsupported exception in #VC instruction emulation - can't continue"

Handle that case properly.

 [ bp: Massage commit message. ]

Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image")
Signed-off-by: Hyunwook (Wooky) Baek <baekhw@google.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: David Rientjes <rientjes@google.com>
Link: https://lkml.kernel.org/r/20210110071102.2576186-1-baekhw@google.com
---
 arch/x86/kernel/sev-es.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/x86/kernel/sev-es.c b/arch/x86/kernel/sev-es.c
index 0bd1a0f..ab31c34 100644
--- a/arch/x86/kernel/sev-es.c
+++ b/arch/x86/kernel/sev-es.c
@@ -286,6 +286,12 @@ static enum es_result vc_write_mem(struct es_em_ctxt *ctxt,
 	u16 d2;
 	u8  d1;
 
+	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
+	if (!user_mode(ctxt->regs) && !access_ok(target, size)) {
+		memcpy(dst, buf, size);
+		return ES_OK;
+	}
+
 	switch (size) {
 	case 1:
 		memcpy(&d1, buf, 1);
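Review bot: the range check and the copy in this vc_write_mem() hunk name the destination differently, access_ok(target, size) versus memcpy(dst, buf, size), and the read hunk does the same with s and src. The declarations are outside the hunk, so a reader cannot confirm from here that the tested range is the one being written. A word in the comment that both names refer to the same address would help.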
@@ -335,6 +341,12 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
 	u16 d2;
 	u8  d1;
 
+	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
+	if (!user_mode(ctxt->regs) && !access_ok(s, size)) {
+		memcpy(buf, src, size);
+		return ES_OK;
+	}
+
 	switch (size) {
 	case 1:
 		if (get_user(d1, s))
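Review bot: this block and its comment in vc_read_mem() duplicate the one added to vc_write_mem(), with only the memcpy() arguments swapped. A small helper for the !user_mode(ctxt->regs) && !access_ok(...) test would keep the two from drifting apart. The comment could also say why the kernel case needs its own path ({get,put}_user() fails on a kernel address, per the commit message), which the code alone does not explain.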

