From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Maxim Levitsky <mlevitsk@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH 4.14 32/64] KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
Date: Tue, 24 Aug 2021 13:04:25 -0400 [thread overview]
Message-ID: <20210824170457.710623-33-sashal@kernel.org> (raw)
In-Reply-To: <20210824170457.710623-1-sashal@kernel.org>
From: Maxim Levitsky <mlevitsk@redhat.com>
[ upstream commit 0f923e07124df069ba68d8bb12324398f4b6b709 ]
* Invert the mask of bits that we pick from L2 in
nested_vmcb02_prepare_control
* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
This fixes a security issue that allowed a malicious L1 to run L2 with
AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
AVIC to read/write the host physical memory at some offsets.
Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/svm.h | 2 ++
arch/x86/kvm/svm.c | 15 ++++++++-------
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index 78dd9df88157..2a9e81e93aac 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -117,6 +117,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
#define V_IGN_TPR_SHIFT 20
#define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
+#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
+
#define V_INTR_MASKING_SHIFT 24
#define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 0e6e158b8f8f..5ff6c145fdbb 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1211,12 +1211,7 @@ static __init int svm_hardware_setup(void)
}
}
- if (vgif) {
- if (!boot_cpu_has(X86_FEATURE_VGIF))
- vgif = false;
- else
- pr_info("Virtual GIF supported\n");
- }
+ vgif = false; /* Disabled for CVE-2021-3653 */
return 0;
@@ -3164,7 +3159,13 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
svm->nested.intercept = nested_vmcb->control.intercept;
svm_flush_tlb(&svm->vcpu, true);
- svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
+
+ svm->vmcb->control.int_ctl &=
+ V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
+
+ svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl &
+ (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK);
+
if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
svm->vcpu.arch.hflags |= HF_VINTR_MASK;
else
--
2.30.2
next prev parent reply other threads:[~2021-08-24 17:31 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-24 17:03 [PATCH 4.14 00/64] 4.14.245-rc1 review Sasha Levin
2021-08-24 17:03 ` [PATCH 4.14 01/64] iio: humidity: hdc100x: Add margin to the conversion time Sasha Levin
2021-08-24 17:03 ` [PATCH 4.14 02/64] iio: adc: Fix incorrect exit of for-loop Sasha Levin
2021-08-24 17:03 ` [PATCH 4.14 03/64] ASoC: intel: atom: Fix reference to PCM buffer address Sasha Levin
2021-08-24 17:03 ` [PATCH 4.14 04/64] i2c: dev: zero out array used for i2c reads from userspace Sasha Levin
2021-08-24 17:03 ` [PATCH 4.14 05/64] ACPI: NFIT: Fix support for virtual SPA ranges Sasha Levin
2021-08-24 17:03 ` [PATCH 4.14 06/64] ASoC: cs42l42: Correct definition of ADC Volume control Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 07/64] ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 08/64] ASoC: cs42l42: Fix inversion of ADC Notch Switch control Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 09/64] ASoC: cs42l42: Remove duplicate control for WNF filter frequency Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 10/64] net: dsa: mt7530: add the missing RxUnicast MIB counter Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 11/64] ppp: Fix generating ifname when empty IFLA_IFNAME is specified Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 12/64] psample: Add a fwd declaration for skbuff Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 13/64] net: Fix memory leak in ieee802154_raw_deliver Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 14/64] net: bridge: fix memleak in br_add_if() Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 15/64] tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 16/64] xen/events: Fix race in set_evtchn_to_irq Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 17/64] vsock/virtio: avoid potential deadlock when vsock device remove Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 18/64] powerpc/kprobes: Fix kprobe Oops happens in booke Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 19/64] x86/tools: Fix objdump version check again Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 20/64] x86/resctrl: Fix default monitoring groups reporting Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 21/64] PCI/MSI: Enable and mask MSI-X early Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 22/64] PCI/MSI: Do not set invalid bits in MSI mask Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 23/64] PCI/MSI: Correct misleading comments Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 24/64] PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 25/64] PCI/MSI: Protect msi_desc::masked for multi-MSI Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 26/64] PCI/MSI: Mask all unused MSI-X entries Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 27/64] PCI/MSI: Enforce that MSI-X table entry is masked for update Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 28/64] PCI/MSI: Enforce MSI[X] entry updates to be visible Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 29/64] vmlinux.lds.h: Handle clang's module.{c,d}tor sections Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 30/64] mac80211: drop data frames without key on encrypted links Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 31/64] KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656) Sasha Levin
2021-08-24 17:04 ` Sasha Levin [this message]
2021-08-24 17:04 ` [PATCH 4.14 33/64] x86/fpu: Make init_fpstate correct with optimized XSAVE Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 34/64] ath: Use safer key clearing with key cache entries Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 35/64] ath9k: Clear key cache explicitly on disabling hardware Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 36/64] ath: Export ath_hw_keysetmac() Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 37/64] ath: Modify ath_key_delete() to not need full key entry Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 38/64] ath9k: Postpone key cache entry deletion for TXQ frames reference it Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 39/64] dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 40/64] ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218 Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 41/64] dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 42/64] scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 43/64] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 44/64] scsi: core: Avoid printing an error if target_alloc() returns -ENXIO Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 45/64] ARM: dts: nomadik: Fix up interrupt controller node names Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 46/64] net: usb: lan78xx: don't modify phy_device state concurrently Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 47/64] Bluetooth: hidp: use correct wait queue when removing ctrl_wait Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 48/64] dccp: add do-while-0 stubs for dccp_pr_debug macros Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 49/64] vhost: Fix the calculation in vhost_overflow() Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 50/64] bnxt: don't lock the tx queue from napi poll Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 51/64] net: 6pack: fix slab-out-of-bounds in decode_data Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 52/64] ptp_pch: Restore dependency on PCI Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 53/64] net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 54/64] net: mdio-mux: Don't ignore memory allocation errors Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 55/64] net: mdio-mux: Handle -EPROBE_DEFER correctly Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 56/64] mmc: dw_mmc: Fix hang on data CRC error Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 57/64] ALSA: hda - fix the 'Capture Switch' value change notifications Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 58/64] ipack: tpci200: fix many double free issues in tpci200_pci_probe Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 59/64] btrfs: prevent rename2 from exchanging a subvol with a directory from different parents Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 60/64] ASoC: intel: atom: Fix breakage for PCM buffer address setup Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 61/64] locks: print a warning when mount fails due to lack of "mand" support Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 62/64] fs: warn about impending deprecation of mandatory locks Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 63/64] netfilter: nft_exthdr: fix endianness of tcp option cast Sasha Levin
2021-08-24 17:04 ` [PATCH 4.14 64/64] Linux 4.14.245-rc1 Sasha Levin
2021-08-25 20:26 ` [PATCH 4.14 00/64] 4.14.245-rc1 review Guenter Roeck
2021-08-25 21:04 ` Daniel Díaz
2021-08-26 1:01 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210824170457.710623-33-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).