From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Krish Sadhukhan <krish.sadhukhan@oracle.com>,
Sean Christopherson <sean.j.christopherson@intel.com>
Subject: [PATCH 09/23] KVM: nSVM: Add missing checks for reserved bits to svm_set_nested_state()
Date: Tue, 2 Mar 2021 14:33:29 -0500 [thread overview]
Message-ID: <20210302193343.313318-10-pbonzini@redhat.com> (raw)
In-Reply-To: <20210302193343.313318-1-pbonzini@redhat.com>
From: Krish Sadhukhan <krish.sadhukhan@oracle.com>
The path for SVM_SET_NESTED_STATE needs to have the same checks for the CPU
registers, as we have in the VMRUN path for a nested guest. This patch adds
those missing checks to svm_set_nested_state().
Suggested-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Message-Id: <20201006190654.32305-3-krish.sadhukhan@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/svm/nested.c | 54 ++++++++++++++++++++++++++++-----------
1 file changed, 39 insertions(+), 15 deletions(-)
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 585b5aa1914f..cadf776f58f7 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -246,29 +246,51 @@ static bool nested_vmcb_check_controls(struct vmcb_control_area *control)
return true;
}
-static bool nested_vmcb_checks(struct vcpu_svm *svm, struct vmcb *vmcb12)
+static bool nested_vmcb_check_cr3_cr4(struct vcpu_svm *svm,
+ struct vmcb_save_area *save)
{
struct kvm_vcpu *vcpu = &svm->vcpu;
- bool vmcb12_lma;
- if ((vmcb12->save.efer & EFER_SVME) == 0)
+ /*
+ * These checks are also performed by KVM_SET_SREGS,
+ * except that EFER.LMA is not checked by SVM against
+ * CR0.PG && EFER.LME.
+ */
+ if ((save->efer & EFER_LME) && (save->cr0 & X86_CR0_PG)) {
+ if (!(save->cr4 & X86_CR4_PAE) || !(save->cr0 & X86_CR0_PE) ||
+ kvm_vcpu_is_illegal_gpa(vcpu, save->cr3))
+ return false;
+ }
+
+ return kvm_is_valid_cr4(&svm->vcpu, save->cr4);
+}
+
+/* Common checks that apply to both L1 and L2 state. */
+static bool nested_vmcb_valid_sregs(struct vcpu_svm *svm,
+ struct vmcb_save_area *save)
+{
+ if (!(save->efer & EFER_SVME))
return false;
- if (((vmcb12->save.cr0 & X86_CR0_CD) == 0) && (vmcb12->save.cr0 & X86_CR0_NW))
+ if (((save->cr0 & X86_CR0_CD) == 0 && (save->cr0 & X86_CR0_NW)) ||
+ (save->cr0 & ~0xffffffffULL))
return false;
- if (!kvm_dr6_valid(vmcb12->save.dr6) || !kvm_dr7_valid(vmcb12->save.dr7))
+ if (!kvm_dr6_valid(save->dr6) || !kvm_dr7_valid(save->dr7))
return false;
- vmcb12_lma = (vmcb12->save.efer & EFER_LME) && (vmcb12->save.cr0 & X86_CR0_PG);
+ if (!nested_vmcb_check_cr3_cr4(svm, save))
+ return false;
- if (vmcb12_lma) {
- if (!(vmcb12->save.cr4 & X86_CR4_PAE) ||
- !(vmcb12->save.cr0 & X86_CR0_PE) ||
- kvm_vcpu_is_illegal_gpa(vcpu, vmcb12->save.cr3))
- return false;
- }
- if (!kvm_is_valid_cr4(&svm->vcpu, vmcb12->save.cr4))
+ if (!kvm_valid_efer(&svm->vcpu, save->efer))
+ return false;
+
+ return true;
+}
+
+static bool nested_vmcb_checks(struct vcpu_svm *svm, struct vmcb *vmcb12)
+{
+ if (!nested_vmcb_valid_sregs(svm, &vmcb12->save))
return false;
return nested_vmcb_check_controls(&vmcb12->control);
@@ -1232,9 +1254,11 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu,
/*
* Validate host state saved from before VMRUN (see
* nested_svm_check_permissions).
- * TODO: validate reserved bits for all saved state.
*/
- if (!(save->cr0 & X86_CR0_PG))
+ if (!(save->cr0 & X86_CR0_PG) ||
+ !(save->cr0 & X86_CR0_PE) ||
+ (save->rflags & X86_EFLAGS_VM) ||
+ !nested_vmcb_valid_sregs(svm, save))
goto out_free;
/*
--
2.26.2
next prev parent reply other threads:[~2021-03-02 22:37 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-02 19:33 [PATCH 00/23] SVM queue for 5.13 Paolo Bonzini
2021-03-02 19:33 ` [PATCH 01/23] KVM: SVM: Use a separate vmcb for the nested L2 guest Paolo Bonzini
2021-03-02 19:33 ` [PATCH 02/23] KVM: nSVM: Track the physical cpu of the vmcb vmrun through the vmcb Paolo Bonzini
2021-03-02 19:33 ` [PATCH 03/23] KVM: nSVM: Track the ASID generation " Paolo Bonzini
2021-03-02 19:33 ` [PATCH 04/23] KVM: nSVM: rename functions and variables according to vmcbXY nomenclature Paolo Bonzini
2021-03-02 19:33 ` [PATCH 05/23] KVM: nSVM: do not copy vmcb01->control blindly to vmcb02->control Paolo Bonzini
2021-03-02 19:33 ` [PATCH 06/23] KVM: nSVM: do not mark all VMCB01 fields dirty on nested vmexit Paolo Bonzini
2021-03-02 19:33 ` [PATCH 07/23] KVM: nSVM: do not mark all VMCB02 " Paolo Bonzini
2021-03-02 19:33 ` [PATCH 08/23] KVM: nSVM: only copy L1 non-VMLOAD/VMSAVE data in svm_set_nested_state() Paolo Bonzini
2021-03-02 19:33 ` Paolo Bonzini [this message]
2021-03-02 19:33 ` [PATCH 10/23] KVM: x86: Move nVMX's consistency check macro to common code Paolo Bonzini
2021-03-02 19:33 ` [PATCH 11/23] KVM: nSVM: Trace VM-Enter consistency check failures Paolo Bonzini
2021-03-02 19:33 ` [PATCH 12/23] KVM: SVM: merge update_cr0_intercept into svm_set_cr0 Paolo Bonzini
2021-03-02 19:33 ` [PATCH 13/23] KVM: SVM: Pass struct kvm_vcpu to exit handlers (and many, many other places) Paolo Bonzini
2021-03-02 19:33 ` [PATCH 14/23] KVM: nSVM: Add VMLOAD/VMSAVE helper to deduplicate code Paolo Bonzini
2021-03-02 19:33 ` [PATCH 15/23] KVM: x86: Move XSETBV emulation to common code Paolo Bonzini
2021-03-02 19:33 ` [PATCH 16/23] KVM: x86: Move trivial instruction-based exit handlers " Paolo Bonzini
2021-03-02 19:33 ` [PATCH 17/23] KVM: x86: Move RDPMC emulation " Paolo Bonzini
2021-03-02 19:33 ` [PATCH 18/23] KVM: SVM: Don't manually emulate RDPMC if nrips=0 Paolo Bonzini
2021-03-02 19:33 ` [PATCH 19/23] KVM: SVM: Skip intercepted PAUSE instructions after emulation Paolo Bonzini
2021-03-02 19:33 ` [PATCH 20/23] KVM: SVM: move VMLOAD/VMSAVE to C code Paolo Bonzini
2021-03-02 19:33 ` [PATCH 21/23] KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state Paolo Bonzini
2021-03-02 19:33 ` [PATCH 22/23] x86/cpufeatures: Add the Virtual SPEC_CTRL feature Paolo Bonzini
2021-03-02 19:33 ` [PATCH 23/23] KVM: SVM: Add support for Virtual SPEC_CTRL Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210302193343.313318-10-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=krish.sadhukhan@oracle.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sean.j.christopherson@intel.com \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).