cherry-pick fixes for CVE-2021-3653 and CVE-2021-3656

from ubuntu-focal upstream/master-next Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-08-18 17:35:22 +02:00 · 2021-08-18 17:35:22 +02:00 · f290af2cd5
commit f290af2cd5
parent 916656976b
2 changed files with 127 additions and 0 deletions
--- a/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch
+++ b/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch
@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky <mlevitsk@redhat.com>
+Date: Thu, 29 Jul 2021 18:37:38 +0300
+Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when
+ nested
+
+If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
+Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
+then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
+possible by making L0 intercept these instructions.
+
+Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
+and thus read/write portions of the host physical memory.
+
+This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and
+Paolo Bonzini.
+
+Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+CVE-2021-3656
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Acked-by: Stefan Bader <stefan.bader@canonical.com>
+Acked-by: Ben Romer <benjamin.romer@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+(cherry picked from commit 001ba8ebae0d2489b3e671b231daed4ad6f558d2)
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ arch/x86/kvm/svm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index be8a017be58b..3b1b57521d8b 100644
+--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
+@@ -516,6 +516,9 @@ static void recalc_intercepts(struct vcpu_svm *svm)
+ 	c->intercept_dr = h->intercept_dr | g->intercept_dr;
+ 	c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
+ 	c->intercept = h->intercept | g->intercept;
+
+	c->intercept |= (1ULL << INTERCEPT_VMLOAD);
+	c->intercept |= (1ULL << INTERCEPT_VMSAVE);
+ }
+ 
+ static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)
--- a/patches/kernel/0009-KVM-nSVM-avoid-picking-up-unsupported-bits-from-L2-i.patch
+++ b/patches/kernel/0009-KVM-nSVM-avoid-picking-up-unsupported-bits-from-L2-i.patch
@ -0,0 +1,82 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky <mlevitsk@redhat.com>
+Date: Mon, 16 Aug 2021 22:06:00 +0200
+Subject: [PATCH] KVM: nSVM: avoid picking up unsupported bits from L2 in
+ int_ctl (CVE-2021-3653)
+
+BugLink: https://bugs.launchpad.net/bugs/1940134
+
+commit 0f923e07124df069ba68d8bb12324398f4b6b709 upstream.
+
+* Invert the mask of bits that we pick from L2 in
+  nested_vmcb02_prepare_control
+
+* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
+
+This fixes a security issue that allowed a malicious L1 to run L2 with
+AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
+AVIC to read/write the host physical memory at some offsets.
+
+Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+(cherry picked from commit 4d9059df57cb3b8ff07cea55ba439fa3c846ef80 linux-5.4.y)
+CVE-2021-3653
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Acked-by: Kamal Mostafa <kamal@canonical.com>
+Acked-by: Ian May <ian.may@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+(cherry picked from commit 47aa9272b0ff29c845179e60ecf8cb7a8375b346)
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ arch/x86/include/asm/svm.h |  2 ++
+ arch/x86/kvm/svm.c         | 15 ++++++++-------
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
+index 6ece8561ba66..c29d8fb0ffbe 100644
+--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
+@@ -119,6 +119,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
+ #define V_IGN_TPR_SHIFT 20
+ #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
+ 
+#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
+
+ #define V_INTR_MASKING_SHIFT 24
+ #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
+ 
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 3b1b57521d8b..4f2e4bc4b33b 100644
+--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
+@@ -1446,12 +1446,7 @@ static __init int svm_hardware_setup(void)
+ 		}
+ 	}
+ 
+-	if (vgif) {
+-		if (!boot_cpu_has(X86_FEATURE_VGIF))
+-			vgif = false;
+-		else
+-			pr_info("Virtual GIF supported\n");
+-	}
+	vgif = false; /* Disabled for CVE-2021-3653 */
+ 
+ 	return 0;
+ 
+@@ -3601,7 +3596,13 @@ static void enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb_gpa,
+ 	svm->nested.intercept            = nested_vmcb->control.intercept;
+ 
+ 	svm_flush_tlb(&svm->vcpu, true);
+-	svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
+
+	svm->vmcb->control.int_ctl &=
+			V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
+
+	svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl &
+			(V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK);
+
+ 	if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
+ 		svm->vcpu.arch.hflags |= HF_VINTR_MASK;
+ 	else