From f290af2cd5b1735f1dc96b5b9ad9c22da4541be1 Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov
Date: Wed, 18 Aug 2021 17:35:22 +0200
Subject: [PATCH] cherry-pick fixes for CVE-2021-3653 and CVE-2021-3656 from ubuntu-focal upstream/master-next
Signed-off-by: Stoiko Ivanov
Signed-off-by: Wolfgang Bumiller
---
 ...-nSVM-always-intercept-VMLOAD-VMSAVE.patch | 45 ++++++++++
 ...icking-up-unsupported-bits-from-L2-i.patch | 82 +++++++++++++++++++
 2 files changed, 127 insertions(+)
 create mode 100644 patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch
 create mode 100644 patches/kernel/0009-KVM-nSVM-avoid-picking-up-unsupported-bits-from-L2-i.patch
diff --git a/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch b/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch
new file mode 100644
index 0000000..0f6a1bf
--- /dev/null
+++ b/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky
+Date: Thu, 29 Jul 2021 18:37:38 +0300
+Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when
+ nested
+
+If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
+Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
+then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
+possible by making L0 intercept these instructions.
+
+Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
+and thus read/write portions of the host physical memory.
+
+This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and
+Paolo Bonzini.
+
+Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
+Signed-off-by: Maxim Levitsky
+Signed-off-by: Paolo Bonzini
+CVE-2021-3656
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Stefan Bader
+Acked-by: Ben Romer
+Signed-off-by: Stefan Bader
+(cherry picked from commit 001ba8ebae0d2489b3e671b231daed4ad6f558d2)
+Signed-off-by: Stoiko Ivanov
+---
+ arch/x86/kvm/svm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index be8a017be58b..3b1b57521d8b 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -516,6 +516,9 @@ static void recalc_intercepts(struct vcpu_svm *svm)
+ c->intercept_dr = h->intercept_dr | g->intercept_dr;
+ c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
+ c->intercept = h->intercept | g->intercept;
++
++ c->intercept |= (1ULL << INTERCEPT_VMLOAD);
++ c->intercept |= (1ULL << INTERCEPT_VMSAVE);
+ }
+
+ static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)
diff --git a/patches/kernel/0009-KVM-nSVM-avoid-picking-up-unsupported-bits-from-L2-i.patch b/patches/kernel/0009-KVM-nSVM-avoid-picking-up-unsupported-bits-from-L2-i.patch
new file mode 100644
index 0000000..f41d4dd
--- /dev/null
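Review bot: The two added `c->intercept |= (1ULL << INTERCEPT_VMLOAD);` and `c->intercept |= (1ULL << INTERCEPT_VMSAVE);` lines in recalc_intercepts override whatever L1 chose without a comment, so the reason survives only in the patch description and a later reader of svm.c will see an arbitrary override. Add above them `/* Virtual VMLOAD/VMSAVE is not supported for the nested hypervisor, so L0 must always intercept these instructions while nested (CVE-2021-3656). */`. As far as the context shows, the bits are ORed into the merged control area after `c->intercept = h->intercept | g->intercept;` and `g->intercept` itself is left untouched, which looks intended so that L1's view of its own intercepts is unchanged; it is worth confirming that nothing re-derives `c->intercept` from `g` without passing through this function. recalc_intercepts begins outside the inner hunk; only its name appears in the `@@` header.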
+++ b/patches/kernel/0009-KVM-nSVM-avoid-picking-up-unsupported-bits-from-L2-i.patch 
@@ -0,0 +1,82 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky
+Date: Mon, 16 Aug 2021 22:06:00 +0200
+Subject: [PATCH] KVM: nSVM: avoid picking up unsupported bits from L2 in
+ int_ctl (CVE-2021-3653)
+
+BugLink: https://bugs.launchpad.net/bugs/1940134
+
+commit 0f923e07124df069ba68d8bb12324398f4b6b709 upstream.
+
+* Invert the mask of bits that we pick from L2 in
+ nested_vmcb02_prepare_control
+
+* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
+
+This fixes a security issue that allowed a malicious L1 to run L2 with
+AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
+AVIC to read/write the host physical memory at some offsets.
+
+Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
+Signed-off-by: Maxim Levitsky
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+(cherry picked from commit 4d9059df57cb3b8ff07cea55ba439fa3c846ef80 linux-5.4.y)
+CVE-2021-3653
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Kamal Mostafa
+Acked-by: Ian May
+Signed-off-by: Stefan Bader
+(cherry picked from commit 47aa9272b0ff29c845179e60ecf8cb7a8375b346)
+Signed-off-by: Stoiko Ivanov
+---
+ arch/x86/include/asm/svm.h | 2 ++
+ arch/x86/kvm/svm.c | 15 ++++++++-------
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
+index 6ece8561ba66..c29d8fb0ffbe 100644
+--- a/arch/x86/include/asm/svm.h
++++ b/arch/x86/include/asm/svm.h
+@@ -119,6 +119,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
+ #define V_IGN_TPR_SHIFT 20
+ #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
+
++#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
++
+ #define V_INTR_MASKING_SHIFT 24
+ #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 3b1b57521d8b..4f2e4bc4b33b 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1446,12 +1446,7 @@ static __init int svm_hardware_setup(void)
+ }
+ }
+
+- if (vgif) {
+- if (!boot_cpu_has(X86_FEATURE_VGIF))
+- vgif = false;
+- else
+- pr_info("Virtual GIF supported\n");
+- }
++ vgif = false; /* Disabled for CVE-2021-3653 */
+
+ return 0;
+
+@@ -3601,7 +3596,13 @@ static void enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb_gpa,
+ svm->nested.intercept = nested_vmcb->control.intercept;
+
+ svm_flush_tlb(&svm->vcpu, true);
+- svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
++
++ svm->vmcb->control.int_ctl &=
++ V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
++
++ svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl &
++ (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK);
++
+ if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
+ svm->vcpu.arch.hflags |= HF_VINTR_MASK;
+ else
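Review bot: The replacement `vgif = false; /* Disabled for CVE-2021-3653 */` in svm_hardware_setup turns the `vgif` module parameter into a silent no-op: the removed branch printed `pr_info("Virtual GIF supported\n")` when the CPU had the feature, and nothing now tells an administrator who enabled it that it is forced off. A one-line `pr_info("Virtual GIF disabled (CVE-2021-3653)\n");` next to the assignment, or a comment stating that the parameter is ignored and why vGIF cannot coexist with the new int_ctl handling, would make the behaviour visible. The patch description also keeps the bullet `* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr`, yet the inner diffstat (svm.h +2, svm.c 8+/7-) and the two svm.c hunks contain no svm_clear_vintr change, so that bullet describes the mainline commit rather than this backport and deserves a backport note saying so. Both svm_hardware_setup and enter_svm_guest_mode begin and end outside the inner hunks.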