f290af2cd5
from ubuntu-focal upstream/master-next Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
83 lines
3.0 KiB
Diff
83 lines
3.0 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Maxim Levitsky <mlevitsk@redhat.com>
|
|
Date: Mon, 16 Aug 2021 22:06:00 +0200
|
|
Subject: [PATCH] KVM: nSVM: avoid picking up unsupported bits from L2 in
|
|
int_ctl (CVE-2021-3653)
|
|
|
|
BugLink: https://bugs.launchpad.net/bugs/1940134
|
|
|
|
commit 0f923e07124df069ba68d8bb12324398f4b6b709 upstream.
|
|
|
|
* Invert the mask of bits that we pick from L2 in
|
|
nested_vmcb02_prepare_control
|
|
|
|
* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
|
|
|
|
This fixes a security issue that allowed a malicious L1 to run L2 with
|
|
AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
|
|
AVIC to read/write the host physical memory at some offsets.
|
|
|
|
Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
|
|
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
(cherry picked from commit 4d9059df57cb3b8ff07cea55ba439fa3c846ef80 linux-5.4.y)
|
|
CVE-2021-3653
|
|
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
|
Acked-by: Kamal Mostafa <kamal@canonical.com>
|
|
Acked-by: Ian May <ian.may@canonical.com>
|
|
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
|
|
(cherry picked from commit 47aa9272b0ff29c845179e60ecf8cb7a8375b346)
|
|
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
|
|
---
|
|
arch/x86/include/asm/svm.h | 2 ++
|
|
arch/x86/kvm/svm.c | 15 ++++++++-------
|
|
2 files changed, 10 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
|
|
index 6ece8561ba66..c29d8fb0ffbe 100644
|
|
--- a/arch/x86/include/asm/svm.h
|
|
+++ b/arch/x86/include/asm/svm.h
|
|
@@ -119,6 +119,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area {
|
|
#define V_IGN_TPR_SHIFT 20
|
|
#define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
|
|
|
|
+#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
|
|
+
|
|
#define V_INTR_MASKING_SHIFT 24
|
|
#define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
|
|
|
|
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
|
|
index 3b1b57521d8b..4f2e4bc4b33b 100644
|
|
--- a/arch/x86/kvm/svm.c
|
|
+++ b/arch/x86/kvm/svm.c
|
|
@@ -1446,12 +1446,7 @@ static __init int svm_hardware_setup(void)
|
|
}
|
|
}
|
|
|
|
- if (vgif) {
|
|
- if (!boot_cpu_has(X86_FEATURE_VGIF))
|
|
- vgif = false;
|
|
- else
|
|
- pr_info("Virtual GIF supported\n");
|
|
- }
|
|
+ vgif = false; /* Disabled for CVE-2021-3653 */
|
|
|
|
return 0;
|
|
|
|
@@ -3601,7 +3596,13 @@ static void enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb_gpa,
|
|
svm->nested.intercept = nested_vmcb->control.intercept;
|
|
|
|
svm_flush_tlb(&svm->vcpu, true);
|
|
- svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
|
|
+
|
|
+ svm->vmcb->control.int_ctl &=
|
|
+ V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
|
|
+
|
|
+ svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl &
|
|
+ (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK);
|
|
+
|
|
if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
|
|
svm->vcpu.arch.hflags |= HF_VINTR_MASK;
|
|
else
|