diff --git a/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-avoid-picking-up-unsupported-b.patch b/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-avoid-picking-up-unsupported-b.patch new file mode 100644 index 0000000..696a17f --- /dev/null +++ b/patches/kernel/0008-UBUNTU-SAUCE-KVM-nSVM-avoid-picking-up-unsupported-b.patch @@ -0,0 +1,96 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Maxim Levitsky +Date: Thu, 29 Jul 2021 17:54:04 +0300 +Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits + from L2 in int_ctl + +This fixes CVE-2021-3653 that allowed a malicious L1 to run L2 with +AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled +AVIC to read/write the host physical memory at some offsets. + +The bug was discovered by Maxim Levitsky. + +Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler") +Signed-off-by: Maxim Levitsky +Signed-off-by: Paolo Bonzini +CVE-2021-3653 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Stefan Bader +Acked-by: Ben Romer +Signed-off-by: Stefan Bader +(cherry picked from commit d4c8d125f361e6aef5d58490672f7efa83dab257) +Signed-off-by: Stoiko Ivanov +--- + arch/x86/include/asm/svm.h | 2 ++ + arch/x86/kvm/svm/nested.c | 11 +++++++---- + arch/x86/kvm/svm/svm.c | 8 ++++---- + 3 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h +index 1c561945b426..6278111bbf97 100644 +--- a/arch/x86/include/asm/svm.h ++++ b/arch/x86/include/asm/svm.h +@@ -178,6 +178,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area { + #define V_IGN_TPR_SHIFT 20 + #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT) + ++#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK) ++ + #define V_INTR_MASKING_SHIFT 24 + #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT) + +diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c +index 0b3bf6e2aeb9..049d3cbbee5a 100644 +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -429,7 +429,10 @@ static void nested_prepare_vmcb_save(struct vcpu_svm *svm, struct vmcb *vmcb12) + + static void nested_prepare_vmcb_control(struct vcpu_svm *svm) + { +- const u32 mask = V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK; ++ const u32 int_ctl_vmcb01_bits = ++ V_INTR_MASKING_MASK | V_GIF_MASK | V_GIF_ENABLE_MASK; ++ ++ const u32 int_ctl_vmcb12_bits = V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK; + + if (nested_npt_enabled(svm)) + nested_svm_init_mmu_context(&svm->vcpu); +@@ -437,9 +440,9 @@ static void nested_prepare_vmcb_control(struct vcpu_svm *svm) + svm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset = + svm->vcpu.arch.l1_tsc_offset + svm->nested.ctl.tsc_offset; + +- svm->vmcb->control.int_ctl = +- (svm->nested.ctl.int_ctl & ~mask) | +- (svm->nested.hsave->control.int_ctl & mask); ++ svm->vmcb->control.int_ctl = ++ (svm->nested.ctl.int_ctl & int_ctl_vmcb12_bits) | ++ (svm->nested.hsave->control.int_ctl & int_ctl_vmcb01_bits); + + svm->vmcb->control.virt_ext = svm->nested.ctl.virt_ext; + svm->vmcb->control.int_vector = svm->nested.ctl.int_vector; +diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c +index 786c0eb8bd29..b676386f877e 100644 +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -1547,17 +1547,17 @@ static void svm_set_vintr(struct vcpu_svm *svm) + + static void svm_clear_vintr(struct vcpu_svm *svm) + { +- const u32 mask = V_TPR_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK | V_INTR_MASKING_MASK; + svm_clr_intercept(svm, INTERCEPT_VINTR); + + /* Drop int_ctl fields related to VINTR injection. */ +- svm->vmcb->control.int_ctl &= mask; ++ svm->vmcb->control.int_ctl &= ~V_IRQ_INJECTION_BITS_MASK; + if (is_guest_mode(&svm->vcpu)) { +- svm->nested.hsave->control.int_ctl &= mask; ++ svm->nested.hsave->control.int_ctl &= ~V_IRQ_INJECTION_BITS_MASK; + + WARN_ON((svm->vmcb->control.int_ctl & V_TPR_MASK) != + (svm->nested.ctl.int_ctl & V_TPR_MASK)); +- svm->vmcb->control.int_ctl |= svm->nested.ctl.int_ctl & ~mask; ++ svm->vmcb->control.int_ctl |= svm->nested.ctl.int_ctl & ++ V_IRQ_INJECTION_BITS_MASK; + } + + vmcb_mark_dirty(svm->vmcb, VMCB_INTR); diff --git a/patches/kernel/0009-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch b/patches/kernel/0009-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch new file mode 100644 index 0000000..48f3c30 --- /dev/null +++ b/patches/kernel/0009-UBUNTU-SAUCE-KVM-nSVM-always-intercept-VMLOAD-VMSAVE.patch @@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Maxim Levitsky +Date: Thu, 29 Jul 2021 18:37:38 +0300 +Subject: [PATCH] UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when + nested + +If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable +Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor), +then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only +possible by making L0 intercept these instructions. + +Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted, +and thus read/write portions of the host physical memory. + +This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and +Paolo Bonzini. + +Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature") +Signed-off-by: Maxim Levitsky +Signed-off-by: Paolo Bonzini +CVE-2021-3656 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Stefan Bader +Acked-by: Ben Romer +Signed-off-by: Stefan Bader +(cherry picked from commit 7e23c00e809c1669676363962e2ef9df1bd2840b) +Signed-off-by: Stoiko Ivanov +--- + arch/x86/kvm/svm/nested.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c +index 049d3cbbee5a..3bd5c7d6716e 100644 +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -147,6 +147,9 @@ void recalc_intercepts(struct vcpu_svm *svm) + + for (i = 0; i < MAX_INTERCEPT; i++) + c->intercepts[i] |= g->intercepts[i]; ++ ++ vmcb_set_intercept(c, INTERCEPT_VMLOAD); ++ vmcb_set_intercept(c, INTERCEPT_VMSAVE); + } + + static void copy_vmcb_control_area(struct vmcb_control_area *dst,