diff mbox series

[4.14.y] KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)

Message ID 20210816140240.11399-8-pbonzini@redhat.com
State Superseded
Headers show
Series [4.14.y] KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656) | expand

Commit Message

Paolo Bonzini Aug. 16, 2021, 2:02 p.m. UTC 
From: Maxim Levitsky <mlevitsk@redhat.com>

[ upstream commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc ]

If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
possible by making L0 intercept these instructions.

Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
and thus read/write portions of the host physical memory.

Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
	The above upstream SHA1 is still on its way to Linus

 arch/x86/kvm/svm.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Paolo Bonzini Aug. 16, 2021, 2:42 p.m. UTC | #1 
On 16/08/21 16:26, Greg KH wrote:
>>
>> [ upstream commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc ]
> 
> This is not a commit in Linus's tree:(

Not yet, that was remarked further down in the message.  I sent the 
stable patches at the same time as the embargo lifted.

Paolo
diff mbox series

Patch

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 0dfd0af61a29..439aecbbdd1e 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -389,6 +389,9 @@  static void recalc_intercepts(struct vcpu_svm *svm)
 	c->intercept_dr = h->intercept_dr | g->intercept_dr;
 	c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
 	c->intercept = h->intercept | g->intercept;
+
+	c->intercept |= (1ULL << INTERCEPT_VMLOAD);
+	c->intercept |= (1ULL << INTERCEPT_VMSAVE);
 }
 
 static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)