From: Shanker Donthineni <shankerd@codeaurora.org>
To: Marc Zyngier <marc.zyngier@arm.com>,
Christoffer Dall <christoffer.dall@linaro.org>
Cc: kvm <kvm@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>
Subject: [PATCH] arm64: KVM: Reject non-compliant HVC calls from guest kernel
Date: Mon, 7 Aug 2017 14:03:28 -0500
Message-ID: <1502132608-26077-1-git-send-email-shankerd@codeaurora.org>

The SMC/HVC instructions with a non-zero immediate value are not compliant
according to the 'SMC Calling Convention' system software document. Add a
validation check in handle_hvc() to avoid malicious HVC calls from the VM, and
inject an undefined instruction for those calls.
http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf
Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
---
arch/arm64/include/asm/esr.h | 4 ++++
arch/arm64/kvm/handle_exit.c | 12 +++++++-----
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/include/asm/esr.h b/arch/arm64/include/asm/esr.h
index 8cabd57..fa988e5 100644
--- a/arch/arm64/include/asm/esr.h
+++ b/arch/arm64/include/asm/esr.h
@@ -107,6 +107,9 @@
#define ESR_ELx_AR (UL(1) << 14)
#define ESR_ELx_CM (UL(1) << 8)
+/* ISS field definitions for HVC/SVC instruction execution traps */
+#define ESR_HVC_IMMEDIATE(esr) ((esr) & 0xFFFF)
+
/* ISS field definitions for exceptions taken in to Hyp */
#define ESR_ELx_CV (UL(1) << 24)
#define ESR_ELx_COND_SHIFT (20)
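Review bot: the new ESR_HVC_IMMEDIATE() macro at the top of this hunk duplicates ESR_ELx_xVC_IMM_MASK ((1UL << 16) - 1), which the next hunk shows is already defined a few lines further down in this same header for the same 16-bit ISS field; reuse that mask instead of adding a second 0xFFFF constant. The comment "ISS field definitions for HVC/SVC instruction execution traps" also does not match a macro named for HVC only, and the definition lands above the "exceptions taken in to Hyp" block rather than next to the existing xVC definitions it belongs with.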
@@ -114,6 +117,7 @@
#define ESR_ELx_WFx_ISS_WFE (UL(1) << 0)
#define ESR_ELx_xVC_IMM_MASK ((1UL << 16) - 1)
+
/* ESR value templates for specific events */
/* BRK instruction trap from AArch64 state */
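Review bot: this hunk adds nothing but a blank line after ESR_ELx_xVC_IMM_MASK, an unrelated whitespace change that should be dropped from a patch about HVC validation; if the header is touched at all, the change that belongs here is reusing this existing mask rather than introducing a new one in the previous hunk.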
diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c
index 17d8a16..a900dcd 100644
--- a/arch/arm64/kvm/handle_exit.c
+++ b/arch/arm64/kvm/handle_exit.c
@@ -42,13 +42,15 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
kvm_vcpu_hvc_get_imm(vcpu));
vcpu->stat.hvc_exit_stat++;
- ret = kvm_psci_call(vcpu);
- if (ret < 0) {
- kvm_inject_undefined(vcpu);
- return 1;
+ /* HVC immediate value must be zero for all compliant calls */
+ if (!ESR_HVC_IMMEDIATE(kvm_vcpu_get_hsr(vcpu))) {
+ ret = kvm_psci_call(vcpu);
+ if (ret >= 0)
+ return ret;
}
- return ret;
+ kvm_inject_undefined(vcpu);
+ return 1;
}
static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run)
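Review bot: the immediate is already read two lines above the changed region, via kvm_vcpu_hvc_get_imm(vcpu) in the trace call, so the new check on kvm_vcpu_get_hsr(vcpu) through a new macro can simply be `if (kvm_vcpu_hvc_get_imm(vcpu) != 0)` with no header change at all. Separately, the commit message speaks of SMC/HVC instructions but only handle_hvc() is changed, while handle_smc() in the trailing context keeps its current behaviour; either extend the same immediate check there or narrow the description to HVC. The restructured flow does preserve the old imm == 0 behaviour (a PSCI error still injects UNDEF and returns 1), which is fine.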
--
Qualcomm Datacenter Technologies, Inc. on behalf of the Qualcomm Technologies, Inc.
Qualcomm Technologies, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project.
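As an added illustration (not code from the patch or the kernel), the following model shows the ESR_EL2 decode behind the check and the three outcomes the patched handle_hvc() produces: a zero immediate reaches the PSCI dispatcher, a PSCI failure or a non-zero immediate yields an injected undefined instruction. The field offsets are the architectural ESR_ELx layout; the non-HVC guard and the `psci_ret` stand-in for kvm_psci_call()'s return value are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* ESR_ELx layout: EC in bits [31:26], IL in bit 25, ISS in bits [24:0].
 * For an HVC trap the 16-bit instruction immediate sits in ISS[15:0]. */
#define ESR_EC_SHIFT      26
#define ESR_EC_MASK       0x3Fu
#define ESR_EC_HVC32      0x12u
#define ESR_EC_HVC64      0x16u
#define ESR_XVC_IMM_MASK  0xFFFFu   /* same field as ESR_ELx_xVC_IMM_MASK */

enum hvc_action { HVC_UNDEF = 0, HVC_PSCI = 1 };

/* Models the post-patch control flow of handle_hvc(). psci_ret stands in
 * for kvm_psci_call() (assumption: a negative value means failure).
 * *handler_ret receives what the exit handler would return to KVM. */
static enum hvc_action hvc_dispatch(uint32_t esr, int psci_ret, int *handler_ret)
{
    uint32_t ec  = (esr >> ESR_EC_SHIFT) & ESR_EC_MASK;
    uint32_t imm = esr & ESR_XVC_IMM_MASK;

    /* Guard added for this model: the kernel only routes HVC traps here. */
    if (ec != ESR_EC_HVC32 && ec != ESR_EC_HVC64) {
        *handler_ret = -1;
        return HVC_UNDEF;
    }
    /* Compliant call: immediate is zero and the PSCI handler succeeded. */
    if (imm == 0 && psci_ret >= 0) {
        *handler_ret = psci_ret;
        return HVC_PSCI;
    }
    /* Non-zero immediate or PSCI error: kvm_inject_undefined(); return 1 */
    *handler_ret = 1;
    return HVC_UNDEF;
}

/* Constructed ESR_EL2 value for an AArch64 HVC #imm trap (IL bit set). */
static uint32_t make_hvc64_esr(uint16_t imm)
{
    return (ESR_EC_HVC64 << ESR_EC_SHIFT) | (1u << 25) | imm;
}

int main(void)
{
    int r;
    enum hvc_action a = hvc_dispatch(make_hvc64_esr(0), 1, &r);
    printf("imm=0      -> %s ret=%d\n", a == HVC_PSCI ? "psci" : "undef", r);
    a = hvc_dispatch(make_hvc64_esr(0x1234), 1, &r);
    printf("imm=0x1234 -> %s ret=%d\n", a == HVC_PSCI ? "psci" : "undef", r);
    return 0;
}
```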