From: sashiko-bot@kernel.org
To: "Fuad Tabba" <tabba@google.com>
Cc: "Oliver Upton" <oupton@kernel.org>,
kvmarm@lists.linux.dev, "Marc Zyngier" <maz@kernel.org>
Subject: Re: [PATCH 6/8] KVM: arm64: Minimise EL2's exposure of host VGIC state during world switch
Date: Fri, 19 Jun 2026 07:22:38 +0000 [thread overview]
Message-ID: <20260619072238.CBAD51F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260619070508.802802-7-tabba@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Missing trust boundary validation for host-provided pointers in several hypercalls (`handle___vgic_v5_save_apr`, `handle___vgic_v5_restore_vmcr_apr`, `handle___kvm_adjust_pc`, `handle___kvm_tlb_flush_vmid_ipa`), leading to arbitrary EL2 memory dereference.
--
commit 5fa49efc0aabdcdf925969737165624792f92f6c
Author: Marc Zyngier <maz@kernel.org>
KVM: arm64: Minimise EL2's exposure of host VGIC state during world switch
This patch minimises EL2's exposure of host VGIC state by recovering the host
vCPU from the supplied cpu_if via container_of() and copying only the
necessary registers. This avoids directly dereferencing the host's
vgic_v3_cpu_if pointer.
> diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
[ ... ]
> static void handle___kvm_adjust_pc(struct kvm_cpu_context *host_ctxt)
> {
> DECLARE_REG(struct kvm_vcpu *, vcpu, host_ctxt, 1);
>
> __kvm_adjust_pc(kern_hyp_va(vcpu));
> }
[Severity: Critical]
This is a pre-existing issue, but while this patch fixes the trust boundary
for the VGIC v3 aprs hypercalls, other always-on hypercalls like
handle___kvm_adjust_pc() still unconditionally use kern_hyp_va() on
host-provided pointers.
Can a malicious host provide a crafted EL2 linear-map pointer (for example,
the address of a protected VM's vCPU) here? Since kern_hyp_va() is idempotent
for linear-map objects, it leaves the pointer as-is.
This would allow the host to dereference this pointer, potentially modifying
protected guest state via __kvm_adjust_pc() and bypassing pKVM isolation.
[ ... ]
> static void handle___kvm_tlb_flush_vmid_ipa(struct kvm_cpu_context *host_ctxt)
> {
> DECLARE_REG(struct kvm_s2_mmu *, mmu, host_ctxt, 1);
> DECLARE_REG(phys_addr_t, ipa, host_ctxt, 2);
> DECLARE_REG(int, level, host_ctxt, 3);
>
> __kvm_tlb_flush_vmid_ipa(kern_hyp_va(mmu), ipa, level);
> }
[Severity: Critical]
This is a pre-existing issue, but similar to the above, does this allow
the host to pass a crafted mmu pointer?
If kern_hyp_va() leaves an EL2 linear-map pointer untouched, could the host
use this to load arbitrary values into hardware registers like VTTBR_EL2 via
__kvm_tlb_flush_vmid_ipa()?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260619070508.802802-1-tabba@google.com?part=6
next prev parent reply other threads:[~2026-06-19 7:22 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 7:05 [PATCH 0/8] KVM: arm64: Rework pKVM vCPU state synchronisation Fuad Tabba
2026-06-19 7:05 ` [PATCH 1/8] KVM: arm64: Extract MPIDR computation into a shared header Fuad Tabba
2026-06-19 7:05 ` [PATCH 2/8] KVM: arm64: Make vcpu_{read,write}_sys_reg available to HYP code Fuad Tabba
2026-06-19 7:05 ` [PATCH 3/8] KVM: arm64: Factor out reusable vCPU reset helpers Fuad Tabba
2026-06-19 7:05 ` [PATCH 4/8] KVM: arm64: Move PSCI helper functions to a shared header Fuad Tabba
2026-06-19 7:16 ` sashiko-bot
2026-06-19 7:24 ` Fuad Tabba
2026-06-19 7:05 ` [PATCH 5/8] KVM: arm64: Add host and hypervisor vCPU lookup primitives Fuad Tabba
2026-06-19 7:05 ` [PATCH 6/8] KVM: arm64: Minimise EL2's exposure of host VGIC state during world switch Fuad Tabba
2026-06-19 7:22 ` sashiko-bot [this message]
2026-06-19 7:29 ` Fuad Tabba
2026-06-19 7:05 ` [PATCH 7/8] KVM: arm64: Add primitives to flush/sync the VGIC state at EL2 Fuad Tabba
2026-06-19 7:05 ` [PATCH 8/8] KVM: arm64: Implement lazy vCPU state sync for non-protected guests Fuad Tabba
2026-06-19 7:24 ` sashiko-bot
2026-06-19 7:55 ` Fuad Tabba
2026-06-19 7:06 ` [PATCH 0/8] KVM: arm64: Rework pKVM vCPU state synchronisation Fuad Tabba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619072238.CBAD51F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=maz@kernel.org \
--cc=oupton@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tabba@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.