Re: [PATCH 7.2-based 01/19] KVM: x86/hyperv: remove unnecessary mmu_is_nested() check

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] When an L2 guest issues a slow Hyper-V flush hypercall without nEPT/nNPT enabled, the commit fails to translate the L2 GPA or return an error, instead interpreting the untranslated L2-provided GPA as an L1 GPA. This allows the L2 guest to read arbitrary L1 memory for hypercall parameters.
- [High] When translating an L2 GPA to an L1 GPA for slow Hyper-V hypercalls, KVM translates only the base address (`hc->ingpa`) and then reads contiguous L1 physical memory. It fails to apply L2's nested EPT (nEPT) mappings for subsequent pages if the hypercall input data crosses an L2 page boundary, leaking out-of-bounds L1 memory.
--

commit 5644e8b1976b85a1ec2e9308b24a274e70825283
Author: Paolo Bonzini <pbonzini@redhat.com>

KVM: x86/hyperv: remove unnecessary mmu_is_nested() check

This commit simplifies kvm_hv_flush_tlb() by using kvm_translate_gpa()
instead of calling translate_nested_gpa() directly. This addresses the
nEPT/nNPT check in slow flush hypercalls.

> diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
> index fd4eb1e561f7f..0b5050cccab4d 100644
> --- a/arch/x86/kvm/hyperv.c
> +++ b/arch/x86/kvm/hyperv.c
> @@ -2045,10 +2045,9 @@ static u64 kvm_hv_flush_tlb(struct kvm_vcpu *vcpu, struct kvm_hv_hcall *hc)
>  	 * flush).  Translate the address here so the memory can be uniformly
>  	 * read with kvm_read_guest().
>  	 */
> -	if (!hc->fast && mmu_is_nested(vcpu)) {
> -		hc->ingpa = kvm_x86_ops.nested_ops->translate_nested_gpa(
> -					vcpu, hc->ingpa,
> -					PFERR_GUEST_FINAL_MASK, NULL, 0);
> +	if (!hc->fast) {
> +		hc->ingpa = kvm_translate_gpa(vcpu, vcpu->arch.walk_mmu, hc->ingpa,
> +					      PFERR_GUEST_FINAL_MASK, NULL, 0);
>  		if (unlikely(hc->ingpa == INVALID_GPA))
>  			return HV_STATUS_INVALID_HYPERCALL_INPUT;
>  	}

[Severity: High]
This isn't a bug introduced by this patch, but when an L2 guest issues a
slow Hyper-V flush hypercall without nEPT/nNPT enabled, it appears we fail
to translate the L2 GPA or return an error.

If kvm_translate_gpa() bypasses the nested translation (e.g., because
mmu_is_nested(vcpu) is false), the L2-provided hc->ingpa is returned
unchanged. 

Does this result in the untranslated L2 GPA being treated as an L1 GPA when
passed to kvm_read_guest(), potentially allowing the L2 guest to read
arbitrary L1 memory for hypercall parameters?

[Severity: High]
This is also a pre-existing issue, but when reading the hypercall input
data for slow Hyper-V hypercalls, does KVM fail to apply L2's nested EPT
(nEPT) mappings when the data crosses an L2 page boundary?

Later in the process, kvm_hv_get_hc_data() adds an offset to the translated
L1 base GPA:

arch/x86/kvm/hyperv.c:kvm_hv_get_hc_data() {
    ...
	return kvm_read_guest(kvm, hc->ingpa + hc->data_offset, data,
			      cnt * sizeof(*data));
}

Because kvm_read_guest() iterates contiguous L1 GFNs when crossing page
boundaries, if the hypercall input data straddles an L2 page boundary,
won't this ignore L2's EPT mappings for the subsequent pages and read
from unmapped, adjacent L1 physical memory?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260624214218.73796-1-pbonzini@redhat.com?part=1