From: Marc Zyngier <maz@kernel.org>
To: Geonha Lee <w1nsom3gna@korea.ac.kr>
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	Oliver Upton <oliver.upton@linux.dev>,
	Joey Gouly <joey.gouly@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Zenghui Yu <yuzenghui@huawei.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>
Subject: Re: [PATCH] KVM: arm64: nested: fix VNCR TLB ASID match logic for non-Global entries
Date: Thu, 04 Sep 2025 10:32:44 +0100	[thread overview]
Message-ID: <87v7lyzhoj.wl-maz@kernel.org> (raw)
In-Reply-To: <20250903150421.90752-1-w1nsom3gna@korea.ac.kr>

On Wed, 03 Sep 2025 16:04:21 +0100,
Geonha Lee <w1nsom3gna@korea.ac.kr> wrote:
> 
> kvm_vncr_tlb_lookup() is supposed to return true when the cached VNCR
> TLB entry is valid for the current context. For non-Global entries, that
> means the entry’s ASID must match the current ASID.
> 
> The current code returns true when the ASIDs do *not* match, which
> inverts the logic. This is a potential vulnerability:
> 
> - Valid entries are ignored and we fall back to kvm_translate_vncr(),
>   hurting performance.
> - Mismatched entries are treated as permission faults (-EPERM) instead
>   of triggering a fresh translation.
> - This can also cause stale translations to be (wrongly) considered
>   valid across address spaces.

I don't immediately see the vulnerability on the host. In the guest,
yes, absolutely.

> 
> Flip the predicate so non-Global entries only hit when ASIDs match.
> 
> Reported-by: Team 0xB6 in bob14
>   DongHa Lee (@GAP-dev)
>   Gyujeong Jin (@gyutrange)
>   Daehyeon Ko (@4ncienth)
>   Geonha Lee (@leegn4a)
>   Hyungyu Oh (@DQPC_lover)
>   Jaewon Yang (@R4mbb)

Reported-by: has a specific meaning, and needs addresses. Oliver, can
you change this to some sort of attribution?

> 
> Signed-off-by: Geonha Lee <w1nsom3gna@korea.ac.kr>
> ---
>  arch/arm64/kvm/nested.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
> index 77db81bae86f..24eab94d7d7f 100644
> --- a/arch/arm64/kvm/nested.c
> +++ b/arch/arm64/kvm/nested.c
> @@ -1276,7 +1276,7 @@ static bool kvm_vncr_tlb_lookup(struct kvm_vcpu *vcpu)
>  		    !(tcr & TCR_ASID16))
>  			asid &= GENMASK(7, 0);
>  
> -		return asid != vt->wr.asid;
> +		return asid == vt->wr.asid;
>  	}
>  
>  	return true;
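Review bot: the `+` line's equality test only behaves as intended if `vt->wr.asid` was recorded at the same width that the live `asid` is reduced to two lines above (`asid &= GENMASK(7, 0)` when `TCR_ASID16` is clear); if the cached value keeps all 16 bits while the current one is masked, a genuinely matching 8-bit ASID would still miss, so please confirm the entry is masked identically at fill time, or apply the same mask to `vt->wr.asid` here. The sign flip itself is right: the `-` line returned true exactly when the ASIDs differed, so a non-Global entry belonging to another address space was treated as a hit while the correct entry fell through to a fresh translation. A `Fixes:` tag naming the commit that introduced the inverted predicate would also help stable backports pick this up.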

Yup, looks correct to me. Thanks again for fixing it.

Reviewed-by: Marc Zyngier <maz@kernel.org>

	M.

-- 
Jazz isn't dead. It just smells funny.
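As an added illustration of the lookup decision the commit message describes (this is example code written for this page, not the kernel's `kvm_vncr_tlb_lookup()` or any other KVM code), the user-space model below keeps the corrected predicate and the pre-fix inverted one side by side so the effect of the sign flip can be checked on constructed inputs. The structure and function names (`vncr_model_entry`, `vncr_model_ctx`, `vncr_lookup_hits`, `vncr_lookup_hits_inverted`, `vncr_cross_asid_hit`) are this example's own; it also assumes the cached ASID is compared at the same width as the live one when 8-bit ASIDs are in use.

```c
/* Added example: user-space model of the VNCR TLB ASID match decision.
 * Names here are local to this example and are not kernel symbols. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A cached VNCR translation: the ASID it was recorded under, and whether
 * the mapping is Global, in which case the ASID is irrelevant. */
struct vncr_model_entry {
	bool valid;
	bool global;
	uint16_t asid;
};

/* The current context: live ASID and whether 16-bit ASIDs are enabled
 * (models the TCR_ASID16 check in the patch). */
struct vncr_model_ctx {
	uint16_t asid;
	bool asid16;
};

/* With 8-bit ASIDs only the low byte is significant. Assumption of this
 * model: both the live and the cached ASID are reduced the same way. */
static uint16_t vncr_effective_asid(uint16_t asid, bool asid16)
{
	return asid16 ? asid : (asid & 0xff);
}

/* Corrected predicate (the "+" line of the patch): a non-Global entry
 * hits only when the effective ASIDs agree. */
bool vncr_lookup_hits(const struct vncr_model_entry *e,
		      const struct vncr_model_ctx *c)
{
	if (!e->valid)
		return false;
	if (e->global)
		return true;
	return vncr_effective_asid(c->asid, c->asid16) ==
	       vncr_effective_asid(e->asid, c->asid16);
}

/* Pre-fix predicate (the "-" line of the patch), kept only to show the
 * inversion: a non-Global entry "hits" exactly when the ASIDs differ. */
bool vncr_lookup_hits_inverted(const struct vncr_model_entry *e,
			       const struct vncr_model_ctx *c)
{
	if (!e->valid)
		return false;
	if (e->global)
		return true;
	return vncr_effective_asid(c->asid, c->asid16) !=
	       vncr_effective_asid(e->asid, c->asid16);
}

/* Returns true when the given predicate accepts a cached entry that belongs
 * to a different address space, i.e. a stale cross-ASID hit. */
bool vncr_cross_asid_hit(bool (*pred)(const struct vncr_model_entry *,
				      const struct vncr_model_ctx *))
{
	/* Constructed sample: entry cached under ASID 0x11, lookup from 0x22. */
	struct vncr_model_entry e = { .valid = true, .global = false, .asid = 0x11 };
	struct vncr_model_ctx c = { .asid = 0x22, .asid16 = true };

	return pred(&e, &c);
}

int main(void)
{
	printf("corrected predicate: cross-ASID hit = %s\n",
	       vncr_cross_asid_hit(vncr_lookup_hits) ? "yes" : "no");
	printf("inverted predicate:  cross-ASID hit = %s\n",
	       vncr_cross_asid_hit(vncr_lookup_hits_inverted) ? "yes" : "no");
	return 0;
}
```

The model makes the two failure modes from the commit message concrete: with the inverted predicate a stale entry from another ASID is accepted, and an entry that actually matches the current ASID is rejected and sent down the slow path.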

Thread overview: 3+ messages
2025-09-03 15:04 [PATCH] KVM: arm64: nested: fix VNCR TLB ASID match logic for non-Global entries Geonha Lee
2025-09-04  9:32 ` Marc Zyngier [this message]
2025-09-05  9:41 ` Oliver Upton