From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@kernel.org
Subject: [Bug 195167] New: INVEPT might crash the host
Date: Fri, 31 Mar 2017 02:30:17 +0000 [thread overview]
Message-ID: <bug-195167-28872@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=195167
Bug ID: 195167
Summary: INVEPT might crash the host
Product: Virtualization
Version: unspecified
Kernel Version: 3.11 - 3.14
Hardware: x86-64
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: kvm
Assignee: virtualization_kvm@kernel-bugs.osdl.org
Reporter: minoura@valinux.co.jp
Regression: No
Created attachment 255653
--> https://bugzilla.kernel.org/attachment.cgi?id=255653&action=edit
build and insmod'ing the module on a guest linux crashes the host
KVM in linux 3.11 - 3.14 (including long term supported 3.12.72) has a
flaw in INVEPT emulation that could crash the host.
[ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at
0000000000000070
[ 1046.387386] IP: [<ffffffffa05b3ca3>] handle_invept+0x123/0x170 [kvm_intel]
[ 1046.389577] PGD 0
[ 1046.390273] Oops: 0000 [#1] SMP
(tested with Ubuntu 14.04 linux-image-3.13.0-113-generic)
The host KVM touches NULL pointer (vmx->nested.current_vmcs12) when a
(crafted or buggy) guest issues a single-context INVEPT instruction
*without* VMPTRLD like this:
kvm_cpu_vmxon(phys_addr);
ept_sync_context(0);
(requires nested EPT; full PoC module code attached)
This flaw was introduced in commit bfd0a56b90005f8c8a004baf407ad90045c2b11e
(nEPT: Nested INVEPT) and removed in 4b855078601fc422dbac3059f2215e776f49780f
(KVM: nVMX: Don't advertise single context invalidation for invept).
Therefore there should be two ways to fix this.
a. pullup bfd0a56b90005f (and 45e11817d5703e)
b. check current_vmcs12 before accessing for minimal fix:
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d9e567f..d785e9c 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6391,6 +6391,8 @@ static int handle_invept(struct kvm_vcpu *vcpu)
switch (type) {
case VMX_EPT_EXTENT_CONTEXT:
+ if (to_vmx(vcpu)->nested.current_vmptr == -1ull)
+ break;
if ((operand.eptp & eptp_mask) !=
(nested_ept_get_cr3(vcpu) & eptp_mask))
break;
--
You are receiving this mail because:
You are watching the assignee of the bug.
next reply other threads:[~2017-03-31 2:30 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-31 2:30 bugzilla-daemon [this message]
2017-04-24 20:45 ` [Bug 195167] INVEPT might crash the host bugzilla-daemon
2017-04-24 22:12 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-195167-28872@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=kvm@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.