From: bugzilla-daemon@kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 220964] nSVM: missing sanity checks in svm_leave_smm()
Date: Thu, 15 Jan 2026 01:22:30 +0000 [thread overview]
Message-ID: <bug-220964-28872-CHHSZu8vB3@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-220964-28872@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=220964
--- Comment #1 from yosry.ahmed@linux.dev ---
On Sat, Jan 10, 2026 at 08:03:07PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=220964
>
> Bug ID: 220964
> Summary: nSVM: missing sanity checks in svm_leave_smm()
> Product: Virtualization
> Version: unspecified
> Hardware: AMD
> OS: Linux
> Status: NEW
> Severity: normal
> Priority: P3
> Component: kvm
> Assignee: virtualization_kvm@kernel-bugs.osdl.org
> Reporter: max@m00nbsd.net
> Regression: No
>
> In svm_leave_smm():
>
> svm_copy_vmrun_state(&svm->vmcb01.ptr->save, map_save.hva + 0x400);
> ...
> nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
> nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
> ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12,
> false);
>
> map_save.hva and vmcb12 are guest mappings, but there is no sanity check
> performed on the copied control/save areas. It seems that this allows the
> guest
> to modify restricted values (intercepts, EFER, CR4) and gain access to CPU
> features the host may not support or expose.
This was reported by Sean in
https://lore.kernel.org/kvm/aThIQzni6fC1qdgj@google.com/.
I think the following patch should fix it:
https://lore.kernel.org/kvm/20260115011312.3675857-14-yosry.ahmed@linux.dev/.
>
> nested_copy_vmcb_control_to_cache() and nested_vmcb_check_controls() ought to
> be combined into one function, same with nested_copy_vmcb_save_to_cache() and
> nested_vmcb_check_save(), to eliminate the risk that a copy is made without
> sanity check.
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
prev parent reply other threads:[~2026-01-15 1:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-10 20:03 [Bug 220964] New: nSVM: missing sanity checks in svm_leave_smm() bugzilla-daemon
2026-01-15 1:22 ` Yosry Ahmed
2026-01-15 1:22 ` bugzilla-daemon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-220964-28872-CHHSZu8vB3@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@kernel.org \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.