From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@kernel.org
Subject: [Bug 195167] New: INVEPT might crash the host
Date: Fri, 31 Mar 2017 02:30:17 +0000 [thread overview]
Message-ID: <bug-195167-28872@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=195167
Bug ID: 195167
Summary: INVEPT might crash the host
Product: Virtualization
Version: unspecified
Kernel Version: 3.11 - 3.14
Hardware: x86-64
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: kvm
Assignee: virtualization_kvm@kernel-bugs.osdl.org
Reporter: minoura@valinux.co.jp
Regression: No
Created attachment 255653
--> https://bugzilla.kernel.org/attachment.cgi?id=255653&action=edit
build and insmod'ing the module on a guest linux crashes the host
KVM in linux 3.11 - 3.14 (including long term supported 3.12.72) has a
flaw in INVEPT emulation that could crash the host.
[ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at
0000000000000070
[ 1046.387386] IP: [<ffffffffa05b3ca3>] handle_invept+0x123/0x170 [kvm_intel]
[ 1046.389577] PGD 0
[ 1046.390273] Oops: 0000 [#1] SMP
(tested with Ubuntu 14.04 linux-image-3.13.0-113-generic)
The host KVM touches NULL pointer (vmx->nested.current_vmcs12) when a
(crafted or buggy) guest issues a single-context INVEPT instruction
*without* VMPTRLD like this:
kvm_cpu_vmxon(phys_addr);
ept_sync_context(0);
(requires nested EPT; full PoC module code attached)
This flaw was introduced in commit bfd0a56b90005f8c8a004baf407ad90045c2b11e
(nEPT: Nested INVEPT) and removed in 4b855078601fc422dbac3059f2215e776f49780f
(KVM: nVMX: Don't advertise single context invalidation for invept).
Therefore there should be two ways to fix this.
a. pullup bfd0a56b90005f (and 45e11817d5703e)
b. check current_vmcs12 before accessing for minimal fix:
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d9e567f..d785e9c 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6391,6 +6391,8 @@ static int handle_invept(struct kvm_vcpu *vcpu)
switch (type) {
case VMX_EPT_EXTENT_CONTEXT:
+ if (to_vmx(vcpu)->nested.current_vmptr == -1ull)
+ break;
if ((operand.eptp & eptp_mask) !=
(nested_ept_get_cr3(vcpu) & eptp_mask))
break;
--
You are receiving this mail because:
You are watching the assignee of the bug.
next reply other threads:[~2017-03-31 2:30 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-31 2:30 bugzilla-daemon [this message]
2017-04-24 20:45 ` [Bug 195167] INVEPT might crash the host bugzilla-daemon
2017-04-24 22:12 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-195167-28872@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=kvm@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox