From mboxrd@z Thu Jan  1 00:00:00 1970
From: bugzilla-daemon@bugzilla.kernel.org
Subject: [Bug 195167] New: INVEPT might crash the host
Date: Fri, 31 Mar 2017 02:30:17 +0000
Message-ID: <bug-195167-28872@https.bugzilla.kernel.org/>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8BIT
To: kvm@kernel.org
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail.wl.linuxfoundation.org ([198.145.29.98]:47960 "EHLO
        mail.wl.linuxfoundation.org" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1750968AbdCaCaa (ORCPT
        <rfc822;kvm@vger.kernel.org>); Thu, 30 Mar 2017 22:30:30 -0400
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
        by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 65CE828650
        for <kvm@vger.kernel.org>; Fri, 31 Mar 2017 02:30:29 +0000 (UTC)
Received: from pdx-korg-bugzilla-1.web.codeaurora.org (unknown [172.30.200.120])
        by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2072B28646
        for <kvm@vger.kernel.org>; Fri, 31 Mar 2017 02:30:29 +0000 (UTC)
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

https://bugzilla.kernel.org/show_bug.cgi?id=195167

            Bug ID: 195167
           Summary: INVEPT might crash the host
           Product: Virtualization
           Version: unspecified
    Kernel Version: 3.11 - 3.14
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: kvm
          Assignee: virtualization_kvm@kernel-bugs.osdl.org
          Reporter: minoura@valinux.co.jp
        Regression: No

Created attachment 255653
  --> https://bugzilla.kernel.org/attachment.cgi?id=255653&action=edit
build and insmod'ing the module on a guest linux crashes the host

KVM in linux 3.11 - 3.14 (including long term supported 3.12.72) has a
flaw in INVEPT emulation that could crash the host.

[ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at
0000000000000070
[ 1046.387386] IP: [<ffffffffa05b3ca3>] handle_invept+0x123/0x170 [kvm_intel]
[ 1046.389577] PGD 0 
[ 1046.390273] Oops: 0000 [#1] SMP 

(tested with Ubuntu 14.04 linux-image-3.13.0-113-generic)

The host KVM touches NULL pointer (vmx->nested.current_vmcs12) when a
(crafted or buggy) guest issues a single-context INVEPT instruction
*without* VMPTRLD like this:

        kvm_cpu_vmxon(phys_addr);
        ept_sync_context(0);

(requires nested EPT; full PoC module code attached)

This flaw was introduced in commit bfd0a56b90005f8c8a004baf407ad90045c2b11e
(nEPT: Nested INVEPT) and removed in 4b855078601fc422dbac3059f2215e776f49780f
(KVM: nVMX: Don't advertise single context invalidation for invept).
Therefore there should be two ways to fix this.

a. pullup bfd0a56b90005f (and 45e11817d5703e)
b. check current_vmcs12 before accessing for minimal fix:

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d9e567f..d785e9c 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6391,6 +6391,8 @@ static int handle_invept(struct kvm_vcpu *vcpu)

        switch (type) {
        case VMX_EPT_EXTENT_CONTEXT:
+               if (to_vmx(vcpu)->nested.current_vmptr == -1ull)
+                       break;
                if ((operand.eptp & eptp_mask) !=
                                (nested_ept_get_cr3(vcpu) & eptp_mask))
                        break;

-- 
You are receiving this mail because:
You are watching the assignee of the bug.