From: bugzilla-daemon@kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 220964] nSVM: missing sanity checks in svm_leave_smm()
Date: Thu, 15 Jan 2026 01:22:30 +0000 [thread overview]
Message-ID: <bug-220964-28872-CHHSZu8vB3@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-220964-28872@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=220964
--- Comment #1 from yosry.ahmed@linux.dev ---
On Sat, Jan 10, 2026 at 08:03:07PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=220964
>
> Bug ID: 220964
> Summary: nSVM: missing sanity checks in svm_leave_smm()
> Product: Virtualization
> Version: unspecified
> Hardware: AMD
> OS: Linux
> Status: NEW
> Severity: normal
> Priority: P3
> Component: kvm
> Assignee: virtualization_kvm@kernel-bugs.osdl.org
> Reporter: max@m00nbsd.net
> Regression: No
>
> In svm_leave_smm():
>
> svm_copy_vmrun_state(&svm->vmcb01.ptr->save, map_save.hva + 0x400);
> ...
> nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
> nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
> ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12,
> false);
>
> map_save.hva and vmcb12 are guest mappings, but there is no sanity check
> performed on the copied control/save areas. It seems that this allows the
> guest
> to modify restricted values (intercepts, EFER, CR4) and gain access to CPU
> features the host may not support or expose.
This was reported by Sean in
https://lore.kernel.org/kvm/aThIQzni6fC1qdgj@google.com/.
I think the following patch should fix it:
https://lore.kernel.org/kvm/20260115011312.3675857-14-yosry.ahmed@linux.dev/.
>
> nested_copy_vmcb_control_to_cache() and nested_vmcb_check_controls() ought to
> be combined into one function, same with nested_copy_vmcb_save_to_cache() and
> nested_vmcb_check_save(), to eliminate the risk that a copy is made without
> sanity check.
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
prev parent reply other threads:[~2026-01-15 1:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-10 20:03 [Bug 220964] New: nSVM: missing sanity checks in svm_leave_smm() bugzilla-daemon
2026-01-15 1:22 ` Yosry Ahmed
2026-01-15 1:22 ` bugzilla-daemon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-220964-28872-CHHSZu8vB3@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@kernel.org \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox