* [Bug 220964] New: nSVM: missing sanity checks in svm_leave_smm()
From: bugzilla-daemon @ 2026-01-10 20:03 UTC (permalink / raw)
To: kvm
https://bugzilla.kernel.org/show_bug.cgi?id=220964
Bug ID: 220964
Summary: nSVM: missing sanity checks in svm_leave_smm()
Product: Virtualization
Version: unspecified
Hardware: AMD
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: kvm
Assignee: virtualization_kvm@kernel-bugs.osdl.org
Reporter: max@m00nbsd.net
Regression: No
In svm_leave_smm():
    svm_copy_vmrun_state(&svm->vmcb01.ptr->save, map_save.hva + 0x400);
    ...
    nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
    nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
    ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12,
                               false);
map_save.hva and vmcb12 are guest mappings, but there is no sanity check
performed on the copied control/save areas. It seems that this allows the guest
to modify restricted values (intercepts, EFER, CR4) and gain access to CPU
features the host may not support or expose.
nested_copy_vmcb_control_to_cache() and nested_vmcb_check_controls() ought to
be combined into one function, same with nested_copy_vmcb_save_to_cache() and
nested_vmcb_check_save(), to eliminate the risk that a copy is made without
sanity check.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
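The report above asks that the copy-to-cache and the sanity check become one function so no caller can copy guest-supplied VMCB state without validating it. The following is an added, stand-alone C model of that pattern; it is not KVM's code. The struct layouts, the bit position of the VMRUN intercept, the host_caps masks and the function names are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a VMCB12 control/save area holding only the fields
 * the report names. Bit positions are illustrative, not AMD's layout. */
struct guest_vmcb {
    uint64_t intercepts;   /* guest-requested intercept bitmap */
    uint64_t efer;
    uint64_t cr4;
};

/* Host policy (assumed values): bits a guest may legitimately set. */
struct host_caps {
    uint64_t efer_allowed;
    uint64_t cr4_allowed;
};

#define INTERCEPT_VMRUN_BIT (1ULL << 0)   /* constructed position */

/* Validate a private snapshot, never the live guest mapping. */
static bool vmcb_check(const struct guest_vmcb *g, const struct host_caps *h)
{
    if (!(g->intercepts & INTERCEPT_VMRUN_BIT)) /* L1 must intercept VMRUN */
        return false;
    if (g->efer & ~h->efer_allowed)   /* unsupported/reserved EFER bits */
        return false;
    if (g->cr4 & ~h->cr4_allowed)     /* CR4 features the host does not expose */
        return false;
    return true;
}

/* Single entry point combining copy and check: the cache is only written
 * after validation succeeds, so a caller such as an SMM-exit path cannot
 * end up with unchecked guest state in the cache. Returns 0 on success,
 * -1 if the guest-supplied state was rejected (cache left untouched). */
int vmcb_copy_and_check(struct guest_vmcb *cache, const struct guest_vmcb *guest,
                        const struct host_caps *host)
{
    struct guest_vmcb tmp = *guest;   /* snapshot first: guest memory can
                                       * change between check and use */
    if (!vmcb_check(&tmp, host))
        return -1;
    *cache = tmp;
    return 0;
}
```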
* Re: [Bug 220964] New: nSVM: missing sanity checks in svm_leave_smm()
From: Yosry Ahmed @ 2026-01-15 1:22 UTC (permalink / raw)
To: bugzilla-daemon; +Cc: kvm
On Sat, Jan 10, 2026 at 08:03:07PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=220964
>
> Bug ID: 220964
> Summary: nSVM: missing sanity checks in svm_leave_smm()
> Product: Virtualization
> Version: unspecified
> Hardware: AMD
> OS: Linux
> Status: NEW
> Severity: normal
> Priority: P3
> Component: kvm
> Assignee: virtualization_kvm@kernel-bugs.osdl.org
> Reporter: max@m00nbsd.net
> Regression: No
>
> In svm_leave_smm():
>
> svm_copy_vmrun_state(&svm->vmcb01.ptr->save, map_save.hva + 0x400);
> ...
> nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
> nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
> ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12,
> false);
>
> map_save.hva and vmcb12 are guest mappings, but there is no sanity check
> performed on the copied control/save areas. It seems that this allows the guest
> to modify restricted values (intercepts, EFER, CR4) and gain access to CPU
> features the host may not support or expose.
This was reported by Sean in
https://lore.kernel.org/kvm/aThIQzni6fC1qdgj@google.com/.
I think the following patch should fix it:
https://lore.kernel.org/kvm/20260115011312.3675857-14-yosry.ahmed@linux.dev/.
>
> nested_copy_vmcb_control_to_cache() and nested_vmcb_check_controls() ought to
> be combined into one function, same with nested_copy_vmcb_save_to_cache() and
> nested_vmcb_check_save(), to eliminate the risk that a copy is made without
> sanity check.
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
* [Bug 220964] nSVM: missing sanity checks in svm_leave_smm()
From: bugzilla-daemon @ 2026-01-15 1:22 UTC (permalink / raw)
To: kvm
https://bugzilla.kernel.org/show_bug.cgi?id=220964
--- Comment #1 from yosry.ahmed@linux.dev ---
On Sat, Jan 10, 2026 at 08:03:07PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=220964
>
> Bug ID: 220964
> Summary: nSVM: missing sanity checks in svm_leave_smm()
> Product: Virtualization
> Version: unspecified
> Hardware: AMD
> OS: Linux
> Status: NEW
> Severity: normal
> Priority: P3
> Component: kvm
> Assignee: virtualization_kvm@kernel-bugs.osdl.org
> Reporter: max@m00nbsd.net
> Regression: No
>
> In svm_leave_smm():
>
> svm_copy_vmrun_state(&svm->vmcb01.ptr->save, map_save.hva + 0x400);
> ...
> nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
> nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
> ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12,
> false);
>
> map_save.hva and vmcb12 are guest mappings, but there is no sanity check
> performed on the copied control/save areas. It seems that this allows the guest
> to modify restricted values (intercepts, EFER, CR4) and gain access to CPU
> features the host may not support or expose.
This was reported by Sean in
https://lore.kernel.org/kvm/aThIQzni6fC1qdgj@google.com/.
I think the following patch should fix it:
https://lore.kernel.org/kvm/20260115011312.3675857-14-yosry.ahmed@linux.dev/.
>
> nested_copy_vmcb_control_to_cache() and nested_vmcb_check_controls() ought to
> be combined into one function, same with nested_copy_vmcb_save_to_cache() and
> nested_vmcb_check_save(), to eliminate the risk that a copy is made without
> sanity check.
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are watching the assignee of the bug.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.