public inbox for kvm@vger.kernel.org
* [Bug 220964] New: nSVM: missing sanity checks in svm_leave_smm()
@ 2026-01-10 20:03 bugzilla-daemon
  2026-01-15  1:22 ` Yosry Ahmed
  2026-01-15  1:22 ` [Bug 220964] " bugzilla-daemon
From: bugzilla-daemon @ 2026-01-10 20:03 UTC (permalink / raw)
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=220964

            Bug ID: 220964
           Summary: nSVM: missing sanity checks in svm_leave_smm()
           Product: Virtualization
           Version: unspecified
          Hardware: AMD
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: kvm
          Assignee: virtualization_kvm@kernel-bugs.osdl.org
          Reporter: max@m00nbsd.net
        Regression: No

In svm_leave_smm():

    svm_copy_vmrun_state(&svm->vmcb01.ptr->save, map_save.hva + 0x400);
...
    nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
    nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
    ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12,
                               false);

map_save.hva and vmcb12 are guest mappings, but there is no sanity check
performed on the copied control/save areas. It seems that this allows the guest
to modify restricted values (intercepts, EFER, CR4) and gain access to CPU
features the host may not support or expose.

nested_copy_vmcb_control_to_cache() and nested_vmcb_check_controls() ought to
be combined into one function, same with nested_copy_vmcb_save_to_cache() and
nested_vmcb_check_save(), to eliminate the risk that a copy is made without
sanity check.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.
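The following is an added illustration of the combined copy-and-check shape the report proposes, written for this page rather than taken from KVM's svm.c or nested.c. The struct layouts, bit positions and allow-lists are constructed, simplified stand-ins for the real VMCB control and save areas, and the "restore from SMM" entry point is a hypothetical model of the svm_leave_smm() flow: guest-provided areas are snapshotted, validated and published to the cache in one function, so no caller can obtain a cached copy that skipped the sanity check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the VMCB control and save areas.
 * Field names, bit positions and allow-lists are constructed for this
 * example and are not KVM's real struct layouts or policy. */
struct demo_vmcb_control {
    uint64_t intercepts;   /* bitmask of intercepted events */
    uint32_t asid;         /* 0 is never a valid guest ASID */
};
struct demo_vmcb_save {
    uint64_t efer;
    uint64_t cr4;
};
struct demo_nested_cache {
    struct demo_vmcb_control ctl;
    struct demo_vmcb_save save;
    bool valid;            /* set only after a copy that passed validation */
};

#define DEMO_INTERCEPT_VMRUN (1ULL << 0)   /* constructed bit position */
#define DEMO_EFER_SVME       (1ULL << 12)
/* constructed allow-lists: bits the host is willing to let the guest set */
#define DEMO_EFER_ALLOWED    (DEMO_EFER_SVME | (1ULL << 0) | (1ULL << 8) | \
                              (1ULL << 10) | (1ULL << 11))
#define DEMO_CR4_ALLOWED     0x3FFULL

static bool demo_controls_ok(const struct demo_vmcb_control *c)
{
    /* the host must keep intercepting VMRUN, and ASID 0 is reserved */
    return (c->intercepts & DEMO_INTERCEPT_VMRUN) && c->asid != 0;
}

static bool demo_save_ok(const struct demo_vmcb_save *s)
{
    return (s->efer & DEMO_EFER_SVME) &&        /* SVM must be enabled */
           !(s->efer & ~DEMO_EFER_ALLOWED) &&   /* no unsupported EFER bits */
           !(s->cr4 & ~DEMO_CR4_ALLOWED);       /* no unsupported CR4 bits */
}

/* Copy and check in ONE function, as the report recommends. The guest
 * data is snapshotted into private storage first, so the checks and the
 * later use see identical values even if the guest rewrites its memory
 * concurrently; only a validated snapshot is published to the cache. */
int demo_copy_and_check_vmcb12(struct demo_nested_cache *cache,
                               const struct demo_vmcb_control *guest_ctl,
                               const struct demo_vmcb_save *guest_save)
{
    struct demo_vmcb_control ctl = *guest_ctl;
    struct demo_vmcb_save save = *guest_save;

    if (!demo_controls_ok(&ctl) || !demo_save_ok(&save)) {
        memset(cache, 0, sizeof(*cache));  /* leave no half-trusted state */
        return -EINVAL;
    }
    cache->ctl = ctl;
    cache->save = save;
    cache->valid = true;
    return 0;
}

/* Hypothetical restore path modelled on the SMM-exit scenario: builds the
 * guest-provided areas from raw field values (a constructed stand-in for the
 * SMRAM mappings), runs copy+check, and enters guest mode only on success.
 * Returns 0 if guest mode would be entered, -EINVAL if refused; if given,
 * *out_cache_valid reports whether stale cache state survived (it must not). */
int demo_restore_from_smm(uint64_t intercepts, uint32_t asid,
                          uint64_t efer, uint64_t cr4, int *out_cache_valid)
{
    struct demo_nested_cache cache = { .valid = true }; /* stale from an earlier run */
    struct demo_vmcb_control ctl = { .intercepts = intercepts, .asid = asid };
    struct demo_vmcb_save save = { .efer = efer, .cr4 = cr4 };
    int ret = demo_copy_and_check_vmcb12(&cache, &ctl, &save);

    if (out_cache_valid)
        *out_cache_valid = cache.valid ? 1 : 0;
    if (ret)
        return ret;   /* a real caller would fail the SMM exit, not proceed */
    /* enter_svm_guest_mode() would follow here, consuming cache.ctl/save only */
    return 0;
}

/* Returns 1 if the cache still claims to be valid after the restore attempt. */
int demo_cache_valid_after(uint64_t intercepts, uint32_t asid,
                           uint64_t efer, uint64_t cr4)
{
    int valid = -1;
    (void)demo_restore_from_smm(intercepts, asid, efer, cr4, &valid);
    return valid;
}
```

The point of the single entry point is that the cache can only ever hold values that passed the same checks applied on a normal VMRUN; a caller such as the SMM-exit path cannot copy first and forget to validate, and a rejected restore leaves no partially trusted state behind for a later entry to consume.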
