From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Felix Wilhelm <fwilhelm@google.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4.16 07/43] kvm: nVMX: Enforce cpl=0 for VMX instructions
Date: Thu, 14 Jun 2018 16:04:11 +0200
Message-ID: <20180614132135.424847630@linuxfoundation.org>
In-Reply-To: <20180614132135.111973468@linuxfoundation.org>
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Wilhelm <fwilhelm@google.com>
commit 727ba748e110b4de50d142edca9d6a9b7e6111d8 upstream.
VMX instructions executed inside a L1 VM will always trigger a VM exit
even when executed with cpl 3. This means we must perform the
privilege check in software.
Fixes: 70f3aac964ae ("kvm: nVMX: Remove superfluous VMX instruction fault checks")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Wilhelm <fwilhelm@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7426,6 +7426,12 @@ static int handle_vmon(struct kvm_vcpu *
return 1;
}
+ /* CPL=0 must be checked manually. */
+ if (vmx_get_cpl(vcpu)) {
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 1;
+ }
+
if (vmx->nested.vmxon) {
nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
return kvm_skip_emulated_instruction(vcpu);
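Review bot: the new CPL check in handle_vmon() queues #UD (UD_VECTOR) for every CPL > 0 caller, but the commit message only says the privilege check has to move into software and does not say which fault the hardware would have raised; the SDM's VMXON pseudocode raises #GP(0) for CPL > 0 once the #UD conditions have been ruled out, so `kvm_inject_gp(vcpu, 0)` would be the faithful injection here and is worth checking against the manual before this goes in. Placing the check ahead of the `vmx->nested.vmxon` test is right in either case, since a CPL > 0 caller must not be able to observe the VMXERR_VMXON_IN_VMX_ROOT_OPERATION result.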
@@ -7485,6 +7491,11 @@ static int handle_vmon(struct kvm_vcpu *
*/
static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
{
+ if (vmx_get_cpl(vcpu)) {
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 0;
+ }
+
if (!to_vmx(vcpu)->nested.vmxon) {
kvm_queue_exception(vcpu, UD_VECTOR);
return 0;
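Review bot: the comment block that ends just above nested_vmx_check_permission() (the `*/` at the top of this hunk) is left untouched although the function now enforces CPL 0 as well as vmxon; extend it to say that both conditions are checked and that #UD is queued on failure, since the `_system` comments changed later in this patch cite this function as the CPL guarantee. Also note the ordering: the CPL test sits before the `nested.vmxon` test, which is harmless while both paths queue UD_VECTOR, but if the CPL path is ever switched to #GP(0) the vmxon check has to come first so that #UD keeps priority.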
@@ -7785,7 +7796,7 @@ static int handle_vmread(struct kvm_vcpu
if (get_vmx_mem_address(vcpu, exit_qualification,
vmx_instruction_info, true, &gva))
return 1;
- /* _system ok, as hardware has verified cpl=0 */
+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
&field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
}
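Review bot: the comment change is fine, but the call it annotates still passes NULL as the exception pointer and discards the return value of kvm_write_guest_virt_system(), so a guest-virtual write that faults (an unmapped or read-only destination, for instance) is silently dropped and the VMREAD completes as if it had succeeded; handle_vmptrst() below checks the return value with `&e`, and handle_vmread() should do the same and inject the recorded fault. That is pre-existing rather than introduced here, but it deserves a follow-up because the `_system` variant is exactly the path that performs the access with supervisor privilege, which is why its safety hinges on the CPL=0 check this patch adds.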
@@ -7945,7 +7956,7 @@ static int handle_vmptrst(struct kvm_vcp
if (get_vmx_mem_address(vcpu, exit_qualification,
vmx_instruction_info, true, &vmcs_gva))
return 1;
- /* ok to use *_system, as hardware has verified cpl=0 */
+ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
(void *)&to_vmx(vcpu)->nested.current_vmptr,
sizeof(u64), &e)) {
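Review bot: style only: this comment now reads `*_system ok, ...` while the equivalent one in handle_vmread() reads `_system ok, ...`; pick one spelling for both so a grep for the justification finds every site that relies on nested_vmx_check_permission() for its CPL=0 assumption.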