From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Marc Orr <marcorr@google.com>,
Jim Mattson <jmattson@google.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4.19 100/101] KVM: x86: nVMX: close leak of L0s x2APIC MSRs (CVE-2019-3887)
Date: Mon, 15 Apr 2019 20:59:38 +0200 [thread overview]
Message-ID: <20190415183745.651392259@linuxfoundation.org> (raw)
In-Reply-To: <20190415183740.341577907@linuxfoundation.org>
From: Marc Orr <marcorr@google.com>
commit acff78477b9b4f26ecdf65733a4ed77fe837e9dc upstream.
The nested_vmx_prepare_msr_bitmap() function doesn't directly guard the
x2APIC MSR intercepts with the "virtualize x2APIC mode" MSR. As a
result, we discovered the potential for a buggy or malicious L1 to get
access to L0's x2APIC MSRs, via an L2, as follows.
1. L1 executes WRMSR(IA32_SPEC_CTRL, 1). This causes the spec_ctrl
variable, in nested_vmx_prepare_msr_bitmap() to become true.
2. L1 disables "virtualize x2APIC mode" in VMCS12.
3. L1 enables "APIC-register virtualization" in VMCS12.
Now, KVM will set VMCS02's x2APIC MSR intercepts from VMCS12, and then
set "virtualize x2APIC mode" to 0 in VMCS02. Oops.
This patch closes the leak by explicitly guarding VMCS02's x2APIC MSR
intercepts with VMCS12's "virtualize x2APIC mode" control.
The scenario outlined above and fix prescribed here, were verified with
a related patch in kvm-unit-tests titled "Add leak scenario to
virt_x2apic_mode_test".
Note, it looks like this issue may have been introduced inadvertently
during a merge---see 15303ba5d1cd.
Signed-off-by: Marc Orr <marcorr@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx.c | 72 ++++++++++++++++++++++++++++++++---------------------
1 file changed, 44 insertions(+), 28 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11582,6 +11582,17 @@ static int nested_vmx_check_tpr_shadow_c
return 0;
}
+static inline void enable_x2apic_msr_intercepts(unsigned long *msr_bitmap) {
+ int msr;
+
+ for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
+ unsigned word = msr / BITS_PER_LONG;
+
+ msr_bitmap[word] = ~0;
+ msr_bitmap[word + (0x800 / sizeof(long))] = ~0;
+ }
+}
+
/*
* Merge L0's and L1's MSR bitmap, return false to indicate that
* we do not use the hardware.
@@ -11623,39 +11634,44 @@ static inline bool nested_vmx_prepare_ms
return false;
msr_bitmap_l1 = (unsigned long *)kmap(page);
- if (nested_cpu_has_apic_reg_virt(vmcs12)) {
- /*
- * L0 need not intercept reads for MSRs between 0x800 and 0x8ff, it
- * just lets the processor take the value from the virtual-APIC page;
- * take those 256 bits directly from the L1 bitmap.
- */
- for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
- unsigned word = msr / BITS_PER_LONG;
- msr_bitmap_l0[word] = msr_bitmap_l1[word];
- msr_bitmap_l0[word + (0x800 / sizeof(long))] = ~0;
- }
- } else {
- for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
- unsigned word = msr / BITS_PER_LONG;
- msr_bitmap_l0[word] = ~0;
- msr_bitmap_l0[word + (0x800 / sizeof(long))] = ~0;
- }
- }
- nested_vmx_disable_intercept_for_msr(
- msr_bitmap_l1, msr_bitmap_l0,
- X2APIC_MSR(APIC_TASKPRI),
- MSR_TYPE_W);
+ /*
+ * To keep the control flow simple, pay eight 8-byte writes (sixteen
+ * 4-byte writes on 32-bit systems) up front to enable intercepts for
+ * the x2APIC MSR range and selectively disable them below.
+ */
+ enable_x2apic_msr_intercepts(msr_bitmap_l0);
+
+ if (nested_cpu_has_virt_x2apic_mode(vmcs12)) {
+ if (nested_cpu_has_apic_reg_virt(vmcs12)) {
+ /*
+ * L0 need not intercept reads for MSRs between 0x800
+ * and 0x8ff, it just lets the processor take the value
+ * from the virtual-APIC page; take those 256 bits
+ * directly from the L1 bitmap.
+ */
+ for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
+ unsigned word = msr / BITS_PER_LONG;
+
+ msr_bitmap_l0[word] = msr_bitmap_l1[word];
+ }
+ }
- if (nested_cpu_has_vid(vmcs12)) {
- nested_vmx_disable_intercept_for_msr(
- msr_bitmap_l1, msr_bitmap_l0,
- X2APIC_MSR(APIC_EOI),
- MSR_TYPE_W);
nested_vmx_disable_intercept_for_msr(
msr_bitmap_l1, msr_bitmap_l0,
- X2APIC_MSR(APIC_SELF_IPI),
+ X2APIC_MSR(APIC_TASKPRI),
MSR_TYPE_W);
+
+ if (nested_cpu_has_vid(vmcs12)) {
+ nested_vmx_disable_intercept_for_msr(
+ msr_bitmap_l1, msr_bitmap_l0,
+ X2APIC_MSR(APIC_EOI),
+ MSR_TYPE_W);
+ nested_vmx_disable_intercept_for_msr(
+ msr_bitmap_l1, msr_bitmap_l0,
+ X2APIC_MSR(APIC_SELF_IPI),
+ MSR_TYPE_W);
+ }
}
if (spec_ctrl)
next prev parent reply other threads:[~2019-04-15 19:21 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-15 18:57 [PATCH 4.19 000/101] 4.19.35-stable review Greg Kroah-Hartman
2019-04-15 18:57 ` [PATCH 4.19 001/101] kvm: nVMX: NMI-window and interrupt-window exiting should wake L2 from HLT Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 002/101] drm/i915/gvt: do not let pin count of shadow mm go negative Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 003/101] powerpc/tm: Limit TM code inside PPC_TRANSACTIONAL_MEM Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 004/101] hv_netvsc: Fix unwanted wakeup after tx_disable Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 005/101] ibmvnic: Fix completion structure initialization Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 006/101] ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 007/101] ipv6: Fix dangling pointer when ipv6 fragment Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 008/101] ipv6: sit: reset ip header pointer in ipip6_rcv Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 009/101] kcm: switch order of device registration to fix a crash Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 010/101] net: ethtool: not call vzalloc for zero sized memory request Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 011/101] net-gro: Fix GRO flush when receiving a GSO packet Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 012/101] net/mlx5: Decrease default mr cache size Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 013/101] netns: provide pure entropy for net_hash_mix() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 014/101] net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 015/101] net/sched: act_sample: fix divide by zero in the traffic path Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 016/101] net/sched: fix ->get helper of the matchall cls Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 017/101] openvswitch: fix flow actions reallocation Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 018/101] qmi_wwan: add Olicard 600 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 019/101] r8169: disable ASPM again Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 020/101] sctp: initialize _pad of sockaddr_in before copying to user memory Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 021/101] tcp: Ensure DCTCP reacts to losses Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 022/101] tcp: fix a potential NULL pointer dereference in tcp_sk_exit Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 023/101] vrf: check accept_source_route on the original netdevice Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 024/101] net/mlx5e: Fix error handling when refreshing TIRs Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 025/101] net/mlx5e: Add a lock on tir list Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 026/101] nfp: validate the return code from dev_queue_xmit() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 027/101] nfp: disable netpoll on representors Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 028/101] bnxt_en: Improve RX consumer index validity check Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 029/101] bnxt_en: Reset device on RX buffer errors Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 030/101] net: ip_gre: fix possible use-after-free in erspan_rcv Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 031/101] net: ip6_gre: fix possible use-after-free in ip6erspan_rcv Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 032/101] net: core: netif_receive_skb_list: unlist skb before passing to pt->func Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 033/101] r8169: disable default rx interrupt coalescing on RTL8168 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 034/101] net: mlx5: Add a missing check on idr_find, free buf Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 035/101] net/mlx5e: Update xoff formula Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 036/101] net/mlx5e: Update xon formula Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 037/101] kbuild: deb-pkg: fix bindeb-pkg breakage when O= is used Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 038/101] kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 039/101] x86/vdso: Drop implicit common-page-size linker flag Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 040/101] lib/string.c: implement a basic bcmp Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 041/101] Revert "clk: meson: clean-up clock registration" Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 042/101] netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 043/101] netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, too Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 044/101] arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 045/101] tty: mark Siemens R3964 line discipline as BROKEN Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 046/101] tty: ldisc: add sysctl to prevent autoloading of ldiscs Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 047/101] hwmon: (w83773g) Select REGMAP_I2C to fix build error Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 048/101] ACPICA: Clear status of GPEs before enabling them Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 049/101] ACPICA: Namespace: remove address node from global list after method termination Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 050/101] ALSA: seq: Fix OOB-reads from strlcpy Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 051/101] ALSA: hda/realtek: Enable headset MIC of Acer TravelMate B114-21 with ALC233 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 052/101] ALSA: hda/realtek - Add quirk for Tuxedo XC 1509 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 053/101] ALSA: hda - Add two more machines to the power_save_blacklist Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 054/101] mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 055/101] arm64: dts: rockchip: fix rk3328 sdmmc0 write errors Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 056/101] parisc: Detect QEMU earlier in boot process Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 057/101] parisc: regs_return_value() should return gpr28 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 058/101] parisc: also set iaoq_b in instruction_pointer_set() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 059/101] alarmtimer: Return correct remaining time Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 060/101] drm/i915/gvt: do not deliver a workload if its creation fails Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.19 061/101] drm/udl: add a release method and delay modeset teardown Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 062/101] kvm: svm: fix potential get_num_contig_pages overflow Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 063/101] include/linux/bitrev.h: fix constant bitrev Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 064/101] mm: writeback: use exact memcg dirty counts Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 065/101] ASoC: intel: Fix crash at suspend/resume after failed codec registration Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 066/101] ASoC: fsl_esai: fix channel swap issue when stream starts Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 067/101] Btrfs: do not allow trimming when a fs is mounted with the nologreplay option Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 068/101] btrfs: prop: fix zstd compression parameter validation Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 069/101] btrfs: prop: fix vanished compression property after failed set Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 070/101] riscv: Fix syscall_get_arguments() and syscall_set_arguments() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 071/101] block: do not leak memory in bio_copy_user_iov() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 072/101] block: fix the return errno for direct IO Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 073/101] genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 074/101] genirq: Initialize request_mutex if CONFIG_SPARSE_IRQ=n Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 075/101] virtio: Honour may_reduce_num in vring_create_virtqueue Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 076/101] ARM: dts: rockchip: fix rk3288 cpu opp node reference Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 077/101] ARM: dts: am335x-evmsk: Correct the regulators for the audio codec Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 078/101] ARM: dts: am335x-evm: " Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 079/101] ARM: dts: at91: Fix typo in ISC_D0 on PC9 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 080/101] arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 081/101] arm64: dts: rockchip: fix rk3328 rgmii high tx error rate Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 082/101] arm64: backtrace: Dont bother trying to unwind the userspace stack Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 083/101] xen: Prevent buffer overflow in privcmd ioctl Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 084/101] sched/fair: Do not re-read ->h_load_next during hierarchical load calculation Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 085/101] xtensa: fix return_address Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 086/101] x86/asm: Remove dead __GNUC__ conditionals Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 087/101] x86/asm: Use stricter assembly constraints in bitops Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 088/101] x86/perf/amd: Resolve race condition when disabling PMC Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 089/101] x86/perf/amd: Resolve NMI latency issues for active PMCs Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 090/101] x86/perf/amd: Remove need to check "running" bit in NMI handler Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 091/101] PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 092/101] PCI: pciehp: Ignore Link State Changes after powering off a slot Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 093/101] dm integrity: change memcmp to strncmp in dm_integrity_ctr Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 094/101] dm: revert 8f50e358153d ("dm: limit the max bio size as BIO_MAX_PAGES * PAGE_SIZE") Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 095/101] dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 096/101] dm integrity: fix deadlock with overlapping I/O Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 097/101] arm64: dts: rockchip: fix vcc_host1_5v pin assign on rk3328-rock64 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 098/101] arm64: dts: rockchip: Fix vcc_host1_5v GPIO polarity " Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.19 099/101] ACPICA: AML interpreter: add region addresses in global list during initialization Greg Kroah-Hartman
2019-04-15 18:59 ` Greg Kroah-Hartman [this message]
2019-04-15 18:59 ` [PATCH 4.19 101/101] KVM: x86: nVMX: fix x2APIC VTPR read intercept Greg Kroah-Hartman
2019-04-16 0:24 ` [PATCH 4.19 000/101] 4.19.35-stable review kernelci.org bot
2019-04-16 10:34 ` Jon Hunter
2019-04-16 11:21 ` Naresh Kamboju
2019-04-16 16:30 ` Guenter Roeck
2019-04-16 21:39 ` shuah
2019-04-16 22:16 ` Bharath Vedartham
2019-04-17 6:15 ` Greg Kroah-Hartman
2019-04-17 6:16 ` Greg Kroah-Hartman
2019-04-17 16:40 ` Bharath Vedartham
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190415183745.651392259@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jmattson@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcorr@google.com \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).