From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C1DE71C2DB1; Tue, 27 Aug 2024 15:04:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724771065; cv=none; b=Oyy19NeXUPY9u3KaaPUBmjGlSwQ8wbp0MS4tCf29Rxz0I8rc+Ovu2ozIzrUv5qplt1OtE7hWCpeYOKXt/Lzrd6t2I/D13dBFg4Lx/IjMzUZlQO+P4S0E9BRj+KmpU+o30ODM6ZDHJ30sE5FxeCGPA4f4qvjbwEvPsYZD2Tm27CE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724771065; c=relaxed/simple; bh=VyQ8j96z/tpAjIdS5DuXKrloN1KJHdkbg5wG1f6qeI8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=S3QEEeNJFzBM9WK7WcDjsGqH0YkJUaO0WDArAU8bmIWCUXX3noKHdGG/S7njx3CVJLPVTVtB82SMoGzc/cIwH17FX20l3sWhZrnLT5JCFqBVa5LJv6BotN89SbZrMWj1V6hZhqt2sQnK8/d+W4eHVRduVfMgh7v53d+HqZ1sKuY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=p22GUbIx; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="p22GUbIx" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2B1E4C61056; Tue, 27 Aug 2024 15:04:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1724771065; bh=VyQ8j96z/tpAjIdS5DuXKrloN1KJHdkbg5wG1f6qeI8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=p22GUbIxNbS8D04i0ChbHJEIFc/u4D9DqmojfIM3hM61ncDviHdRKtKab4oxAemuq QF4HshulgmhCsd9OVpeNt4M3OhgQcooSwja6fO0P2KGpXXsBEAiV2cPPyWgiGzr9qY 6Xztql292rMepiR/6RYCr5uyOIUgpMuhluwiDUz0= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Claudio Imbrenda , Christian Borntraeger , Steffen Eiden , Janosch Frank , Sasha Levin Subject: [PATCH 6.10 077/273] s390/uv: Panic for set and remove shared access UVC errors Date: Tue, 27 Aug 2024 16:36:41 +0200 Message-ID: <20240827143836.344030991@linuxfoundation.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240827143833.371588371@linuxfoundation.org> References: <20240827143833.371588371@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Claudio Imbrenda [ Upstream commit cff59d8631e1409ffdd22d9d717e15810181b32c ] The return value uv_set_shared() and uv_remove_shared() (which are wrappers around the share() function) is not always checked. The system integrity of a protected guest depends on the Share and Unshare UVCs being successful. This means that any caller that fails to check the return value will compromise the security of the protected guest. No code path that would lead to such violation of the security guarantees is currently exercised, since all the areas that are shared never get unshared during the lifetime of the system. This might change and become an issue in the future. The Share and Unshare UVCs can only fail in case of hypervisor misbehaviour (either a bug or malicious behaviour). In such cases there is no reasonable way forward, and the system needs to panic. This patch replaces the return at the end of the share() function with a panic, to guarantee system integrity. Fixes: 5abb9351dfd9 ("s390/uv: introduce guest side ultravisor code") Signed-off-by: Claudio Imbrenda Reviewed-by: Christian Borntraeger Reviewed-by: Steffen Eiden Reviewed-by: Janosch Frank Link: https://lore.kernel.org/r/20240801112548.85303-1-imbrenda@linux.ibm.com Message-ID: <20240801112548.85303-1-imbrenda@linux.ibm.com> [frankja@linux.ibm.com: Fixed up patch subject] Signed-off-by: Janosch Frank Signed-off-by: Sasha Levin --- arch/s390/include/asm/uv.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h index 0e7bd3873907f..b2e2f9a4163c5 100644 --- a/arch/s390/include/asm/uv.h +++ b/arch/s390/include/asm/uv.h @@ -442,7 +442,10 @@ static inline int share(unsigned long addr, u16 cmd) if (!uv_call(0, (u64)&uvcb)) return 0; - return -EINVAL; + pr_err("%s UVC failed (rc: 0x%x, rrc: 0x%x), possible hypervisor bug.\n", + uvcb.header.cmd == UVC_CMD_SET_SHARED_ACCESS ? "Share" : "Unshare", + uvcb.header.rc, uvcb.header.rrc); + panic("System security cannot be guaranteed unless the system panics now.\n"); } /* -- 2.43.0