The g_pat field from the vmcb12 save state area must be validated. To accommodate validation without TOCTTOU issues, add a g_pat field to the vmcb_save_area_cached struct, and include it in the fields copied by __nested_copy_vmcb_save_to_cache().
Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler") Signed-off-by: Jim Mattson jmattson@google.com --- arch/x86/kvm/svm/nested.c | 2 ++ arch/x86/kvm/svm/svm.h | 1 + 2 files changed, 3 insertions(+)
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 9aec836ac04c..ad9272aae908 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -506,6 +506,8 @@ static void __nested_copy_vmcb_save_to_cache(struct vmcb_save_area_cached *to,
to->dr6 = from->dr6; to->dr7 = from->dr7; + + to->g_pat = from->g_pat; }
void nested_copy_vmcb_save_to_cache(struct vcpu_svm *svm, diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 7d28a739865f..39138378531e 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -145,6 +145,7 @@ struct vmcb_save_area_cached { u64 cr0; u64 dr7; u64 dr6; + u64 g_pat; };
struct vmcb_ctrl_area_cached {