The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
917401f26a6a ("KVM: x86: nSVM: leave nested mode on vCPU free")
2fcf4876ada8 ("KVM: nSVM: implement on demand allocation of the nested state")
72f211ecaa80 ("KVM: x86: allow kvm_x86_ops.set_efer to return an error value")
fd6fa73d1337 ("KVM: x86: SVM: Prevent MSR passthrough when MSR access is denied")
476c9bd8e997 ("KVM: x86: Prepare MSR bitmaps for userspace tracked MSRs")
d85a8034c016 ("KVM: VMX: Rename "find_msr_entry" to "vmx_find_uret_msr"")
eb3db1b13788 ("KVM: VMX: Rename the "shared_msr_entry" struct to "vmx_uret_msr"")
ce833b2324ba ("KVM: VMX: Prepend "MAX_" to MSR array size defines")
7e34fbd05c63 ("KVM: x86: Rename "shared_msrs" to "user_return_msrs"")
8d22b90e942c ("KVM: SVM: refactor exit labels in svm_create_vcpu")
0681de1b8369 ("KVM: SVM: use __GFP_ZERO instead of clear_page")
f4c847a95654 ("KVM: SVM: refactor msr permission bitmap allocation")
0dd16b5b0c9b ("KVM: nSVM: rename nested vmcb to vmcb12")
1feaba144cd3 ("KVM: SVM: rename a variable in the svm_create_vcpu")
bf3c0e5e7102 ("Merge branch 'x86-seves-for-paolo' of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into HEAD")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 917401f26a6af5756d89b550a8e1bd50cf42b07e Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:43 +0200
Subject: [PATCH] KVM: x86: nSVM: leave nested mode on vCPU free
If the VM was terminated while nested, we free the nested state
while the vCPU is still in nested mode.
Soon a warning will be added for this condition.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-2-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 9f88c8e6766e..098f04bec8ef 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1438,6 +1438,7 @@ static void svm_vcpu_free(struct kvm_vcpu *vcpu)
*/
svm_clear_current_vmcb(svm->vmcb);
+ svm_leave_nested(vcpu);
svm_free_nested(svm);
sev_free_vcpu(vcpu);
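Review bot: the ordering of svm_clear_current_vmcb(svm->vmcb) relative to the new svm_leave_nested(vcpu) call deserves a second look. If the vCPU is torn down while nested, svm->vmcb still refers to the nested vmcb when svm_clear_current_vmcb() runs, and only afterwards does svm_leave_nested() switch the vCPU back to vmcb01, so vmcb01 is never passed through svm_clear_current_vmcb() on this path. Consider calling svm_leave_nested(vcpu) before svm_clear_current_vmcb(svm->vmcb), or clearing both, and add a one-line comment above the call saying that svm_free_nested() frees vmcb02, which is why nested mode must be left first; the commit message's "a warning will be added" is not visible to a reader of svm_vcpu_free().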
The patch below does not apply to the 4.9-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
16ae56d7e052 ("KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use")
2fcf4876ada8 ("KVM: nSVM: implement on demand allocation of the nested state")
72f211ecaa80 ("KVM: x86: allow kvm_x86_ops.set_efer to return an error value")
fd6fa73d1337 ("KVM: x86: SVM: Prevent MSR passthrough when MSR access is denied")
476c9bd8e997 ("KVM: x86: Prepare MSR bitmaps for userspace tracked MSRs")
d85a8034c016 ("KVM: VMX: Rename "find_msr_entry" to "vmx_find_uret_msr"")
eb3db1b13788 ("KVM: VMX: Rename the "shared_msr_entry" struct to "vmx_uret_msr"")
ce833b2324ba ("KVM: VMX: Prepend "MAX_" to MSR array size defines")
7e34fbd05c63 ("KVM: x86: Rename "shared_msrs" to "user_return_msrs"")
8d22b90e942c ("KVM: SVM: refactor exit labels in svm_create_vcpu")
0681de1b8369 ("KVM: SVM: use __GFP_ZERO instead of clear_page")
f4c847a95654 ("KVM: SVM: refactor msr permission bitmap allocation")
0dd16b5b0c9b ("KVM: nSVM: rename nested vmcb to vmcb12")
1feaba144cd3 ("KVM: SVM: rename a variable in the svm_create_vcpu")
bf3c0e5e7102 ("Merge branch 'x86-seves-for-paolo' of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into HEAD")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 16ae56d7e0528559bf8dc9070e3bfd8ba3de80df Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:44 +0200
Subject: [PATCH] KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use
Make sure that KVM uses vmcb01 before freeing nested state, and warn if
that is not the case.
This is a minimal fix for CVE-2022-3344, making the kernel print a warning
instead of a kernel panic.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-3-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 4c620999d230..b02a3a1792f1 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1125,6 +1125,9 @@ void svm_free_nested(struct vcpu_svm *svm)
if (!svm->nested.initialized)
return;
+ if (WARN_ON_ONCE(svm->vmcb != svm->vmcb01.ptr))
+ svm_switch_vmcb(svm, &svm->vmcb01);
+
svm_vcpu_free_msrpm(svm->nested.msrpm);
svm->nested.msrpm = NULL;
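Review bot: the recovery path only switches the active vmcb and leaves the rest of the nested bookkeeping untouched, and nothing in the hunk says whether that is intentional for a teardown path. A short comment above the WARN_ON_ONCE() stating that reaching this point means a caller failed to leave nested mode first, and that the switch is a best-effort fallback so the vmcb02 freed below is not the vmcb in use, would make the intent clear; the commit message's "minimal fix" wording does not survive into the code.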
The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
16ae56d7e052 ("KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use")
2fcf4876ada8 ("KVM: nSVM: implement on demand allocation of the nested state")
72f211ecaa80 ("KVM: x86: allow kvm_x86_ops.set_efer to return an error value")
fd6fa73d1337 ("KVM: x86: SVM: Prevent MSR passthrough when MSR access is denied")
476c9bd8e997 ("KVM: x86: Prepare MSR bitmaps for userspace tracked MSRs")
d85a8034c016 ("KVM: VMX: Rename "find_msr_entry" to "vmx_find_uret_msr"")
eb3db1b13788 ("KVM: VMX: Rename the "shared_msr_entry" struct to "vmx_uret_msr"")
ce833b2324ba ("KVM: VMX: Prepend "MAX_" to MSR array size defines")
7e34fbd05c63 ("KVM: x86: Rename "shared_msrs" to "user_return_msrs"")
8d22b90e942c ("KVM: SVM: refactor exit labels in svm_create_vcpu")
0681de1b8369 ("KVM: SVM: use __GFP_ZERO instead of clear_page")
f4c847a95654 ("KVM: SVM: refactor msr permission bitmap allocation")
0dd16b5b0c9b ("KVM: nSVM: rename nested vmcb to vmcb12")
1feaba144cd3 ("KVM: SVM: rename a variable in the svm_create_vcpu")
bf3c0e5e7102 ("Merge branch 'x86-seves-for-paolo' of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into HEAD")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 16ae56d7e0528559bf8dc9070e3bfd8ba3de80df Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:44 +0200
Subject: [PATCH] KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use
Make sure that KVM uses vmcb01 before freeing nested state, and warn if
that is not the case.
This is a minimal fix for CVE-2022-3344, making the kernel print a warning
instead of a kernel panic.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-3-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 4c620999d230..b02a3a1792f1 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1125,6 +1125,9 @@ void svm_free_nested(struct vcpu_svm *svm)
if (!svm->nested.initialized)
return;
+ if (WARN_ON_ONCE(svm->vmcb != svm->vmcb01.ptr))
+ svm_switch_vmcb(svm, &svm->vmcb01);
+
svm_vcpu_free_msrpm(svm->nested.msrpm);
svm->nested.msrpm = NULL;
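Review bot: WARN_ON_ONCE() reports only the first occurrence per boot, so after the first hit the kernel silently takes the fallback with no trace that it happened again. Since this check is the detection point for CVE-2022-3344 on trees that carry this patch without the "leave nested mode" fixes, consider whether a rate-limited or per-vCPU warning would be more useful for diagnosing affected hosts; at minimum, document in a comment that subsequent hits are silent.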
The patch below does not apply to the 4.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
16ae56d7e052 ("KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use")
2fcf4876ada8 ("KVM: nSVM: implement on demand allocation of the nested state")
72f211ecaa80 ("KVM: x86: allow kvm_x86_ops.set_efer to return an error value")
fd6fa73d1337 ("KVM: x86: SVM: Prevent MSR passthrough when MSR access is denied")
476c9bd8e997 ("KVM: x86: Prepare MSR bitmaps for userspace tracked MSRs")
d85a8034c016 ("KVM: VMX: Rename "find_msr_entry" to "vmx_find_uret_msr"")
eb3db1b13788 ("KVM: VMX: Rename the "shared_msr_entry" struct to "vmx_uret_msr"")
ce833b2324ba ("KVM: VMX: Prepend "MAX_" to MSR array size defines")
7e34fbd05c63 ("KVM: x86: Rename "shared_msrs" to "user_return_msrs"")
8d22b90e942c ("KVM: SVM: refactor exit labels in svm_create_vcpu")
0681de1b8369 ("KVM: SVM: use __GFP_ZERO instead of clear_page")
f4c847a95654 ("KVM: SVM: refactor msr permission bitmap allocation")
0dd16b5b0c9b ("KVM: nSVM: rename nested vmcb to vmcb12")
1feaba144cd3 ("KVM: SVM: rename a variable in the svm_create_vcpu")
bf3c0e5e7102 ("Merge branch 'x86-seves-for-paolo' of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into HEAD")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 16ae56d7e0528559bf8dc9070e3bfd8ba3de80df Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:44 +0200
Subject: [PATCH] KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use
Make sure that KVM uses vmcb01 before freeing nested state, and warn if
that is not the case.
This is a minimal fix for CVE-2022-3344, making the kernel print a warning
instead of a kernel panic.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-3-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 4c620999d230..b02a3a1792f1 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1125,6 +1125,9 @@ void svm_free_nested(struct vcpu_svm *svm)
if (!svm->nested.initialized)
return;
+ if (WARN_ON_ONCE(svm->vmcb != svm->vmcb01.ptr))
+ svm_switch_vmcb(svm, &svm->vmcb01);
+
svm_vcpu_free_msrpm(svm->nested.msrpm);
svm->nested.msrpm = NULL;
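Review bot: the new check is correctly placed after the `if (!svm->nested.initialized) return;` early exit, since a vCPU that never allocated nested state cannot have vmcb02 active, but the hunk gives no hint of that ordering dependency. Suggest a brief comment such as `/* nested state exists, so vmcb02 may still be the current vmcb */` so that a later refactor does not move the early return below the check.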
The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
16ae56d7e052 ("KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use")
2fcf4876ada8 ("KVM: nSVM: implement on demand allocation of the nested state")
72f211ecaa80 ("KVM: x86: allow kvm_x86_ops.set_efer to return an error value")
fd6fa73d1337 ("KVM: x86: SVM: Prevent MSR passthrough when MSR access is denied")
476c9bd8e997 ("KVM: x86: Prepare MSR bitmaps for userspace tracked MSRs")
d85a8034c016 ("KVM: VMX: Rename "find_msr_entry" to "vmx_find_uret_msr"")
eb3db1b13788 ("KVM: VMX: Rename the "shared_msr_entry" struct to "vmx_uret_msr"")
ce833b2324ba ("KVM: VMX: Prepend "MAX_" to MSR array size defines")
7e34fbd05c63 ("KVM: x86: Rename "shared_msrs" to "user_return_msrs"")
8d22b90e942c ("KVM: SVM: refactor exit labels in svm_create_vcpu")
0681de1b8369 ("KVM: SVM: use __GFP_ZERO instead of clear_page")
f4c847a95654 ("KVM: SVM: refactor msr permission bitmap allocation")
0dd16b5b0c9b ("KVM: nSVM: rename nested vmcb to vmcb12")
1feaba144cd3 ("KVM: SVM: rename a variable in the svm_create_vcpu")
bf3c0e5e7102 ("Merge branch 'x86-seves-for-paolo' of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into HEAD")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 16ae56d7e0528559bf8dc9070e3bfd8ba3de80df Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:44 +0200
Subject: [PATCH] KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use
Make sure that KVM uses vmcb01 before freeing nested state, and warn if
that is not the case.
This is a minimal fix for CVE-2022-3344, making the kernel print a warning
instead of a kernel panic.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-3-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 4c620999d230..b02a3a1792f1 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1125,6 +1125,9 @@ void svm_free_nested(struct vcpu_svm *svm)
if (!svm->nested.initialized)
return;
+ if (WARN_ON_ONCE(svm->vmcb != svm->vmcb01.ptr))
+ svm_switch_vmcb(svm, &svm->vmcb01);
+
svm_vcpu_free_msrpm(svm->nested.msrpm);
svm->nested.msrpm = NULL;
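Review bot: the condition compares svm->vmcb against svm->vmcb01.ptr rather than asserting on guest mode; that is the right check for the bug (the page about to be freed being the active vmcb), but it also means a vCPU can reach this point with guest-mode state still set and only the vmcb pointer corrected. Worth a sentence in the comment that hflags and guest mode are the caller's responsibility, and that this hunk protects only against the vmcb02 use-after-free, so nobody later reads the WARN as a full "leave nested" path.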
The patch below does not apply to the 4.9-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset")
0aa1837533e5 ("KVM: x86: Properly reset MMU context at vCPU RESET/INIT")
b3646477d458 ("KVM: x86: use static calls to reduce kvm_x86_ops overhead")
15b51dc08a34 ("KVM: x86: Take KVM's SRCU lock only if steal time update is needed")
19979fba9bfa ("KVM: x86: Remove obsolete disabling of page faults in kvm_arch_vcpu_put()")
5719455fbd95 ("KVM: SVM: Do not report support for SMM for an SEV-ES guest")
f1c6366e3043 ("KVM: SVM: Add required changes to support intercepts under SEV-ES")
f9a4d621761a ("KVM: x86: introduce complete_emulated_msr callback")
8b474427cbee ("KVM: x86: use kvm_complete_insn_gp in emulating RDMSR/WRMSR")
2259c17f0188 ("kvm: x86: Sink cpuid update into vendor-specific set_cr4 functions")
fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
c21d54f0307f ("KVM: x86: hyper-v: allow KVM_GET_SUPPORTED_HV_CPUID as a system ioctl")
ee69c92bac61 ("KVM: x86: Return bool instead of int for CR4 and SREGS validity checks")
c2fe3cd4604a ("KVM: x86: Move vendor CR4 validity check to dedicated kvm_x86_ops hook")
a447e38a7fad ("KVM: VMX: Drop explicit 'nested' check from vmx_set_cr4()")
d3a9e4146a6f ("KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4()")
a6a0b05da9f3 ("kvm: x86/mmu: Support dirty logging for the TDP MMU")
1d8dd6b3f12b ("kvm: x86/mmu: Support changed pte notifier in tdp MMU")
f8e144971c68 ("kvm: x86/mmu: Add access tracking for tdp_mmu")
063afacd8730 ("kvm: x86/mmu: Support invalidate range MMU notifier for TDP MMU")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From ed129ec9057f89d615ba0c81a4984a90345a1684 Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:46 +0200
Subject: [PATCH] KVM: x86: forcibly leave nested mode on vCPU reset
While not obvious, kvm_vcpu_reset() leaves nested mode by clearing
'vcpu->arch.hflags', but it does so without all the required housekeeping.
On SVM, it is possible to have a vCPU reset while in guest mode because,
unlike VMX, on SVM INITs are not latched in SVM non-root mode, and in
addition to that L1 doesn't have to intercept triple fault, which should
also trigger L1's reset if it happens in L2 while L1 didn't intercept it.
If one of the above conditions happens, KVM will continue to use vmcb02
while not being in guest mode.
Later IA32_EFER will be cleared, which will lead to freeing of the
nested guest state, which will (correctly) free vmcb02, but since
KVM still uses it (incorrectly) this will lead to a use-after-free
and kernel crash.
This issue is assigned CVE-2022-3344.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-5-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff5be7189237..597d7f804d72 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -12003,8 +12003,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
WARN_ON_ONCE(!init_event &&
(old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu)));
+ /*
+ * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's
+ * possible to INIT the vCPU while L2 is active. Force the vCPU back
+ * into L1 as EFER.SVME is cleared on INIT (along with all other EFER
+ * bits), i.e. virtualization is disabled.
+ */
+ if (is_guest_mode(vcpu))
+ kvm_leave_nested(vcpu);
+
kvm_lapic_reset(vcpu, init_event);
+ WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu));
vcpu->arch.hflags = 0;
vcpu->arch.smi_pending = 0;
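Review bot: the new WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu)) also asserts on SMM, but the hunk only adds handling for the guest-mode half; the comment above explains why L2 can be active at INIT and says nothing about why is_smm() is expected to be clear here. Either drop is_smm() from the assertion or extend the comment to state why SMM cannot be active when kvm_vcpu_reset() reaches this point, so a future reader knows a hit on that half is a KVM bug rather than a guest-reachable state.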
The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset")
0aa1837533e5 ("KVM: x86: Properly reset MMU context at vCPU RESET/INIT")
b3646477d458 ("KVM: x86: use static calls to reduce kvm_x86_ops overhead")
15b51dc08a34 ("KVM: x86: Take KVM's SRCU lock only if steal time update is needed")
19979fba9bfa ("KVM: x86: Remove obsolete disabling of page faults in kvm_arch_vcpu_put()")
5719455fbd95 ("KVM: SVM: Do not report support for SMM for an SEV-ES guest")
f1c6366e3043 ("KVM: SVM: Add required changes to support intercepts under SEV-ES")
f9a4d621761a ("KVM: x86: introduce complete_emulated_msr callback")
8b474427cbee ("KVM: x86: use kvm_complete_insn_gp in emulating RDMSR/WRMSR")
2259c17f0188 ("kvm: x86: Sink cpuid update into vendor-specific set_cr4 functions")
fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
c21d54f0307f ("KVM: x86: hyper-v: allow KVM_GET_SUPPORTED_HV_CPUID as a system ioctl")
ee69c92bac61 ("KVM: x86: Return bool instead of int for CR4 and SREGS validity checks")
c2fe3cd4604a ("KVM: x86: Move vendor CR4 validity check to dedicated kvm_x86_ops hook")
a447e38a7fad ("KVM: VMX: Drop explicit 'nested' check from vmx_set_cr4()")
d3a9e4146a6f ("KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4()")
a6a0b05da9f3 ("kvm: x86/mmu: Support dirty logging for the TDP MMU")
1d8dd6b3f12b ("kvm: x86/mmu: Support changed pte notifier in tdp MMU")
f8e144971c68 ("kvm: x86/mmu: Add access tracking for tdp_mmu")
063afacd8730 ("kvm: x86/mmu: Support invalidate range MMU notifier for TDP MMU")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From ed129ec9057f89d615ba0c81a4984a90345a1684 Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:46 +0200
Subject: [PATCH] KVM: x86: forcibly leave nested mode on vCPU reset
While not obvious, kvm_vcpu_reset() leaves nested mode by clearing
'vcpu->arch.hflags', but it does so without all the required housekeeping.
On SVM, it is possible to have a vCPU reset while in guest mode because,
unlike VMX, on SVM INITs are not latched in SVM non-root mode, and in
addition to that L1 doesn't have to intercept triple fault, which should
also trigger L1's reset if it happens in L2 while L1 didn't intercept it.
If one of the above conditions happens, KVM will continue to use vmcb02
while not being in guest mode.
Later IA32_EFER will be cleared, which will lead to freeing of the
nested guest state, which will (correctly) free vmcb02, but since
KVM still uses it (incorrectly) this will lead to a use-after-free
and kernel crash.
This issue is assigned CVE-2022-3344.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-5-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff5be7189237..597d7f804d72 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -12003,8 +12003,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
WARN_ON_ONCE(!init_event &&
(old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu)));
+ /*
+ * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's
+ * possible to INIT the vCPU while L2 is active. Force the vCPU back
+ * into L1 as EFER.SVME is cleared on INIT (along with all other EFER
+ * bits), i.e. virtualization is disabled.
+ */
+ if (is_guest_mode(vcpu))
+ kvm_leave_nested(vcpu);
+
kvm_lapic_reset(vcpu, init_event);
+ WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu));
vcpu->arch.hflags = 0;
vcpu->arch.smi_pending = 0;
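Review bot: the ordering is load-bearing and undocumented: kvm_leave_nested() must run before the existing `vcpu->arch.hflags = 0;` further down, because that assignment is the old path that dropped the guest-mode flag without switching away from vmcb02 (the use-after-free described in the commit message). Add a comment at the hflags = 0 line noting that guest mode has already been left via kvm_leave_nested(), so the two are not reordered in a later cleanup.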
The patch below does not apply to the 4.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset")
0aa1837533e5 ("KVM: x86: Properly reset MMU context at vCPU RESET/INIT")
b3646477d458 ("KVM: x86: use static calls to reduce kvm_x86_ops overhead")
15b51dc08a34 ("KVM: x86: Take KVM's SRCU lock only if steal time update is needed")
19979fba9bfa ("KVM: x86: Remove obsolete disabling of page faults in kvm_arch_vcpu_put()")
5719455fbd95 ("KVM: SVM: Do not report support for SMM for an SEV-ES guest")
f1c6366e3043 ("KVM: SVM: Add required changes to support intercepts under SEV-ES")
f9a4d621761a ("KVM: x86: introduce complete_emulated_msr callback")
8b474427cbee ("KVM: x86: use kvm_complete_insn_gp in emulating RDMSR/WRMSR")
2259c17f0188 ("kvm: x86: Sink cpuid update into vendor-specific set_cr4 functions")
fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
c21d54f0307f ("KVM: x86: hyper-v: allow KVM_GET_SUPPORTED_HV_CPUID as a system ioctl")
ee69c92bac61 ("KVM: x86: Return bool instead of int for CR4 and SREGS validity checks")
c2fe3cd4604a ("KVM: x86: Move vendor CR4 validity check to dedicated kvm_x86_ops hook")
a447e38a7fad ("KVM: VMX: Drop explicit 'nested' check from vmx_set_cr4()")
d3a9e4146a6f ("KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4()")
a6a0b05da9f3 ("kvm: x86/mmu: Support dirty logging for the TDP MMU")
1d8dd6b3f12b ("kvm: x86/mmu: Support changed pte notifier in tdp MMU")
f8e144971c68 ("kvm: x86/mmu: Add access tracking for tdp_mmu")
063afacd8730 ("kvm: x86/mmu: Support invalidate range MMU notifier for TDP MMU")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From ed129ec9057f89d615ba0c81a4984a90345a1684 Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:46 +0200
Subject: [PATCH] KVM: x86: forcibly leave nested mode on vCPU reset
While not obvious, kvm_vcpu_reset() leaves nested mode by clearing
'vcpu->arch.hflags', but it does so without all the required housekeeping.
On SVM, it is possible to have a vCPU reset while in guest mode because,
unlike VMX, on SVM INITs are not latched in SVM non-root mode, and in
addition to that L1 doesn't have to intercept triple fault, which should
also trigger L1's reset if it happens in L2 while L1 didn't intercept it.
If one of the above conditions happens, KVM will continue to use vmcb02
while not being in guest mode.
Later IA32_EFER will be cleared, which will lead to freeing of the
nested guest state, which will (correctly) free vmcb02, but since
KVM still uses it (incorrectly) this will lead to a use-after-free
and kernel crash.
This issue is assigned CVE-2022-3344.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-5-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff5be7189237..597d7f804d72 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -12003,8 +12003,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
WARN_ON_ONCE(!init_event &&
(old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu)));
+ /*
+ * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's
+ * possible to INIT the vCPU while L2 is active. Force the vCPU back
+ * into L1 as EFER.SVME is cleared on INIT (along with all other EFER
+ * bits), i.e. virtualization is disabled.
+ */
+ if (is_guest_mode(vcpu))
+ kvm_leave_nested(vcpu);
+
kvm_lapic_reset(vcpu, init_event);
+ WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu));
vcpu->arch.hflags = 0;
vcpu->arch.smi_pending = 0;
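Review bot: the comment names INIT and SHUTDOWN, but the `if (is_guest_mode(vcpu))` block is taken regardless of init_event, i.e. for a full RESET as well. Stating that explicitly in the comment (a triple fault in L2 that L1 does not intercept arrives here as a RESET, per the commit message) would tie both cases from the changelog to the single check; as written, a reader could assume the block is INIT-specific and wonder whether the SHUTDOWN path is covered.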
The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset")
0aa1837533e5 ("KVM: x86: Properly reset MMU context at vCPU RESET/INIT")
b3646477d458 ("KVM: x86: use static calls to reduce kvm_x86_ops overhead")
15b51dc08a34 ("KVM: x86: Take KVM's SRCU lock only if steal time update is needed")
19979fba9bfa ("KVM: x86: Remove obsolete disabling of page faults in kvm_arch_vcpu_put()")
5719455fbd95 ("KVM: SVM: Do not report support for SMM for an SEV-ES guest")
f1c6366e3043 ("KVM: SVM: Add required changes to support intercepts under SEV-ES")
f9a4d621761a ("KVM: x86: introduce complete_emulated_msr callback")
8b474427cbee ("KVM: x86: use kvm_complete_insn_gp in emulating RDMSR/WRMSR")
2259c17f0188 ("kvm: x86: Sink cpuid update into vendor-specific set_cr4 functions")
fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
c21d54f0307f ("KVM: x86: hyper-v: allow KVM_GET_SUPPORTED_HV_CPUID as a system ioctl")
ee69c92bac61 ("KVM: x86: Return bool instead of int for CR4 and SREGS validity checks")
c2fe3cd4604a ("KVM: x86: Move vendor CR4 validity check to dedicated kvm_x86_ops hook")
a447e38a7fad ("KVM: VMX: Drop explicit 'nested' check from vmx_set_cr4()")
d3a9e4146a6f ("KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4()")
a6a0b05da9f3 ("kvm: x86/mmu: Support dirty logging for the TDP MMU")
1d8dd6b3f12b ("kvm: x86/mmu: Support changed pte notifier in tdp MMU")
f8e144971c68 ("kvm: x86/mmu: Add access tracking for tdp_mmu")
063afacd8730 ("kvm: x86/mmu: Support invalidate range MMU notifier for TDP MMU")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From ed129ec9057f89d615ba0c81a4984a90345a1684 Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:46 +0200
Subject: [PATCH] KVM: x86: forcibly leave nested mode on vCPU reset
While not obvious, kvm_vcpu_reset() leaves nested mode by clearing
'vcpu->arch.hflags', but it does so without all the required housekeeping.
On SVM, it is possible to have a vCPU reset while in guest mode because,
unlike VMX, on SVM INITs are not latched in SVM non-root mode, and in
addition to that L1 doesn't have to intercept triple fault, which should
also trigger L1's reset if it happens in L2 while L1 didn't intercept it.
If one of the above conditions happens, KVM will continue to use vmcb02
while not being in guest mode.
Later IA32_EFER will be cleared, which will lead to freeing of the
nested guest state, which will (correctly) free vmcb02, but since
KVM still uses it (incorrectly) this will lead to a use-after-free
and kernel crash.
This issue is assigned CVE-2022-3344.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-5-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff5be7189237..597d7f804d72 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -12003,8 +12003,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
WARN_ON_ONCE(!init_event &&
(old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu)));
+ /*
+ * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's
+ * possible to INIT the vCPU while L2 is active. Force the vCPU back
+ * into L1 as EFER.SVME is cleared on INIT (along with all other EFER
+ * bits), i.e. virtualization is disabled.
+ */
+ if (is_guest_mode(vcpu))
+ kvm_leave_nested(vcpu);
+
kvm_lapic_reset(vcpu, init_event);
+ WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu));
vcpu->arch.hflags = 0;
vcpu->arch.smi_pending = 0;
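Review bot: the WARN_ON_ONCE() after kvm_lapic_reset() is a detection point only; if it fires, the reset continues with whatever vmcb is current, which is exactly the state the commit message describes as leading to a use-after-free once EFER is cleared. Consider noting in the comment that the WARN is expected never to trigger after kvm_leave_nested(), and that a hit means the vendor leave-nested path left guest mode set and should be reported as a bug rather than treated as recoverable.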
The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
Possible dependencies:
ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset")
0aa1837533e5 ("KVM: x86: Properly reset MMU context at vCPU RESET/INIT")
b3646477d458 ("KVM: x86: use static calls to reduce kvm_x86_ops overhead")
15b51dc08a34 ("KVM: x86: Take KVM's SRCU lock only if steal time update is needed")
19979fba9bfa ("KVM: x86: Remove obsolete disabling of page faults in kvm_arch_vcpu_put()")
5719455fbd95 ("KVM: SVM: Do not report support for SMM for an SEV-ES guest")
f1c6366e3043 ("KVM: SVM: Add required changes to support intercepts under SEV-ES")
f9a4d621761a ("KVM: x86: introduce complete_emulated_msr callback")
8b474427cbee ("KVM: x86: use kvm_complete_insn_gp in emulating RDMSR/WRMSR")
2259c17f0188 ("kvm: x86: Sink cpuid update into vendor-specific set_cr4 functions")
fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
c21d54f0307f ("KVM: x86: hyper-v: allow KVM_GET_SUPPORTED_HV_CPUID as a system ioctl")
ee69c92bac61 ("KVM: x86: Return bool instead of int for CR4 and SREGS validity checks")
c2fe3cd4604a ("KVM: x86: Move vendor CR4 validity check to dedicated kvm_x86_ops hook")
a447e38a7fad ("KVM: VMX: Drop explicit 'nested' check from vmx_set_cr4()")
d3a9e4146a6f ("KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4()")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From ed129ec9057f89d615ba0c81a4984a90345a1684 Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk(a)redhat.com>
Date: Thu, 3 Nov 2022 16:13:46 +0200
Subject: [PATCH] KVM: x86: forcibly leave nested mode on vCPU reset
While not obvious, kvm_vcpu_reset() leaves nested mode by clearing
'vcpu->arch.hflags', but it does so without all the required housekeeping.
On SVM, it is possible to have a vCPU reset while in guest mode because,
unlike VMX, on SVM INITs are not latched in SVM non-root mode, and in
addition to that L1 doesn't have to intercept triple fault, which should
also trigger L1's reset if it happens in L2 while L1 didn't intercept it.
If one of the above conditions happens, KVM will continue to use vmcb02
while not being in guest mode.
Later IA32_EFER will be cleared, which will lead to freeing of the
nested guest state, which will (correctly) free vmcb02, but since
KVM still uses it (incorrectly) this will lead to a use-after-free
and kernel crash.
This issue is assigned CVE-2022-3344.
Cc: stable(a)vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com>
Message-Id: <20221103141351.50662-5-mlevitsk(a)redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff5be7189237..597d7f804d72 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -12003,8 +12003,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
WARN_ON_ONCE(!init_event &&
(old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu)));
+ /*
+ * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's
+ * possible to INIT the vCPU while L2 is active. Force the vCPU back
+ * into L1 as EFER.SVME is cleared on INIT (along with all other EFER
+ * bits), i.e. virtualization is disabled.
+ */
+ if (is_guest_mode(vcpu))
+ kvm_leave_nested(vcpu);
+
kvm_lapic_reset(vcpu, init_event);
+ WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu));
vcpu->arch.hflags = 0;
vcpu->arch.smi_pending = 0;
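Review bot: this hunk places SVM-specific reasoning (INIT and SHUTDOWN not exiting unconditionally, EFER.SVME being cleared) in common x86 code. That is fine given the check is gated on is_guest_mode() and kvm_leave_nested() presumably dispatches to the vendor's nested hook, but the comment should say so explicitly, i.e. that on VMX the vCPU is expected not to be in guest mode at this point and the call is a no-op, so VMX maintainers do not read this as a change to VMX reset behaviour.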