On 8/4/23 12:33, Paolo Bonzini wrote:
Validation of the GHCB is susceptible to time-of-check/time-of-use vulnerabilities. To avoid them, we would like to always snapshot the fields that are read in sev_es_validate_vmgexit(), and not use the GHCB anymore after it returns.
This means:
invoking sev_es_sync_from_ghcb() before any GHCB access, including before sev_es_validate_vmgexit()
snapshotting all fields including the valid bitmap and the sw_scratch field, which are currently not caching anywhere.
The valid bitmap is the first thing to be copied out of the GHCB; then, further accesses will use the copy in svm->sev_es.
Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT") Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini pbonzini@redhat.com
Reviewed-by: Tom Lendacky thomas.lendacky@amd.com
arch/x86/kvm/svm/sev.c | 69 +++++++++++++++++++++--------------------- arch/x86/kvm/svm/svm.h | 26 ++++++++++++++++ 2 files changed, 61 insertions(+), 34 deletions(-)