From patchwork Thu Nov 3 14:13:42 2022
X-Patchwork-Submitter: Maxim Levitsky
X-Patchwork-Id: 1099
From: Maxim Levitsky
To: kvm@vger.kernel.org
Cc: Paolo Bonzini, Thomas Gleixner, linux-kernel@vger.kernel.org, Chenyi Qiang, Yang Zhong, x86@kernel.org, Shuah Khan, Dave Hansen, "H. Peter Anvin", Maxim Levitsky, Colton Lewis, Borislav Petkov, Peter Xu, Sean Christopherson, Jim Mattson, linux-kselftest@vger.kernel.org, Ingo Molnar, Wei Wang, David Matlack
Subject: [PATCH v2 0/9] nSVM: Security and correctness fixes
Date: Thu, 3 Nov 2022 16:13:42 +0200
Message-Id: <20221103141351.50662-1-mlevitsk@redhat.com>

Recently, while trying to fix some unit tests, I found a CVE in SVM nested code.

In the 'shutdown_interception' vmexit handler we call kvm_vcpu_reset. However, if running nested and L1 doesn't intercept shutdown, we will still end up running this function and trigger a bug in it.
The bug is that this function resets 'vcpu->arch.hflags' without properly leaving the nested state, which leaves the vCPU in an inconsistent state, which later triggers a kernel panic in SVM code.

The same bug can likely be triggered by sending INIT via the local APIC to a vCPU which runs a nested guest.

On VMX we are lucky that the issue can't happen because VMX always intercepts triple faults, thus a triple fault in L2 will always be redirected to L1. Plus the 'handle_triple_fault' of VMX doesn't reset the vCPU. An INIT IPI can't happen on VMX either because INIT events are masked while in VMX mode.

The first 4 patches in this series address the above issue, and are already posted on the list with the title 'nSVM: fix L0 crash if L2 has shutdown condition which L1 doesn't intercept'. I addressed the review feedback and also added a unit test to hit this issue.

In addition to these patches I noticed that KVM doesn't honour the SHUTDOWN intercept bit of L1 on SVM, and I included a fix to do so; it's only for correctness, as a normal hypervisor should always intercept SHUTDOWN. A unit test, on the other hand, might want to not do so. I also extended the triple_fault_test selftest to hit this issue.

Finally, I found another security issue: I found a way to trigger a non-rate-limited kernel printk on SVM from the guest, and the last patch in the series fixes that. A unit test I posted to the kvm-unit-tests project hits this issue, so no selftest was added.
Best regards,
	Maxim Levitsky

Maxim Levitsky (9):
  KVM: x86: nSVM: leave nested mode on vCPU free
  KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use
  KVM: x86: add kvm_leave_nested
  KVM: x86: forcibly leave nested mode on vCPU reset
  KVM: selftests: move idt_entry to header
  kvm: selftests: add svm nested shutdown test
  KVM: x86: allow L1 to not intercept triple fault
  KVM: selftests: add svm part to triple_fault_test
  KVM: x86: remove exit_int_info warning in svm_handle_exit

 arch/x86/kvm/svm/nested.c                                  | 12 ++-
 arch/x86/kvm/svm/svm.c                                     | 10 +--
 arch/x86/kvm/vmx/nested.c                                  |  4 +-
 arch/x86/kvm/x86.c                                         | 29 ++++++-
 tools/testing/selftests/kvm/.gitignore                     |  1 +
 tools/testing/selftests/kvm/Makefile                       |  1 +
 .../selftests/kvm/include/x86_64/processor.h               | 13 ++++
 .../selftests/kvm/lib/x86_64/processor.c                   | 13 ----
 .../kvm/x86_64/svm_nested_shutdown_test.c                  | 67 +++++++++++++++++
 .../kvm/x86_64/triple_fault_event_test.c                   | 73 ++++++++++++++-----
 10 files changed, 172 insertions(+), 51 deletions(-)
 create mode 100644 tools/testing/selftests/kvm/x86_64/svm_nested_shutdown_test.c

--
2.34.3
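The hazard the cover letter describes, a vCPU reset that wipes hflags while the nested state (vmcb02 still active) is left behind, reduces to a broken state-machine invariant. The following is an added, constructed model of that invariant; it is not KVM code, not the author's patch, and does not reproduce the kernel panic. HF_GUEST_MASK and the vmcb01/vmcb02 names are borrowed from KVM's vocabulary, while the vcpu struct, enter_nested(), leave_nested(), the two reset variants and vcpu_consistent() are simplifications assumed here for illustration. It contrasts the pre-fix behaviour (reset without leaving nested mode) with the behaviour the series introduces (forcibly leave nested mode, then reset).

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the nSVM reset hazard; NOT KVM code.
 * HF_GUEST_MASK in hflags means "vCPU is running L2"; vmcb01 and vmcb02
 * stand in for L1's and L2's control blocks. Everything below is a
 * simplification assumed for illustration.
 */
#define HF_GUEST_MASK (1u << 0)

struct vmcb {
	unsigned int id;
};

struct vcpu {
	unsigned int hflags;        /* HF_GUEST_MASK set => in L2 */
	struct vmcb vmcb01;         /* L1 state */
	struct vmcb vmcb02;         /* L2 state, meaningful only while nested */
	struct vmcb *current_vmcb;  /* control block the next VMRUN would use */
};

static void vcpu_init(struct vcpu *v)
{
	v->hflags = 0;
	v->vmcb01.id = 1;
	v->vmcb02.id = 2;
	v->current_vmcb = &v->vmcb01;
}

/* L1 executes VMRUN: switch to vmcb02 and flag guest mode. */
static void enter_nested(struct vcpu *v)
{
	v->hflags |= HF_GUEST_MASK;
	v->current_vmcb = &v->vmcb02;
}

/* Modelled after the kvm_leave_nested() the series adds: undo enter_nested(). */
static void leave_nested(struct vcpu *v)
{
	if (!(v->hflags & HF_GUEST_MASK))
		return;
	v->current_vmcb = &v->vmcb01;
	v->hflags &= ~HF_GUEST_MASK;
}

/* Invariant the rest of the SVM path relies on: the flag and the active VMCB agree. */
static bool vcpu_consistent(const struct vcpu *v)
{
	if (v->hflags & HF_GUEST_MASK)
		return v->current_vmcb == &v->vmcb02;
	return v->current_vmcb == &v->vmcb01;
}

/* Pre-fix behaviour as described: hflags is wiped, nested state is left as is. */
static void reset_buggy(struct vcpu *v)
{
	v->hflags = 0;
}

/* Fixed behaviour: forcibly leave nested mode before resetting. */
static void reset_fixed(struct vcpu *v)
{
	leave_nested(v);
	v->hflags = 0;
}

/*
 * Scenario from the cover letter: L2 hits a shutdown condition that L1 does
 * not intercept, so L0 resets the vCPU while it is still in nested mode.
 * Returns whether the vCPU satisfies the invariant afterwards.
 */
static bool shutdown_in_l2(bool use_fixed_reset)
{
	struct vcpu v;

	vcpu_init(&v);
	enter_nested(&v);
	if (use_fixed_reset)
		reset_fixed(&v);
	else
		reset_buggy(&v);
	return vcpu_consistent(&v);
}

int main(void)
{
	printf("buggy reset leaves vCPU consistent: %s\n",
	       shutdown_in_l2(false) ? "yes" : "no");
	printf("fixed reset leaves vCPU consistent: %s\n",
	       shutdown_in_l2(true) ? "yes" : "no");
	return 0;
}
```

The buggy path ends with HF_GUEST_MASK clear but vmcb02 still selected, which is exactly the "hflags reset without leaving nested state" mismatch; any later code that dispatches on is_guest_mode() then acts on the wrong control block. The same ordering (leave nested mode, then reset) is what makes the INIT-via-local-APIC variant safe as well.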