| Message ID | 20230928173354.217464-2-mlevitsk@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:cae8:0:b0:403:3b70:6f57 with SMTP id r8csp4093295vqu;
Fri, 29 Sep 2023 07:55:41 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IGmkGOlen77K7GhrBZN0M8bvCcwnUFR4n3c/kCB+WCXoiCFYHrZdsdx6gOlXmAsZEQEs9B9
X-Received: by 2002:a9d:73cd:0:b0:6be:e3d8:b9d1 with SMTP id
m13-20020a9d73cd000000b006bee3d8b9d1mr3998357otk.38.1695999340934;
Fri, 29 Sep 2023 07:55:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695999340; cv=none;
d=google.com; s=arc-20160816;
b=wFacKXQoD05YhnuQgE8Bud9TVwdHXjaoBn0gienPzkSzILmhZWE1tZvvi07NE3JaWQ
Mi6DzOM2zTfCHydq39qa1BYFnN+Bcfvby2NSgcOWbMfw5j5GdgurIRYF8qOXvY2geY5Y
uckXmePJDdsx2jGXkp/nY2KNTmlwC168lKojxzu7sATEgBWcrTDoJdHsrVQHHDd6BeEu
RPMH1Yq5iC+/prEWCtKHYHGpmJf217mIWFIpPBq8q0vRELTKskhFPhP2wd4OSgYnMi3Y
Z5T+iAhedTjTPTDtkJfCubi80sWNzRqe7ntGwfdON08jDm2mTHoXQkJ9qQF/9ZWGyWaT
kYKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=oOqP2ppbORxupNPRbUHGH6nf4SvE0P2uUesTtFRc8Ik=;
fh=7KlpA4Bjwb9QBszesWchOFreRBW5Vq50Y+lUlai2k4M=;
b=UyzFZIel0bwEQ3EHmNBNaAKUzdwWL7XbcMQ0gsbd0l799vK6tTiDu2iN9VSkarOIQy
sMp0p5tDTw6gNlfY+UIuXCrtblfgUVSnq3zCsS5QoxTVHUErEMeoS00dL81A0gL4nvp5
MpJgJpHsyVALt5MAJxOt9sn58tVPyJMasWgENwfhiMJwJ+ivI+CR1BIXFPLB9WnL5qOb
+jy6hQslvUoccARyfaSlWEJ8WcqSiWCUy6vh3rm9ISoheVy/QuY+NNrNjtBhGYS6D4JW
gEtV0L8cHtkd2pDOuw9Fll8my1rA6XDViQ5CPngXoGA/n5oNAHRHtLa9EUEuF9ymiOd+
drbA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=FRlxGiDp;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from groat.vger.email (groat.vger.email. [23.128.96.35])
by mx.google.com with ESMTPS id
r136-20020a632b8e000000b00573f7b6999csi20034881pgr.440.2023.09.29.07.55.40
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 29 Sep 2023 07:55:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=FRlxGiDp;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by groat.vger.email (Postfix) with ESMTP id 6362D83271D2;
Thu, 28 Sep 2023 10:35:21 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231952AbjI1RfD (ORCPT <rfc822;pwkd43@gmail.com> + 21 others);
Thu, 28 Sep 2023 13:35:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37420 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231676AbjI1RfA (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 28 Sep 2023 13:35:00 -0400
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D798DD
for <linux-kernel@vger.kernel.org>;
Thu, 28 Sep 2023 10:34:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1695922449;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=oOqP2ppbORxupNPRbUHGH6nf4SvE0P2uUesTtFRc8Ik=;
b=FRlxGiDpbtnvgCnp7ZehAaJE/ca/4sonYHYpkojVTRNOPVFX3bZsyqtjHbaAI6Le9Gem15
a6c5b5AydeIgle8Kku1aSQx5IGLdaWTGs1O2tlcMIrdQp4L6cFS07Ztf9C9fkZZmVDQQpY
Qy6d+1l37Vyg05BE5IvCuy7+XU0Bytg=
Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
us-mta-436-Df1GUGMiNMW4qntqZxmpqQ-1; Thu, 28 Sep 2023 13:34:04 -0400
X-MC-Unique: Df1GUGMiNMW4qntqZxmpqQ-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com
[10.11.54.7])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6EBE92810D42;
Thu, 28 Sep 2023 17:34:03 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.45.226.141])
by smtp.corp.redhat.com (Postfix) with ESMTP id 723E314171B6;
Thu, 28 Sep 2023 17:33:59 +0000 (UTC)
From: Maxim Levitsky <mlevitsk@redhat.com>
To: kvm@vger.kernel.org
Cc: iommu@lists.linux.dev, "H. Peter Anvin" <hpa@zytor.com>,
Sean Christopherson <seanjc@google.com>,
Maxim Levitsky <mlevitsk@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>, Joerg Roedel <joro@8bytes.org>,
x86@kernel.org,
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
linux-kernel@vger.kernel.org,
Dave Hansen <dave.hansen@linux.intel.com>,
Will Deacon <will@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Robin Murphy <robin.murphy@arm.com>, stable@vger.kernel.org
Subject: [PATCH v2 1/4] x86: KVM: SVM: always update the x2avic msr
interception
Date: Thu, 28 Sep 2023 20:33:51 +0300
Message-Id: <20230928173354.217464-2-mlevitsk@redhat.com>
In-Reply-To: <20230928173354.217464-1-mlevitsk@redhat.com>
References: <20230928173354.217464-1-mlevitsk@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7
X-Spam-Status: No, score=2.7 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no
autolearn_force=no version=3.4.6
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]);
Thu, 28 Sep 2023 10:35:21 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778329509484869717
X-GMAIL-MSGID: 1778384204582565563
|
| Series |
AVIC bugfixes and workarounds
|
|
Commit Message
Maxim Levitsky
Sept. 28, 2023, 5:33 p.m. UTC
The following problem exists since x2avic was enabled in the KVM:
svm_set_x2apic_msr_interception is called to enable the interception of
the x2apic msrs.
In particular it is called at the moment the guest resets its apic.
Assuming that the guest's apic was in x2apic mode, the reset will bring
it back to the xapic mode.
The svm_set_x2apic_msr_interception however has an erroneous check for
'!apic_x2apic_mode()' which prevents it from doing anything in this case.
As a result of this, all x2apic msrs are left unintercepted, and that
exposes the bare metal x2apic (if enabled) to the guest.
Oops.
Remove the erroneous '!apic_x2apic_mode()' check to fix that.
This fixes CVE-2023-5090
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
---
arch/x86/kvm/svm/svm.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Comments
Maxim, Thanks for finding and fixing this. On 9/29/2023 7:24 AM, Sean Christopherson wrote: > On Thu, Sep 28, 2023, Maxim Levitsky wrote: >> The following problem exists since x2avic was enabled in the KVM: >> >> svm_set_x2apic_msr_interception is called to enable the interception of > > Nit, svm_set_x2apic_msr_interception(). > > Definitely not worth another version though. > >> the x2apic msrs. >> >> In particular it is called at the moment the guest resets its apic. >> >> Assuming that the guest's apic was in x2apic mode, the reset will bring >> it back to the xapic mode. >> >> The svm_set_x2apic_msr_interception however has an erroneous check for >> '!apic_x2apic_mode()' which prevents it from doing anything in this case. >> >> As a result of this, all x2apic msrs are left unintercepted, and that >> exposes the bare metal x2apic (if enabled) to the guest. >> Oops. >> >> Remove the erroneous '!apic_x2apic_mode()' check to fix that. >> >> This fixes CVE-2023-5090 >> >> Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode") >> Cc: stable@vger.kernel.org >> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> >> --- > > Reviewed-by: Sean Christopherson <seanjc@google.com> Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 9507df93f410a63..acdd0b89e4715a3 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -913,8 +913,7 @@ void svm_set_x2apic_msr_interception(struct vcpu_svm *svm, bool intercept) if (intercept == svm->x2avic_msrs_intercepted) return; - if (!x2avic_enabled || - !apic_x2apic_mode(svm->vcpu.arch.apic)) + if (!x2avic_enabled) return; for (i = 0; i < MAX_DIRECT_ACCESS_MSRS; i++) {