KVM: nVMX: add missing consistency checks for CR0 and CR4

stable inclusion from stable-v5.10.176 commit c54974ccaff73525462e278602dfe4069877cfaa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6U7AN CVE: CVE-2023-30456 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c54974ccaff73525462e278602dfe4069877cfaa -------------------------------- commit 112e6601 upstream. The effective values of the guest CR0 and CR4 registers may differ from those included in the VMCS12. In particular, disabling EPT forces CR4.PAE=1 and disabling unrestricted guest mode forces CR0.PG=CR0.PE=1. Therefore, checks on these bits cannot be delegated to the processor and must be performed by KVM. Reported-by: N Reima ISHII <ishiir@g.ecc.u-tokyo.ac.jp> Cc: stable@vger.kernel.org Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> conflicts: arch/x86/kvm/vmx.c Signed-off-by: N Lin Yujun <linyujun809@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Zhang Jianhua <chris.zjh@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

KVM: nVMX: add missing consistency checks for CR0 and CR4
stable inclusion from stable-v5.10.176 commit c54974ccaff73525462e278602dfe4069877cfaa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6U7AN CVE: CVE-2023-30456 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c54974ccaff73525462e278602dfe4069877cfaa -------------------------------- commit 112e6601 upstream. The effective values of the guest CR0 and CR4 registers may differ from those included in the VMCS12. In particular, disabling EPT forces CR4.PAE=1 and disabling unrestricted guest mode forces CR0.PG=CR0.PE=1. Therefore, checks on these bits cannot be delegated to the processor and must be performed by KVM. Reported-by: N Reima ISHII <ishiir@g.ecc.u-tokyo.ac.jp> Cc: stable@vger.kernel.org Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> conflicts: arch/x86/kvm/vmx.c Signed-off-by: N Lin Yujun <linyujun809@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Zhang Jianhua <chris.zjh@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
3987c836 · Paolo Bonzini · Yongqiang Liu · 5e4437d3 · 3987c836
隐藏空白更改
内联并排

Showing with 8 addition and 2 deletion

arch/x86/kvm/vmx.c arch/x86/kvm/vmx.c +8 -2

未找到文件。
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -12763,7 +12763,7 @@ static int nested_vmx_check_vmcs_link_ptr(struct kvm_vcpu *vcpu,
 static int check_vmentry_postreqs(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
 				  u32 *exit_qual)
 {
-	bool ia32e;
+	bool ia32e = !!(vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE);

 	*exit_qual = ENTRY_FAIL_DEFAULT;

@@ -12776,6 +12776,13 @@ static int check_vmentry_postreqs(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
 		return 1;
 	}

+	if ((vmcs12->guest_cr0 & (X86_CR0_PG | X86_CR0_PE)) == X86_CR0_PG)
+		return 1;
+
+	if ((ia32e && !(vmcs12->guest_cr4 & X86_CR4_PAE)) ||
+	    (ia32e && !(vmcs12->guest_cr0 & X86_CR0_PG)))
+		return 1;
+
 	/*
 	 * If the load IA32_EFER VM-entry control is 1, the following checks
 	 * are performed on the field for the IA32_EFER MSR:
@@ -12787,7 +12794,6 @@ static int check_vmentry_postreqs(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
 	 */
 	if (to_vmx(vcpu)->nested.nested_run_pending &&
 	    (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_EFER)) {
-		ia32e = (vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE) != 0;
 		if (!kvm_valid_efer(vcpu, vmcs12->guest_ia32_efer) ||
 		    ia32e != !!(vmcs12->guest_ia32_efer & EFER_LMA) ||
 		    ((vmcs12->guest_cr0 & X86_CR0_PG) &&