提交 a12d5b21 编写于 作者: S Sean Christopherson 提交者: Zheng Zengkai

KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4

stable inclusion
from stable-v5.10.137
commit a7d0b21c6b406e441fffbe4239c36ce83447fc52
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I60PLB

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a7d0b21c6b406e441fffbe4239c36ce83447fc52

--------------------------------

[ Upstream commit c7d855c2 ]

Inject a #UD if L1 attempts VMXON with a CR0 or CR4 that is disallowed
per the associated nested VMX MSRs' fixed0/1 settings.  KVM cannot rely
on hardware to perform the checks, even for the few checks that have
higher priority than VM-Exit, as (a) KVM may have forced CR0/CR4 bits in
hardware while running the guest, (b) there may incompatible CR0/CR4 bits
that have lower priority than VM-Exit, e.g. CR0.NE, and (c) userspace may
have further restricted the allowed CR0/CR4 values by manipulating the
guest's nested VMX MSRs.

Note, despite a very strong desire to throw shade at Jim, commit
70f3aac9 ("kvm: nVMX: Remove superfluous VMX instruction fault checks")
is not to blame for the buggy behavior (though the comment...).  That
commit only removed the CR0.PE, EFLAGS.VM, and COMPATIBILITY mode checks
(though it did erroneously drop the CPL check, but that has already been
remedied).  KVM may force CR0.PE=1, but will do so only when also
forcing EFLAGS.VM=1 to emulate Real Mode, i.e. hardware will still #UD.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216033
Fixes: ec378aee ("KVM: nVMX: Implement VMXON and VMXOFF")
Reported-by: NEric Li <ercli@ucdavis.edu>
Cc: stable@vger.kernel.org
Signed-off-by: NSean Christopherson <seanjc@google.com>
Message-Id: <20220607213604.3346000-4-seanjc@google.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
Reviewed-by: NWei Li <liwei391@huawei.com>
上级 3c6b4607
...@@ -4888,20 +4888,25 @@ static int handle_vmon(struct kvm_vcpu *vcpu) ...@@ -4888,20 +4888,25 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
| FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX; | FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX;
/* /*
* The Intel VMX Instruction Reference lists a bunch of bits that are * Note, KVM cannot rely on hardware to perform the CR0/CR4 #UD checks
* prerequisite to running VMXON, most notably cr4.VMXE must be set to * that have higher priority than VM-Exit (see Intel SDM's pseudocode
* 1 (see vmx_is_valid_cr4() for when we allow the guest to set this). * for VMXON), as KVM must load valid CR0/CR4 values into hardware while
* Otherwise, we should fail with #UD. But most faulting conditions * running the guest, i.e. KVM needs to check the _guest_ values.
* have already been checked by hardware, prior to the VM-exit for *
* VMXON. We do test guest cr4.VMXE because processor CR4 always has * Rely on hardware for the other two pre-VM-Exit checks, !VM86 and
* that bit set to 1 in non-root mode. * !COMPATIBILITY modes. KVM may run the guest in VM86 to emulate Real
* Mode, but KVM will never take the guest out of those modes.
*/ */
if (!kvm_read_cr4_bits(vcpu, X86_CR4_VMXE)) { if (!nested_host_cr0_valid(vcpu, kvm_read_cr0(vcpu)) ||
!nested_host_cr4_valid(vcpu, kvm_read_cr4(vcpu))) {
kvm_queue_exception(vcpu, UD_VECTOR); kvm_queue_exception(vcpu, UD_VECTOR);
return 1; return 1;
} }
/* CPL=0 must be checked manually. */ /*
* CPL=0 and all other checks that are lower priority than VM-Exit must
* be checked manually.
*/
if (vmx_get_cpl(vcpu)) { if (vmx_get_cpl(vcpu)) {
kvm_inject_gp(vcpu, 0); kvm_inject_gp(vcpu, 0);
return 1; return 1;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册