From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Felix Wilhelm <fwilhelm@google.com>
Date: Mon, 11 Jun 2018 09:43:44 +0200
Subject: [PATCH] kvm: nVMX: Enforce cpl=0 for VMX instructions
VMX instructions executed inside a L1 VM will always trigger a VM exit
even when executed with cpl 3. This means we must perform the
privilege check in software.
Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Wilhelm <fwilhelm@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
arch/x86/kvm/vmx.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1a5617fc8b6a..5c8bd2d61080 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7575,6 +7575,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
return 1;
}
+ /* CPL=0 must be checked manually. */
+ if (vmx_get_cpl(vcpu)) {
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 1;
+ }
+
if (vmx->nested.vmxon) {
nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
return kvm_skip_emulated_instruction(vcpu);
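Review bot: The privilege check added to handle_vmon queues `UD_VECTOR` when `vmx_get_cpl(vcpu)` is non-zero, but as far as I recall the SDM pseudocode for VMXON, CPL > 0 raises #GP(0), with #UD kept for conditions such as CR4.VMXE being clear. If that reading is right the injection should be `kvm_inject_gp(vcpu, 0);`, otherwise a guest that distinguishes the two vectors sees behaviour that differs from bare metal. The same applies to the check added to nested_vmx_check_permission in the next hunk, where the architectural order would also place the existing "not in VMX operation" #UD test ahead of the CPL test. handle_vmon starts and ends outside this hunk, so the checks that precede this one are not visible.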
@@ -7634,6 +7640,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
*/
static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
{
+ if (vmx_get_cpl(vcpu)) {
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 0;
+ }
+
if (!to_vmx(vcpu)->nested.vmxon) {
kvm_queue_exception(vcpu, UD_VECTOR);
return 0;
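Review bot: nested_vmx_check_permission gains a second responsibility here that its header comment may not describe; that comment ends on the `*/` above the signature and starts outside this hunk, so I cannot see its text. The handle_vmread and handle_vmptrst comments changed later in this patch name this function as the reason the `*_system` accessors are safe, so the header should state that contract, for example `Also rejects CPL > 0: a VMX instruction in L1 exits to L0 before hardware checks privilege.` A one-line comment above the new `if`, like the `/* CPL=0 must be checked manually. */` added in handle_vmon, would keep the two checks documented alike. The function body continues past the end of the hunk.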
@@ -7967,7 +7978,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
if (get_vmx_mem_address(vcpu, exit_qualification,
vmx_instruction_info, true, &gva))
return 1;
- /* _system ok, as hardware has verified cpl=0 */
+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
&field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
}
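Review bot: The `kvm_write_guest_virt_system` call under the updated comment in handle_vmread still passes `NULL` for the exception argument and discards the return value, so a write to a faulting guest address appears to be dropped silently instead of being reported to the guest. handle_vmptrst in the next hunk passes `&e` and tests the result; handle_vmread could do the same, roughly `if (kvm_write_guest_virt_system(..., &e)) kvm_inject_page_fault(vcpu, &e);`, which presumably needs a local `struct x86_exception e`. These are unchanged context lines rather than lines this patch adds. The handler begins and ends outside the hunk, so the nested_vmx_check_permission call that the new comment relies on is not visible here and should be confirmed to precede this path.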
@@ -8110,7 +8121,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
if (get_vmx_mem_address(vcpu, exit_qualification,
vmx_instruction_info, true, &vmcs_gva))
return 1;
- /* ok to use *_system, as hardware has verified cpl=0 */
+ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
(void *)&to_vmx(vcpu)->nested.current_vmptr,
sizeof(u64), &e)) {