From patchwork Fri Dec 1 13:15:55 2023
X-Patchwork-Submitter: Magali Lemes
X-Patchwork-Id: 1870611
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH 1/3] x86/sev: Disable MMIO emulation from user mode
Date: Fri, 1 Dec 2023 10:15:55 -0300
Message-Id: <20231201131601.1146971-2-magali.lemes@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231201131601.1146971-1-magali.lemes@canonical.com>
References: <20231201131601.1146971-1-magali.lemes@canonical.com>
MIME-Version: 1.0
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: "Borislav Petkov (AMD)"

Upstream commit: a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba

A virt scenario can be constructed where MMIO memory can be user memory.
When that happens, a race condition opens between when the hardware raises
the #VC and when the #VC handler gets to emulate the instruction.

If the MOVS is replaced with a MOVS accessing kernel memory in that small
race window, then a write to kernel memory happens as the access checks are
not done at emulation time.

Disable MMIO emulation in user mode temporarily until a sensible use case
appears and justifies properly handling the race window.

Fixes: 0118b604c2c9 ("x86/sev-es: Handle MMIO String Instructions")
Reported-by: Tom Dohrmann
Signed-off-by: Borislav Petkov (AMD)
Tested-by: Tom Dohrmann
Cc:
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 6797c6d09e50e7ddb1c0f8282ccfb3f1c4d63270 linux-5.15.y)
CVE-2023-46813
Signed-off-by: Magali Lemes
---
 arch/x86/kernel/sev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
index d19d3154a290..a564e319760b 100644
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c
@@ -1004,6 +1004,9 @@ static enum es_result vc_handle_mmio(struct ghcb *ghcb, enum es_result ret; long *reg_data; + if (user_mode(ctxt->regs)) + return ES_UNSUPPORTED; + switch (insn->opcode.bytes[0]) { /* MMIO Write */ case 0x88:
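Review bot: the early return added at the top of vc_handle_mmio, `if (user_mode(ctxt->regs))` / `return ES_UNSUPPORTED;`, has no in-code comment, although the commit message calls the restriction temporary and justifies it by a race the code itself cannot show (user memory backing MMIO can be swapped for kernel memory between the hardware raising #VC and the handler emulating the instruction, and the access checks are not repeated at emulation time). A later change that relaxes the check will not find that rationale in sev.c; suggest a one- or two-line comment above the check that names the race and points at the Fixes commit, e.g. `/* Refuse MMIO emulation from user mode: the user memory can be remapped before emulation (see 0118b604c2c9). */`. Since the check sits before `switch (insn->opcode.bytes[0])`, it refuses every MMIO opcode from user mode, not only the MOVS the message describes; that matches the stated intent of disabling user-mode MMIO emulation outright, and the comment should say so. The hunk does not show the caller, so please also state in the cover letter what the #VC path does with ES_UNSUPPORTED for a user-mode fault, as the change turns a previously emulated access into a failure the process will observe.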