From patchwork Mon Aug 16 20:06:51 2021
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1517312
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic 1/2] UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl"
Date: Mon, 16 Aug 2021 17:06:51 -0300
Message-Id: <20210816200654.12978-1-cascardo@canonical.com>
In-Reply-To: <20210816195742.12730-1-cascardo@canonical.com>
References: <20210816195742.12730-1-cascardo@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1940134

This reverts commit ba798c67f196aa2719a0ca1544d2d7c72b713d05.

When launching L2 Linux guests on systems with VGIF support, they would fail to boot, not showing any console output.

Signed-off-by: Thadeu Lima de Souza Cascardo
---
 arch/x86/include/asm/svm.h | 2 --
 arch/x86/kvm/svm.c         | 8 +-------
 2 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index 2a9e81e93aac..78dd9df88157 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -117,8 +117,6 @@ struct __attribute__ ((__packed__)) vmcb_control_area { #define V_IGN_TPR_SHIFT 20 #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT) -#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK) - #define V_INTR_MASKING_SHIFT 24 #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index abb93d4b9f06..db07c4131318 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -3134,13 +3134,7 @@ static void enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb_gpa, svm->nested.intercept = nested_vmcb->control.intercept; svm_flush_tlb(&svm->vcpu, true); - - svm->vmcb->control.int_ctl &= - V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK; - - svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl & - (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK); - + svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK; if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK) svm->vcpu.arch.hflags |= HF_VINTR_MASK; else
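Review bot: restoring `svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;` in enter_svm_guest_mode copies every L2-supplied int_ctl bit, including the AVIC enable bit, back into the running VMCB, so a tree with 1/2 applied but not 2/2 is exposed to CVE-2021-3653 again; the commit message should say that this revert exists only to swap the SAUCE fix for the upstream backport in 2/2, name the CVE, and make clear the two must land together (a bisect that stops here is vulnerable). The svm.h hunk that drops V_IRQ_INJECTION_BITS_MASK is safe on its own because this hunk removes its only user, and 2/2 re-adds the macro unchanged.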
From patchwork Mon Aug 16 20:06:52 2021
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1517314
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic 2/2] KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
Date: Mon, 16 Aug 2021 17:06:52 -0300
Message-Id: <20210816200654.12978-2-cascardo@canonical.com>
In-Reply-To: <20210816200654.12978-1-cascardo@canonical.com>
References: <20210816195742.12730-1-cascardo@canonical.com>
 <20210816200654.12978-1-cascardo@canonical.com>
From: Maxim Levitsky

BugLink: https://bugs.launchpad.net/bugs/1940134

commit 0f923e07124df069ba68d8bb12324398f4b6b709 upstream.

* Invert the mask of bits that we pick from L2 in nested_vmcb02_prepare_control
* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr

This fixes a security issue that allowed a malicious L1 to run L2 with AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled AVIC to read/write the host physical memory at some offsets.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Signed-off-by: Maxim Levitsky
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 4d9059df57cb3b8ff07cea55ba439fa3c846ef80 linux-5.4.y)
CVE-2021-3653
Signed-off-by: Thadeu Lima de Souza Cascardo
---
 arch/x86/include/asm/svm.h |  2 ++
 arch/x86/kvm/svm.c         | 15 ++++++++-------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index 78dd9df88157..2a9e81e93aac 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -117,6 +117,8 @@ struct __attribute__ ((__packed__)) vmcb_control_area { #define V_IGN_TPR_SHIFT 20 #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT) +#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK) + #define V_INTR_MASKING_SHIFT 24 #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index db07c4131318..369cd5e2a573 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1215,12 +1215,7 @@ static __init int svm_hardware_setup(void) } } - if (vgif) { - if (!boot_cpu_has(X86_FEATURE_VGIF)) - vgif = false; - else - pr_info("Virtual GIF supported\n"); - } + vgif = false; /* Disabled for CVE-2021-3653 */ return 0;
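Review bot: `vgif = false; /* Disabled for CVE-2021-3653 */` in svm_hardware_setup is not one of the two changes the commit message lists (inverting the int_ctl pick mask and the svm_clear_vintr bitmask), so this hunk is a Bionic-only deviation from the upstream commit and the 5.4.y cherry-pick it cites, and the message, quoted verbatim from upstream, never mentions it; add a backport note above the Ubuntu Signed-off-by stating that VGIF is being forced off and why (if the L2 boot failure on VGIF hosts reported in 1/2 is the reason, say so), so that a future rebase does not silently keep or drop it. Replacing the whole block also removes the "Virtual GIF supported" pr_info, so an administrator who enabled vgif now has it ignored with no trace in dmesg; a pr_info at this point saying VGIF is disabled would make the new behaviour visible.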
@@ -3134,7 +3129,13 @@ static void enter_svm_guest_mode(struct vcpu_svm *svm, u64 vmcb_gpa, svm->nested.intercept = nested_vmcb->control.intercept; svm_flush_tlb(&svm->vcpu, true); - svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK; + + svm->vmcb->control.int_ctl &= + V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK; + + svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl & + (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK); + if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK) svm->vcpu.arch.hflags |= HF_VINTR_MASK; else
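Review bot: the masking in enter_svm_guest_mode now keeps only V_INTR_MASKING_MASK, V_GIF_ENABLE_MASK and V_GIF_MASK from L1's current int_ctl and takes only V_TPR_MASK and V_IRQ_INJECTION_BITS_MASK (V_IRQ, V_INTR_PRIO, V_IGN_TPR) from the nested VMCB, so the AVIC enable bit can no longer be supplied by L2, which is the fix the message describes. Two gaps to document: the message's second bullet, "Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr", has no corresponding hunk in this backport, so the note should either state that Bionic's svm_clear_vintr does not need it or the hunk should be included; and the removed line ORed V_INTR_MASKING_MASK in unconditionally whereas the new code only preserves it from the existing int_ctl, which matches upstream but relies on the L1 VMCB already having that bit set, worth one line in the backport note given that 1/2 reverted the previous version of exactly this path over an L2 boot failure.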