From patchwork Fri Dec  1 13:15:56 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Magali Lemes <magali.lemes@canonical.com>
X-Patchwork-Id: 1870613
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=185.125.189.65; helo=lists.ubuntu.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4ShYVM2xCkz24DQ
	for <incoming@patchwork.ozlabs.org>; Sat,  2 Dec 2023 00:16:27 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com)
	by lists.ubuntu.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1r93NT-00083r-UC; Fri, 01 Dec 2023 13:16:20 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.86_2) (envelope-from <magali.lemes@canonical.com>)
 id 1r93NL-00082H-RS
 for kernel-team@lists.ubuntu.com; Fri, 01 Dec 2023 13:16:12 +0000
Received: from mail-pf1-f197.google.com (mail-pf1-f197.google.com
 [209.85.210.197])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 7DFF23F18B
 for <kernel-team@lists.ubuntu.com>; Fri,  1 Dec 2023 13:16:11 +0000 (UTC)
Received: by mail-pf1-f197.google.com with SMTP id
 d2e1a72fcca58-6cddc344b98so2763277b3a.3
 for <kernel-team@lists.ubuntu.com>; Fri, 01 Dec 2023 05:16:11 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1701436569; x=1702041369;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=sn8AvZ1lqFKdLgcvn0Z2kSIl/qZr5PPuzPudMOeyrg4=;
 b=G+suToMd9GNITb3/xjWwkw0rkLfhaYpE3niTzBArJAQwREpf28cHfr4eClBt0O4ZtN
 WvyBWFn2deGTtymt/E1bHje2U4xitKwSvHor4x4cKqKAazKMVkBRjTPLloInDC1Nv/R9
 65J2HfQHLAdky8krFU2f0umPHHXJ31c7FdMqj4ut/pYOyiOVejgZ0YnpbrjUsYTQj69C
 p7ir2fawWk96V0mS7BGc5ItJNEFyBteo9a8LtLm6s5cEl6aJ7H1iTLd+Rf1pwduU26mA
 8Mr3a40LFS4AAAlLRv2S+vOFjS+JghjpJt5lpqcubDKXho/iKyHioRJ7rck/fvSdXdTD
 cBJg==
X-Gm-Message-State: AOJu0YyMLC9PSg26Gr/jG7J++oOxmlQ8MRs58LJhRQ/KV3+EvUGXg3F8
 4k7UfedaRV37ZxgUYMq9e6QUuvgRekIZpRGgTdDLrdXRiXmLE9LG7SpowT9PcaqnfNSOzLXB0VT
 t12HV8R9gZPzC5I1RyvQQip3lxxdjuCDwDUMOH3R0VCVkfkeeSQ==
X-Received: by 2002:a05:6a00:93a5:b0:6cd:e101:9cb with SMTP id
 ka37-20020a056a0093a500b006cde10109cbmr8518024pfb.20.1701436569227;
 Fri, 01 Dec 2023 05:16:09 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IGuqY4irTO7RsPUmQym9FRn2Ox+wA9eDjaTuuDmRHSGvN9Cp/PDxZYsWlYRxQ7XnXUrC9Vchg==
X-Received: by 2002:a05:6a00:93a5:b0:6cd:e101:9cb with SMTP id
 ka37-20020a056a0093a500b006cde10109cbmr8518004pfb.20.1701436568814;
 Fri, 01 Dec 2023 05:16:08 -0800 (PST)
Received: from magali.. ([2804:7f0:b442:2377:dd30:3fac:53f2:e6fd])
 by smtp.gmail.com with ESMTPSA id
 fb3-20020a056a002d8300b006bde2480806sm2978028pfb.47.2023.12.01.05.16.07
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 01 Dec 2023 05:16:08 -0800 (PST)
From: Magali Lemes <magali.lemes@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Lunar/Mantic/OEM-6.5][PATCH 1/3] x86/sev: Disable MMIO
 emulation from user mode
Date: Fri,  1 Dec 2023 10:15:56 -0300
Message-Id: <20231201131601.1146971-3-magali.lemes@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231201131601.1146971-1-magali.lemes@canonical.com>
References: <20231201131601.1146971-1-magali.lemes@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: "Borislav Petkov (AMD)" <bp@alien8.de>

A virt scenario can be constructed where MMIO memory can be user memory.
When that happens, a race condition opens between when the hardware
raises the #VC and when the #VC handler gets to emulate the instruction.

If the MOVS is replaced with a MOVS accessing kernel memory in that
small race window, then write to kernel memory happens as the access
checks are not done at emulation time.

Disable MMIO emulation in user mode temporarily until a sensible use
case appears and justifies properly handling the race window.

Fixes: 0118b604c2c9 ("x86/sev-es: Handle MMIO String Instructions")
Reported-by: Tom Dohrmann <erbse.13@gmx.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Tom Dohrmann <erbse.13@gmx.de>
Cc: <stable@kernel.org>
(cherry picked from commit a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba)
CVE-2023-46813
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
 arch/x86/kernel/sev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
index 45ef3926381f..b09172592e02 100644
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c
@@ -1552,6 +1552,9 @@ static enum es_result vc_handle_mmio(struct ghcb *ghcb, struct es_em_ctxt *ctxt)
 			return ES_DECODE_FAILED;
 	}
 
+	if (user_mode(ctxt->regs))
+		return ES_UNSUPPORTED;
+
 	switch (mmio) {
 	case INSN_MMIO_WRITE:
 		memcpy(ghcb->shared_buffer, reg_data, bytes);