1 From 3c9fa24ca7c9c47605672916491f79e8ccacb9e6 Mon Sep 17 00:00:00 2001
2 From: Paolo Bonzini <pbonzini@redhat.com>
3 Date: Wed, 6 Jun 2018 17:38:09 +0200
4 Subject: kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access
6 From: Paolo Bonzini <pbonzini@redhat.com>
8 commit 3c9fa24ca7c9c47605672916491f79e8ccacb9e6 upstream.
10 The functions that were used in the emulation of fxrstor, fxsave, sgdt and
11 sidt were originally meant for task switching, and as such they did not
12 check privilege levels. This is very bad when the same functions are used
13 in the emulation of unprivileged instructions. This is CVE-2018-10853.
15 The obvious fix is to add a new argument to ops->read_std and ops->write_std,
16 which decides whether the access is a "system" access or should use the
19 Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
20 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
24 arch/x86/include/asm/kvm_emulate.h | 6 ++++--
25 arch/x86/kvm/emulate.c | 12 ++++++------
26 arch/x86/kvm/x86.c | 18 ++++++++++++++----
27 3 files changed, 24 insertions(+), 12 deletions(-)
29 --- a/arch/x86/include/asm/kvm_emulate.h
30 +++ b/arch/x86/include/asm/kvm_emulate.h
31 @@ -105,11 +105,12 @@ struct x86_emulate_ops {
32 * @addr: [IN ] Linear address from which to read.
33 * @val: [OUT] Value read from memory, zero-extended to 'u_long'.
34 * @bytes: [IN ] Number of bytes to read from memory.
35 + * @system:[IN ] Whether the access is forced to be at CPL0.
37 int (*read_std)(struct x86_emulate_ctxt *ctxt,
38 unsigned long addr, void *val,
40 - struct x86_exception *fault);
41 + struct x86_exception *fault, bool system);
44 * read_phys: Read bytes of standard (non-emulated/special) memory.
45 @@ -127,10 +128,11 @@ struct x86_emulate_ops {
46 * @addr: [IN ] Linear address to which to write.
47 * @val: [OUT] Value write to memory, zero-extended to 'u_long'.
48 * @bytes: [IN ] Number of bytes to write to memory.
49 + * @system:[IN ] Whether the access is forced to be at CPL0.
51 int (*write_std)(struct x86_emulate_ctxt *ctxt,
52 unsigned long addr, void *val, unsigned int bytes,
53 - struct x86_exception *fault);
54 + struct x86_exception *fault, bool system);
56 * fetch: Read bytes of standard (non-emulated/special) memory.
57 * Used for instruction fetch.
58 --- a/arch/x86/kvm/emulate.c
59 +++ b/arch/x86/kvm/emulate.c
60 @@ -805,14 +805,14 @@ static inline int jmp_rel(struct x86_emu
61 static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
62 void *data, unsigned size)
64 - return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
65 + return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
68 static int linear_write_system(struct x86_emulate_ctxt *ctxt,
69 ulong linear, void *data,
72 - return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
73 + return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
76 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
77 @@ -826,7 +826,7 @@ static int segmented_read_std(struct x86
78 rc = linearize(ctxt, addr, size, false, &linear);
79 if (rc != X86EMUL_CONTINUE)
81 - return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
82 + return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
85 static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
86 @@ -840,7 +840,7 @@ static int segmented_write_std(struct x8
87 rc = linearize(ctxt, addr, size, true, &linear);
88 if (rc != X86EMUL_CONTINUE)
90 - return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
91 + return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
95 @@ -2912,12 +2912,12 @@ static bool emulator_io_port_access_allo
97 base |= ((u64)base3) << 32;
99 - r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
100 + r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
101 if (r != X86EMUL_CONTINUE)
103 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
105 - r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
106 + r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
107 if (r != X86EMUL_CONTINUE)
109 if ((perm >> bit_idx) & mask)
110 --- a/arch/x86/kvm/x86.c
111 +++ b/arch/x86/kvm/x86.c
112 @@ -4408,10 +4408,15 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
114 static int emulator_read_std(struct x86_emulate_ctxt *ctxt,
115 gva_t addr, void *val, unsigned int bytes,
116 - struct x86_exception *exception)
117 + struct x86_exception *exception, bool system)
119 struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
120 - return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
123 + if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
124 + access |= PFERR_USER_MASK;
126 + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, exception);
129 static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
130 @@ -4455,12 +4460,17 @@ out:
133 static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val,
134 - unsigned int bytes, struct x86_exception *exception)
135 + unsigned int bytes, struct x86_exception *exception,
138 struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
139 + u32 access = PFERR_WRITE_MASK;
141 + if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
142 + access |= PFERR_USER_MASK;
144 return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
145 - PFERR_WRITE_MASK, exception);
146 + access, exception);
149 int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val,