git.ipfire.org Git - thirdparty/qemu.git/commit
i386/cpu: Prevent delivering SIPI during SMM in TCG mode
author    Paolo Bonzini <pbonzini@redhat.com>
          Sat, 11 Oct 2025 07:13:29 +0000 (09:13 +0200)
committer Paolo Bonzini <pbonzini@redhat.com>
          Tue, 14 Oct 2025 09:03:58 +0000 (11:03 +0200)
commit    df32e5c568c9cf68c15a9bbd98d0c3aff19eab63
tree      a89d28f20b246111065b5ccff6d85bf8dce26a85
parent    00001a22d183ce96c110690987bf9dd6a8548552
i386/cpu: Prevent delivering SIPI during SMM in TCG mode

[commit message by YiFei Zhu]

A malicious kernel may control the instruction pointer in SMM in a
multi-processor VM by sending a sequence of IPIs via APIC:

CPU0                               CPU1
IPI(CPU1, MODE_INIT)
                                   x86_cpu_exec_reset()
                                   apic_init_reset()
                                   s->wait_for_sipi = true
IPI(CPU1, MODE_SMI)
                                   do_smm_enter()
                                   env->hflags |= HF_SMM_MASK;
IPI(CPU1, MODE_STARTUP, vector)
                                   do_cpu_sipi()
                                   apic_sipi()
                                   /* s->wait_for_sipi check passes */
                                   cpu_x86_load_seg_cache_sipi(vector)

A different sequence, SMI INIT SIPI, is also buggy in TCG because
INIT is not blocked or latched during SMM. However, it is not
vulnerable to an instruction pointer control in the same way because
x86_cpu_exec_reset clears env->hflags, exiting SMM.

Fixes: a9bad65d2c1f ("target-i386: wake up processors that receive an SMI")
Analyzed-by: YiFei Zhu <zhuyifei@google.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
hw/intc/apic.c
target/i386/helper.c
target/i386/tcg/system/seg_helper.c
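The INIT, SMI, SIPI sequence from the commit message as an added toy model in C (not QEMU's code; the value of HF_SMM_MASK, the SMI entry address and the `fixed` switch are assumptions), showing why a SIPI honoured while HF_SMM_MASK is set hands SMM execution a guest-chosen entry point, and the check that rejects it:

```c
/* Added toy model of the INIT -> SMI -> SIPI sequence from the commit
 * message. Not QEMU code: names echo the trace, bodies are simplified. */
#include <stdbool.h>
#include <stdint.h>

#define HF_SMM_MASK 0x1u          /* assumption: any nonzero bit will do */
#define SMI_ENTRY   0x38000u      /* constructed: default SMBASE + 0x8000 */

enum ipi_mode { MODE_INIT, MODE_SMI, MODE_STARTUP };

struct vcpu {
    bool wait_for_sipi;           /* APIC: INIT seen, next SIPI is honoured */
    uint32_t hflags;              /* HF_SMM_MASK set while inside SMM */
    uint32_t eip;                 /* where the CPU resumes executing */
};

/* 'fixed' selects the hardened rule: a SIPI is not acted on while in SMM. */
static void deliver_ipi(struct vcpu *c, enum ipi_mode mode, uint8_t vector, bool fixed)
{
    switch (mode) {
    case MODE_INIT:               /* x86_cpu_exec_reset + apic_init_reset */
        c->hflags &= ~HF_SMM_MASK;   /* reset clears hflags, leaving SMM */
        c->wait_for_sipi = true;
        c->eip = 0xfff0;
        break;
    case MODE_SMI:                /* do_smm_enter */
        c->hflags |= HF_SMM_MASK;
        c->eip = SMI_ENTRY;
        break;
    case MODE_STARTUP:            /* do_cpu_sipi -> apic_sipi */
        if (!c->wait_for_sipi)
            break;
        if (fixed && (c->hflags & HF_SMM_MASK))
            break;                /* hardened: SIPI ignored inside SMM */
        c->wait_for_sipi = false;
        c->eip = (uint32_t)vector << 12;  /* real-mode entry at vector * 4 KiB */
        break;
    }
}

/* True when the sequence leaves CPU1 in SMM but at a guest-chosen EIP. */
static bool sipi_lands_in_smm(bool fixed)
{
    struct vcpu cpu1 = { false, 0, 0 };
    deliver_ipi(&cpu1, MODE_INIT, 0, fixed);
    deliver_ipi(&cpu1, MODE_SMI, 0, fixed);
    deliver_ipi(&cpu1, MODE_STARTUP, 0x42, fixed);   /* constructed vector */
    return (cpu1.hflags & HF_SMM_MASK) && cpu1.eip == (0x42u << 12);
}
```

The model also reproduces the second sequence the message mentions: an INIT arriving during SMM clears hflags, so a following SIPI runs outside SMM rather than inside it.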