git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Sean Christopherson <seanjc@google.com>
	Fri, 19 Sep 2025 22:32:10 +0000 (15:32 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Tue, 23 Sep 2025 15:55:19 +0000 (08:55 -0700)
commit	4135a9a8ccba2b685f2301429ea765fa0f78eb89
tree	81ca3943a693b2a535607c9b3e4b2ccbfd60d19f	tree \| snapshot
parent	bd5f500d23170e5bde59ce97da523048b66a8183	commit \| diff

KVM: SEV: Validate XCR0 provided by guest in GHCB

Use __kvm_set_xcr() to propagate XCR0 changes from the GHCB to KVM's
software model in order to validate the new XCR0 against KVM's view of
the supported XCR0.  Allowing garbage is thankfully mostly benign, as
kvm_load_{guest,host}_xsave_state() bail early for vCPUs with protected
state, xstate_required_size() will simply provide garbage back to the
guest, and attempting to save/restore the bad value via KVM_{G,S}ET_XCRS
will only harm the guest (setting XCR0 will fail).

However, allowing the guest to put junk into a field that KVM assumes is
valid is a CVE waiting to happen.  And as a bonus, using the proper API
eliminates the ugly open coding of setting arch.cpuid_dynamic_bits_dirty.

Simply ignore bad values, as either the guest managed to get an
unsupported value into hardware, or the guest is misbehaving and providing
pure garbage.  In either case, KVM can't fix the broken guest.

Note, using __kvm_set_xcr() also avoids recomputing dynamic CPUID bits
if XCR0 isn't actually changing (relatively to KVM's previous snapshot).

Cc: Tom Lendacky <thomas.lendacky@amd.com>
Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

arch/x86/include/asm/kvm_host.h		diff \| blob \| blame \| history
arch/x86/kvm/svm/sev.c		diff \| blob \| blame \| history
arch/x86/kvm/x86.c		diff \| blob \| blame \| history