git.ipfire.org Git - thirdparty/linux.git/commit

author	Yosry Ahmed <yosry@kernel.org>
	Tue, 3 Mar 2026 00:34:14 +0000 (00:34 +0000)
committer	Sean Christopherson <seanjc@google.com>
	Thu, 5 Mar 2026 00:09:04 +0000 (16:09 -0800)
commit	84dc9fd0354d3d0e02faf2f7b3f4d1228c2571ea
tree	4bab58b0abcee371ef924fa41b24ef59886f0aba	tree \| snapshot
parent	7e6eab9be2200f83ab03ab2b921ea7ca47a6c3b4	commit \| diff

KVM: nSVM: Cache all used fields from VMCB12

Currently, most fields used from VMCB12 are cached in
svm->nested.{ctl/save}. This is mainly to avoid TOC-TOU bugs. However,
for the save area, only the fields used in the consistency checks (i.e.
nested_vmcb_check_save()) were being cached. Other fields are read
directly from guest memory in nested_vmcb02_prepare_save().

While probably benign, this still makes it possible for TOC-TOU bugs to
happen. For example, RAX, RSP, and RIP are read twice, once to store in
VMCB02, and once to store in vcpu->arch.regs. It is possible for the
guest to modify the value between both reads, potentially causing nasty
bugs.

Harden against such bugs by caching everything in svm->nested.save.
Cache all the needed fields, and keep all accesses to the VMCB12
strictly in nested_svm_vmrun() for caching and early error injection.
Following changes will further limit the access to the VMCB12 in the
nested VMRUN path.

Introduce vmcb12_is_dirty() to use with the cached control fields
instead of vmcb_is_dirty(), similar to vmcb12_is_intercept().

Opportunistically order the copies in __nested_copy_vmcb_save_to_cache()
by the order in which the fields are defined in struct vmcb_save_area.

Signed-off-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260303003421.2185681-21-yosry@kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>

arch/x86/kvm/svm/nested.c		diff \| blob \| blame \| history
arch/x86/kvm/svm/svm.c		diff \| blob \| blame \| history
arch/x86/kvm/svm/svm.h		diff \| blob \| blame \| history