From: Greg Kroah-Hartman
Date: Mon, 16 Aug 2021 19:28:12 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.4.142~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=35464f10ce933e4a684a2da3e1b45ee19464977a;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
---
diff --git a/queue-4.14/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch b/queue-4.14/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
new file mode 100644
index 00000000000..ab117026b9c
--- /dev/null
+++ b/queue-4.14/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
@@ -0,0 +1,42 @@
+From foo@baz Mon Aug 16 09:25:03 PM CEST 2021
+From: Paolo Bonzini
+Date: Mon, 16 Aug 2021 16:02:36 +0200
+Subject: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: stable@vger.kernel.org, Maxim Levitsky
+Message-ID: <20210816140240.11399-8-pbonzini@redhat.com>
+
+From: Maxim Levitsky
+
+[ upstream commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc ]
+
+If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
+Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
+then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
+possible by making L0 intercept these instructions.
+
+Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
+and thus read/write portions of the host physical memory.
+
+Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
+
+Suggested-by: Paolo Bonzini
+Signed-off-by: Maxim Levitsky
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -389,6 +389,9 @@ static void recalc_intercepts(struct vcp
+ c->intercept_dr = h->intercept_dr | g->intercept_dr;
+ c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
+ c->intercept = h->intercept | g->intercept;
++
++ c->intercept |= (1ULL << INTERCEPT_VMLOAD);
++ c->intercept |= (1ULL << INTERCEPT_VMSAVE);
+ }
+
+ static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)
diff --git a/queue-4.14/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch b/queue-4.14/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
new file mode 100644
index 00000000000..107e523e858
--- /dev/null
+++ b/queue-4.14/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
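Review bot: The two forced intercepts at the end of recalc_intercepts carry no comment, so nothing in the code itself records why they must stay even though the preceding `c->intercept = h->intercept | g->intercept;` merge already honours L1's mask, and a later cleanup could drop them as redundant. Suggest placing `/* L2 gets no Virtual VMLOAD/VMSAVE, so these must always exit to L0 (CVE-2021-3656) */` above the two `c->intercept |=` lines. The hunk also does not show that recalc_intercepts runs on the nested VMRUN path; if it is only reached through the intercept set/clear helpers, confirm the VMRUN entry path recomputes the intercepts before L2 runs. The body of recalc_intercepts starts outside the hunk.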
@@ -0,0 +1,72 @@
+From foo@baz Mon Aug 16 09:25:03 PM CEST 2021
+From: Paolo Bonzini
+Date: Mon, 16 Aug 2021 16:02:29 +0200
+Subject: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: stable@vger.kernel.org, Maxim Levitsky
+Message-ID: <20210816140240.11399-1-pbonzini@redhat.com>
+
+From: Maxim Levitsky
+
+[ upstream commit 0f923e07124df069ba68d8bb12324398f4b6b709 ]
+
+* Invert the mask of bits that we pick from L2 in
+ nested_vmcb02_prepare_control
+
+* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
+
+This fixes a security issue that allowed a malicious L1 to run L2 with
+AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
+AVIC to read/write the host physical memory at some offsets.
+
+Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
+Signed-off-by: Maxim Levitsky
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/svm.h | 2 ++
+ arch/x86/kvm/svm.c | 15 ++++++++-------
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/svm.h
++++ b/arch/x86/include/asm/svm.h
+@@ -117,6 +117,8 @@ struct __attribute__ ((__packed__)) vmcb
+ #define V_IGN_TPR_SHIFT 20
+ #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
+
++#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
++
+ #define V_INTR_MASKING_SHIFT 24
+ #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1211,12 +1211,7 @@ static __init int svm_hardware_setup(voi
+ }
+ }
+
+- if (vgif) {
+- if (!boot_cpu_has(X86_FEATURE_VGIF))
+- vgif = false;
+- else
+- pr_info("Virtual GIF supported\n");
+- }
++ vgif = false; /* Disabled for CVE-2021-3653 */
+
+ return 0;
+
+@@ -3164,7 +3159,13 @@ static bool nested_svm_vmrun(struct vcpu
+ svm->nested.intercept = nested_vmcb->control.intercept;
+
+ svm_flush_tlb(&svm->vcpu, true);
+- svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
++
++ svm->vmcb->control.int_ctl &=
++ V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
++
++ svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl &
++ (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK);
++
+ if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
+ svm->vcpu.arch.hflags |= HF_VINTR_MASK;
+ else
diff --git a/queue-4.14/series b/queue-4.14/series
index b5284f77127..db37bd59f40 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -25,3 +25,5 @@ pci-msi-use-msi_mask_irq-in-pci_msi_shutdown.patch
 pci-msi-protect-msi_desc-masked-for-multi-msi.patch
 vmlinux.lds.h-handle-clang-s-module.-c-d-tor-sections.patch
 mac80211-drop-data-frames-without-key-on-encrypted-links.patch
+kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
+kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
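Review bot: The replaced line in nested_svm_vmrun forced V_INTR_MASKING_MASK into int_ctl on every nested VMRUN, whereas the new `&=` only preserves the bit if it is already set in svm->vmcb->control.int_ctl, so the fix relies on L0 never clearing that bit in its own int_ctl — presumably established when the VMCB is initialised, but not visible in this hunk. A comment such as `/* keep L0's INTR_MASKING/GIF bits; take only TPR and IRQ-injection bits from L2 */` above the `&=` would record that dependency. The patch description is inherited from upstream and refers to nested_vmcb02_prepare_control and svm_clear_vintr, neither of which this 4.14 backport touches, while the backport-specific `vgif = false;` in svm_hardware_setup is explained only by its trailing comment; a short backport note in the description (naming the vgif disablement and that the int_ctl change lands in nested_svm_vmrun) would help later readers. Both svm_hardware_setup and nested_svm_vmrun continue outside the hunk.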