From: Greg Kroah-Hartman
Date: Mon, 16 Aug 2021 17:13:19 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v5.4.142~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a5a7e206bde087004bd9fde9e08caa11f749d0c8;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches
added patches:
kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
---
diff --git a/queue-5.4/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch b/queue-5.4/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
new file mode 100644
index 00000000000..f1e9e71a6d0
--- /dev/null
+++ b/queue-5.4/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
@@ -0,0 +1,39 @@
+From c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky
+Date: Mon, 19 Jul 2021 16:05:00 +0300
+Subject: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)
+
+From: Maxim Levitsky
+
+commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc upstream.
+
+If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
+Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
+then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
+possible by making L0 intercept these instructions.
+
+Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
+and thus read/write portions of the host physical memory.
+
+Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
+
+Suggested-by: Paolo Bonzini
+Signed-off-by: Maxim Levitsky
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -516,6 +516,9 @@ static void recalc_intercepts(struct vcp
+ c->intercept_dr = h->intercept_dr | g->intercept_dr;
+ c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
+ c->intercept = h->intercept | g->intercept;
++
++ c->intercept |= (1ULL << INTERCEPT_VMLOAD);
++ c->intercept |= (1ULL << INTERCEPT_VMSAVE);
+ }
+
+ static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)
diff --git a/queue-5.4/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch b/queue-5.4/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
new file mode 100644
index 00000000000..4216b66d2c6
--- /dev/null
+++ b/queue-5.4/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
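Review bot: The two forced intercepts added at the end of recalc_intercepts carry no comment, so a later reader sees L1's intercept bits ORed in and then two bits set unconditionally with no stated reason. Suggest a comment above the first `c->intercept |=` line along the lines of `/* Virtual VMLOAD/VMSAVE is not supported for L2: L0 must intercept both so they act on L1 memory (CVE-2021-3656). */`. recalc_intercepts starts before the hunk, so it is not visible here whether the function returns early when the vCPU is not in guest mode; if it does not, these lines would also force the intercepts for a non-nested L1 that had them cleared, which is worth confirming against the 5.4 tree.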
@@ -0,0 +1,69 @@
+From 0f923e07124df069ba68d8bb12324398f4b6b709 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky
+Date: Thu, 15 Jul 2021 01:56:24 +0300
+Subject: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
+
+From: Maxim Levitsky
+
+commit 0f923e07124df069ba68d8bb12324398f4b6b709 upstream.
+
+* Invert the mask of bits that we pick from L2 in
+ nested_vmcb02_prepare_control
+
+* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
+
+This fixes a security issue that allowed a malicious L1 to run L2 with
+AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
+AVIC to read/write the host physical memory at some offsets.
+
+Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
+Signed-off-by: Maxim Levitsky
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/svm.h | 2 ++
+ arch/x86/kvm/svm.c | 15 ++++++++-------
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/svm.h
++++ b/arch/x86/include/asm/svm.h
+@@ -119,6 +119,8 @@ struct __attribute__ ((__packed__)) vmcb
+ #define V_IGN_TPR_SHIFT 20
+ #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
+
++#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
++
+ #define V_INTR_MASKING_SHIFT 24
+ #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1443,12 +1443,7 @@ static __init int svm_hardware_setup(voi
+ }
+ }
+
+- if (vgif) {
+- if (!boot_cpu_has(X86_FEATURE_VGIF))
+- vgif = false;
+- else
+- pr_info("Virtual GIF supported\n");
+- }
++ vgif = false; /* Disabled for CVE-2021-3653 */
+
+ return 0;
+
+@@ -3607,7 +3602,13 @@ static void enter_svm_guest_mode(struct
+ svm->nested.intercept = nested_vmcb->control.intercept;
+
+ svm_flush_tlb(&svm->vcpu, true);
+- svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
++
++ svm->vmcb->control.int_ctl &=
++ V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
++
++ svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl &
++ (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK);
++
+ if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
+ svm->vcpu.arch.hflags |= HF_VINTR_MASK;
+ else
diff --git a/queue-5.4/series b/queue-5.4/series
index c21b1a98bab..2425b3616db 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -60,3 +60,5 @@ ceph-clean-up-locking-annotation-for-ceph_get_snap_realm-and-__lookup_snap_realm
 ceph-take-snap_empty_lock-atomically-with-snaprealm-refcount-change.patch
 vmlinux.lds.h-handle-clang-s-module.-c-d-tor-sections.patch
 iommu-vt-d-fix-agaw-for-a-supported-48-bit-guest-address-width.patch
+kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
+kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
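Review bot: The description's second bullet says svm_clear_vintr is changed to use the inverted V_IRQ_INJECTION_BITS_MASK, but the svm.c part of the embedded patch touches only svm_hardware_setup and enter_svm_guest_mode, and the diffstat (8 insertions, 7 deletions in svm.c) leaves no room for such a hunk; either the backport intentionally dropped that part and the message should say so, or a hunk is missing. `vgif = false; /* Disabled for CVE-2021-3653 */` also silently overrides the vgif knob (a module parameter upstream, presumably here too) where the removed code reported the outcome, so an admin who requested it gets no indication it was ignored; consider e.g. `if (vgif) pr_info("Virtual GIF disabled (CVE-2021-3653)\n");` before the assignment. In enter_svm_guest_mode the new `&=` keeps V_INTR_MASKING_MASK only if it is already set in the current vmcb, whereas the removed line forced it on; if init_vmcb sets that bit for L1 this is equivalent, but a one-line comment stating that reliance would save the next backporter the same check. Both svm_hardware_setup and enter_svm_guest_mode begin and end outside the hunk.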