From: Greg Kroah-Hartman
Date: Mon, 16 Aug 2021 19:28:28 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v5.4.142~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc32c98087950d866f95328f6f32683fb39664a7;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
---
diff --git a/queue-4.19/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch b/queue-4.19/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
new file mode 100644
index 00000000000..e5122deb9af
--- /dev/null
+++ b/queue-4.19/kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
@@ -0,0 +1,42 @@
+From foo@baz Mon Aug 16 09:24:04 PM CEST 2021
+From: Paolo Bonzini
+Date: Mon, 16 Aug 2021 16:02:37 +0200
+Subject: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: stable@vger.kernel.org, Maxim Levitsky
+Message-ID: <20210816140240.11399-9-pbonzini@redhat.com>
+
+From: Maxim Levitsky
+
+[ upstream commit c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc ]
+
+If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
+Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
+then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
+possible by making L0 intercept these instructions.
+
+Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
+and thus read/write portions of the host physical memory.
+
+Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
+
+Suggested-by: Paolo Bonzini
+Signed-off-by: Maxim Levitsky
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -513,6 +513,9 @@ static void recalc_intercepts(struct vcp
+ c->intercept_dr = h->intercept_dr | g->intercept_dr;
+ c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
+ c->intercept = h->intercept | g->intercept;
++
++ c->intercept |= (1ULL << INTERCEPT_VMLOAD);
++ c->intercept |= (1ULL << INTERCEPT_VMSAVE);
+ }
+
+ static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)
diff --git a/queue-4.19/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch b/queue-4.19/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
new file mode 100644
index 00000000000..80f52732593
--- /dev/null
+++ b/queue-4.19/kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
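Review bot: The two forced intercepts added at the end of recalc_intercepts carry no comment, so a reader sees L1's VMLOAD/VMSAVE intercept bits merged on the line just above and then unconditionally overridden with nothing in the code explaining why. I would move the reasoning from the patch description next to the code, e.g. `/* L2 gets no Virtual VMLOAD/VMSAVE, so L0 must intercept both regardless of what L1 asked for; otherwise they act on L1 physical memory. */` above the first `c->intercept |=`. recalc_intercepts starts before the inner hunk; the hunk does include its closing brace. The description also states the precondition that Virtual VMLOAD/VMSAVE is not enabled for the nested guest, which upstream guarantees elsewhere; for the 4.19 tree it is worth confirming that no other VMRUN path copies the L1-supplied virt_ext into the running VMCB, since these two intercepts alone would not cover that case.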
@@ -0,0 +1,72 @@
+From foo@baz Mon Aug 16 09:24:04 PM CEST 2021
+From: Paolo Bonzini
+Date: Mon, 16 Aug 2021 16:02:30 +0200
+Subject: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: stable@vger.kernel.org, Maxim Levitsky
+Message-ID: <20210816140240.11399-2-pbonzini@redhat.com>
+
+From: Maxim Levitsky
+
+[ upstream commit 0f923e07124df069ba68d8bb12324398f4b6b709 ]
+
+* Invert the mask of bits that we pick from L2 in
+ nested_vmcb02_prepare_control
+
+* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
+
+This fixes a security issue that allowed a malicious L1 to run L2 with
+AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
+AVIC to read/write the host physical memory at some offsets.
+
+Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
+Signed-off-by: Maxim Levitsky
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/svm.h | 2 ++
+ arch/x86/kvm/svm.c | 15 ++++++++-------
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/svm.h
++++ b/arch/x86/include/asm/svm.h
+@@ -118,6 +118,8 @@ struct __attribute__ ((__packed__)) vmcb
+ #define V_IGN_TPR_SHIFT 20
+ #define V_IGN_TPR_MASK (1 << V_IGN_TPR_SHIFT)
+
++#define V_IRQ_INJECTION_BITS_MASK (V_IRQ_MASK | V_INTR_PRIO_MASK | V_IGN_TPR_MASK)
++
+ #define V_INTR_MASKING_SHIFT 24
+ #define V_INTR_MASKING_MASK (1 << V_INTR_MASKING_SHIFT)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1444,12 +1444,7 @@ static __init int svm_hardware_setup(voi
+ }
+ }
+
+- if (vgif) {
+- if (!boot_cpu_has(X86_FEATURE_VGIF))
+- vgif = false;
+- else
+- pr_info("Virtual GIF supported\n");
+- }
++ vgif = false; /* Disabled for CVE-2021-3653 */
+
+ return 0;
+
+@@ -3593,7 +3588,13 @@ static void enter_svm_guest_mode(struct
+ svm->nested.intercept = nested_vmcb->control.intercept;
+
+ svm_flush_tlb(&svm->vcpu, true);
+- svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
++
++ svm->vmcb->control.int_ctl &=
++ V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
++
++ svm->vmcb->control.int_ctl |= nested_vmcb->control.int_ctl &
++ (V_TPR_MASK | V_IRQ_INJECTION_BITS_MASK);
++
+ if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
+ svm->vcpu.arch.hflags |= HF_VINTR_MASK;
+ else
diff --git a/queue-4.19/series b/queue-4.19/series
index 8b286db518d..22857c83abc 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -36,3 +36,5 @@ pci-msi-protect-msi_desc-masked-for-multi-msi.patch
 vmlinux.lds.h-handle-clang-s-module.-c-d-tor-sections.patch
 iommu-vt-d-fix-agaw-for-a-supported-48-bit-guest-address-width.patch
 mac80211-drop-data-frames-without-key-on-encrypted-links.patch
+kvm-nsvm-always-intercept-vmload-vmsave-when-nested-cve-2021-3656.patch
+kvm-nsvm-avoid-picking-up-unsupported-bits-from-l2-in-int_ctl-cve-2021-3653.patch
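Review bot: The header carried over from upstream says the second change is to `svm_clear_vintr`, but the backported hunks never touch that function: the diffstat (`arch/x86/kvm/svm.c | 15 ++++++++-------`, 8 insertions and 7 deletions) is fully accounted for by the `svm_hardware_setup` and `enter_svm_guest_mode` hunks, and vGIF is instead forced off with `vgif = false;`. A reader of the stable tree will look for a change that is not there, so I would add a line such as `[ backport note: vGIF is disabled outright instead of the svm_clear_vintr change described above ]` under the upstream-commit reference. The removed branch also used to log `Virtual GIF supported`, so a host that previously enabled it now loses it silently; the one-line comment `/* Disabled for CVE-2021-3653 */` could say that it overrides whatever value `vgif` had and why the 4.19 path cannot safely keep it. Both svm_hardware_setup and enter_svm_guest_mode start and end outside their hunks, so the assignment's effect on later code is not visible here.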