
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
"x86 fixes for overflows and other nastiness"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: x86: nVMX: fix x2APIC VTPR read intercept
KVM: x86: nVMX: close leak of L0's x2APIC MSRs (CVE-2019-3887)
KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow
kvm: svm: fix potential get_num_contig_pages overflow

+59 -37
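--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -6422,11 +6422,11 @@
 return ret;
 }
 
-static int get_num_contig_pages(int idx, struct page **inpages,
-unsigned long npages)
+static unsigned long get_num_contig_pages(unsigned long idx,
+struct page **inpages, unsigned long npages)
 {
 unsigned long paddr, next_paddr;
-int i = idx + 1, pages = 1;
+unsigned long i = idx + 1, pages = 1;
 
 /* find the number of contiguous pages starting from idx */
 paddr = __sme_page_pa(inpages[idx]);
@@ -6445,12 +6445,12 @@
 
 static int sev_launch_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
 {
-unsigned long vaddr, vaddr_end, next_vaddr, npages, size;
+unsigned long vaddr, vaddr_end, next_vaddr, npages, pages, size, i;
 struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
 struct kvm_sev_launch_update_data params;
 struct sev_data_launch_update_data *data;
 struct page **inpages;
-int i, ret, pages;
+int ret;
 
 if (!sev_guest(kvm))
 return -ENOTTY;
@@ -6799,13 +6799,19 @@
 struct page **src_p, **dst_p;
 struct kvm_sev_dbg debug;
 unsigned long n;
-int ret, size;
+unsigned int size;
+int ret;
 
 if (!sev_guest(kvm))
 return -ENOTTY;
 
 if (copy_from_user(&debug, (void __user *)(uintptr_t)argp->data, sizeof(debug)))
 return -EFAULT;
+
+if (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr)
+return -EINVAL;
+if (!debug.dst_uaddr)
+return -EINVAL;
 
 vaddr = debug.src_uaddr;
 size = debug.len;
@@ -6863,8 +6857,8 @@
 dst_vaddr,
 len, &argp->error);
 
-sev_unpin_memory(kvm, src_p, 1);
-sev_unpin_memory(kvm, dst_p, 1);
+sev_unpin_memory(kvm, src_p, n);
+sev_unpin_memory(kvm, dst_p, n);
 
 if (ret)
 goto err;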
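Review bot: The wrap-around guard added after copy_from_user() in the third hunk covers only the source range (`debug.src_uaddr + debug.len < debug.src_uaddr`); the destination gets just a NULL check, so `debug.dst_uaddr + debug.len` can still wrap on a hostile length/address pair. Whether a wrapped destination is rejected later depends on how dst_p is pinned, which lies outside this hunk, so a symmetric `if (debug.dst_uaddr + debug.len < debug.dst_uaddr) return -EINVAL;` next to the source check would make the input contract explicit at the point where the values enter the kernel. The enclosing function starts before the hunk and continues past it, as does the function in each of the other three hunks.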
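--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -500,6 +500,17 @@
 }
 }
 
+static inline void enable_x2apic_msr_intercepts(unsigned long *msr_bitmap) {
+int msr;
+
+for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
+unsigned word = msr / BITS_PER_LONG;
+
+msr_bitmap[word] = ~0;
+msr_bitmap[word + (0x800 / sizeof(long))] = ~0;
+}
+}
+
 /*
 * Merge L0's and L1's MSR bitmap, return false to indicate that
 * we do not use the hardware.
@@ -552,39 +541,44 @@
 return false;
 
 msr_bitmap_l1 = (unsigned long *)kmap(page);
-if (nested_cpu_has_apic_reg_virt(vmcs12)) {
-/*
-* L0 need not intercept reads for MSRs between 0x800 and 0x8ff, it
-* just lets the processor take the value from the virtual-APIC page;
-* take those 256 bits directly from the L1 bitmap.
-*/
-for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
-unsigned word = msr / BITS_PER_LONG;
-msr_bitmap_l0[word] = msr_bitmap_l1[word];
-msr_bitmap_l0[word + (0x800 / sizeof(long))] = ~0;
-}
-} else {
-for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
-unsigned word = msr / BITS_PER_LONG;
-msr_bitmap_l0[word] = ~0;
-msr_bitmap_l0[word + (0x800 / sizeof(long))] = ~0;
-}
-}
 
-nested_vmx_disable_intercept_for_msr(
-msr_bitmap_l1, msr_bitmap_l0,
-X2APIC_MSR(APIC_TASKPRI),
-MSR_TYPE_W);
+/*
+* To keep the control flow simple, pay eight 8-byte writes (sixteen
+* 4-byte writes on 32-bit systems) up front to enable intercepts for
+* the x2APIC MSR range and selectively disable them below.
+*/
+enable_x2apic_msr_intercepts(msr_bitmap_l0);
 
-if (nested_cpu_has_vid(vmcs12)) {
+if (nested_cpu_has_virt_x2apic_mode(vmcs12)) {
+if (nested_cpu_has_apic_reg_virt(vmcs12)) {
+/*
+* L0 need not intercept reads for MSRs between 0x800
+* and 0x8ff, it just lets the processor take the value
+* from the virtual-APIC page; take those 256 bits
+* directly from the L1 bitmap.
+*/
+for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
+unsigned word = msr / BITS_PER_LONG;
+
+msr_bitmap_l0[word] = msr_bitmap_l1[word];
+}
+}
+
 nested_vmx_disable_intercept_for_msr(
 msr_bitmap_l1, msr_bitmap_l0,
-X2APIC_MSR(APIC_EOI),
-MSR_TYPE_W);
-nested_vmx_disable_intercept_for_msr(
-msr_bitmap_l1, msr_bitmap_l0,
-X2APIC_MSR(APIC_SELF_IPI),
-MSR_TYPE_W);
+X2APIC_MSR(APIC_TASKPRI),
+MSR_TYPE_R | MSR_TYPE_W);
+
+if (nested_cpu_has_vid(vmcs12)) {
+nested_vmx_disable_intercept_for_msr(
+msr_bitmap_l1, msr_bitmap_l0,
+X2APIC_MSR(APIC_EOI),
+MSR_TYPE_W);
+nested_vmx_disable_intercept_for_msr(
+msr_bitmap_l1, msr_bitmap_l0,
+X2APIC_MSR(APIC_SELF_IPI),
+MSR_TYPE_W);
+}
 }
 
 if (spec_ctrl)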
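Review bot: The new helper enable_x2apic_msr_intercepts() in the first hunk puts the opening brace on the signature line, which departs from the kernel convention of a function's brace on its own line, and it carries no comment on why each iteration stores twice. Since this helper is now the safety default that the merge path relies on before selectively clearing bits, a short header would help: `/* Set every bit for MSRs 0x800-0x8ff in both halves of the bitmap: the read bitmap at word, and the second half at word + 0x800/sizeof(long), so nothing in the x2APIC range passes through unless explicitly cleared below. */` (the read-half meaning follows from the copy of msr_bitmap_l1[word] in the second hunk; the second half being the write bitmap is inferred from the VMX layout, so confirm the wording). The merge function in the second hunk starts before the hunk and ends after it.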