UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
possible by making L0 intercept these instructions.

Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
and thus read/write portions of the host physical memory.

This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and
Paolo Bonzini.

Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
CVE-2021-3656
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Ben Romer <benjamin.romer@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 6d9bbc78b642c7f5341c836dfd22ec951ddcc064..188907de62c83f16d1e76746e2900adcc17033e8 100644 (file)
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -516,6 +516,9 @@ static void recalc_intercepts(struct vcpu_svm *svm)
        c->intercept_dr = h->intercept_dr | g->intercept_dr;
        c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
        c->intercept = h->intercept | g->intercept;
+
+       c->intercept |= (1ULL << INTERCEPT_VMLOAD);
+       c->intercept |= (1ULL << INTERCEPT_VMSAVE);
 }
 
 static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)