[pve-kernel.git] / patches / kernel / 0009-kvm-nVMX-Enforce-cpl-0-for-VMX-instructions.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Felix Wilhelm <fwilhelm@google.com>
Date: Mon, 11 Jun 2018 09:43:44 +0200
Subject: [PATCH] kvm: nVMX: Enforce cpl=0 for VMX instructions

VMX instructions executed inside a L1 VM will always trigger a VM exit
even when executed with cpl 3. This means we must perform the
privilege check in software.

Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Wilhelm <fwilhelm@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 arch/x86/kvm/vmx.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1a5617fc8b6a..5c8bd2d61080 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7575,6 +7575,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
 		return 1;
 	}
 
+	/* CPL=0 must be checked manually. */
+	if (vmx_get_cpl(vcpu)) {
+		kvm_queue_exception(vcpu, UD_VECTOR);
+		return 1;
+	}
+
 	if (vmx->nested.vmxon) {
 		nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
 		return kvm_skip_emulated_instruction(vcpu);
@@ -7634,6 +7640,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
  */
 static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
 {
+	if (vmx_get_cpl(vcpu)) {
+		kvm_queue_exception(vcpu, UD_VECTOR);
+		return 0;
+	}
+
 	if (!to_vmx(vcpu)->nested.vmxon) {
 		kvm_queue_exception(vcpu, UD_VECTOR);
 		return 0;
@@ -7967,7 +7978,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
 		if (get_vmx_mem_address(vcpu, exit_qualification,
 				vmx_instruction_info, true, &gva))
 			return 1;
-		/* _system ok, as hardware has verified cpl=0 */
+		/* _system ok, nested_vmx_check_permission has verified cpl=0 */
 		kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
 			     &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
 	}
@@ -8110,7 +8121,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
 	if (get_vmx_mem_address(vcpu, exit_qualification,
 			vmx_instruction_info, true, &vmcs_gva))
 		return 1;
-	/* ok to use *_system, as hardware has verified cpl=0 */
+	/* *_system ok, nested_vmx_check_permission has verified cpl=0 */
 	if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
 				 (void *)&to_vmx(vcpu)->nested.current_vmptr,
 				 sizeof(u64), &e)) {
Commit	Line	Data
c0514fa3	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2dc5b5fe TL	2	From: Felix Wilhelm <fwilhelm@google.com>
2dc5b5fe TL	3	Date: Mon, 11 Jun 2018 09:43:44 +0200
c0514fa3	4	Subject: [PATCH] kvm: nVMX: Enforce cpl=0 for VMX instructions
2dc5b5fe TL	5
	6	VMX instructions executed inside a L1 VM will always trigger a VM exit
	7	even when executed with cpl 3. This means we must perform the
	8	privilege check in software.
	9
	10	Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
	11	Cc: stable@vger.kernel.org
	12	Signed-off-by: Felix Wilhelm <fwilhelm@google.com>
	13	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	14	Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
	15	---
	16	arch/x86/kvm/vmx.c \| 15 +++++++++++++--
	17	1 file changed, 13 insertions(+), 2 deletions(-)
	18
	19	diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
e2af2a61	20	index 1a5617fc8b6a..5c8bd2d61080 100644
2dc5b5fe TL	21	--- a/arch/x86/kvm/vmx.c
2dc5b5fe TL	22	+++ b/arch/x86/kvm/vmx.c
e2af2a61	23	@@ -7575,6 +7575,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
2dc5b5fe TL	24	return 1;
	25	}
	26
	27	+ /* CPL=0 must be checked manually. */
	28	+ if (vmx_get_cpl(vcpu)) {
	29	+ kvm_queue_exception(vcpu, UD_VECTOR);
	30	+ return 1;
	31	+ }
	32	+
	33	if (vmx->nested.vmxon) {
	34	nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
	35	return kvm_skip_emulated_instruction(vcpu);
e2af2a61	36	@@ -7634,6 +7640,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
2dc5b5fe TL	37	*/
	38	static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
	39	{
	40	+ if (vmx_get_cpl(vcpu)) {
	41	+ kvm_queue_exception(vcpu, UD_VECTOR);
	42	+ return 0;
	43	+ }
	44	+
	45	if (!to_vmx(vcpu)->nested.vmxon) {
	46	kvm_queue_exception(vcpu, UD_VECTOR);
	47	return 0;
e2af2a61	48	@@ -7967,7 +7978,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
2dc5b5fe TL	49	if (get_vmx_mem_address(vcpu, exit_qualification,
	50	vmx_instruction_info, true, &gva))
	51	return 1;
	52	- /* _system ok, as hardware has verified cpl=0 */
	53	+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
	54	kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
	55	&field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
	56	}
e2af2a61	57	@@ -8110,7 +8121,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
2dc5b5fe TL	58	if (get_vmx_mem_address(vcpu, exit_qualification,
	59	vmx_instruction_info, true, &vmcs_gva))
	60	return 1;
	61	- /* ok to use _system, as hardware has verified cpl=0 /
	62	+ /* _system ok, nested_vmx_check_permission has verified cpl=0 /
	63	if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
	64	(void *)&to_vmx(vcpu)->nested.current_vmptr,
	65	sizeof(u64), &e)) {