c32a5136 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
241d0d30 TL |
2 | From: Felix Wilhelm <fwilhelm@google.com> |
3 | Date: Mon, 11 Jun 2018 09:43:44 +0200 | |
c32a5136 | 4 | Subject: [PATCH] kvm: nVMX: Enforce cpl=0 for VMX instructions |
241d0d30 TL |
5 | |
6 | VMX instructions executed inside an L1 VM will always trigger a VM exit | |
7 | even when executed with cpl 3. This means we must perform the | |
8 | privilege check in software. | |
9 | ||
10 | Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks") | |
11 | Cc: stable@vger.kernel.org | |
12 | Signed-off-by: Felix Wilhelm <fwilhelm@google.com> | |
13 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | |
14 | Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> | |
15 | --- | |
16 | arch/x86/kvm/vmx.c | 15 +++++++++++++-- | |
17 | 1 file changed, 13 insertions(+), 2 deletions(-) | |
18 | ||
19 | diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c | |
c32a5136 | 20 | index 54980817194a..b2d75b59b6e5 100644 |
241d0d30 TL |
21 | --- a/arch/x86/kvm/vmx.c |
22 | +++ b/arch/x86/kvm/vmx.c | |
c32a5136 | 23 | @@ -7180,6 +7180,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu) |
241d0d30 TL |
24 | return 1; |
25 | } | |
26 | ||
27 | + /* CPL=0 must be checked manually. */ | |
28 | + if (vmx_get_cpl(vcpu)) { | |
29 | + kvm_queue_exception(vcpu, UD_VECTOR); | |
30 | + return 1; | |
31 | + } | |
32 | + | |
33 | if (vmx->nested.vmxon) { | |
34 | nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION); | |
35 | return kvm_skip_emulated_instruction(vcpu); | |
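Review bot: The new CPL check at L34-L37 injects #UD, but the SDM pseudocode for VMXON (and the shared pseudocode for the other VMX instructions) lists CPL > 0 as a #GP(0) condition, evaluated only after the #UD conditions (CR4.VMXE clear, not in VMX operation, and so on), so a guest that relies on the fault type to tell "VMX unavailable" from "insufficient privilege" sees the wrong exception. The privilege gap is closed either way; only the guest-visible vector and the check ordering differ. I would change the injection here and in the nested_vmx_check_permission hunk at L47-L50 to `kvm_inject_gp(vcpu, 0);`, and in that function move the CPL test after the `nested.vmxon` test so the #UD for "not in VMX operation" keeps precedence as the SDM orders it. handle_vmon begins and continues outside this hunk, so the relative order of the earlier #UD checks cannot be confirmed from here.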
c32a5136 | 36 | @@ -7239,6 +7245,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu) |
241d0d30 TL |
37 | */ |
38 | static int nested_vmx_check_permission(struct kvm_vcpu *vcpu) | |
39 | { | |
40 | + if (vmx_get_cpl(vcpu)) { | |
41 | + kvm_queue_exception(vcpu, UD_VECTOR); | |
42 | + return 0; | |
43 | + } | |
44 | + | |
45 | if (!to_vmx(vcpu)->nested.vmxon) { | |
46 | kvm_queue_exception(vcpu, UD_VECTOR); | |
47 | return 0; | |
c32a5136 | 48 | @@ -7577,7 +7588,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu) |
241d0d30 TL |
49 | if (get_vmx_mem_address(vcpu, exit_qualification, |
50 | vmx_instruction_info, true, &gva)) | |
51 | return 1; | |
52 | - /* _system ok, as hardware has verified cpl=0 */ | |
53 | + /* _system ok, nested_vmx_check_permission has verified cpl=0 */ | |
54 | kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva, | |
55 | &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL); | |
56 | } | |
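Review bot: The rewritten comment at L61 now documents a safety invariant for the `*_system` write — which, as the old wording implies, is only acceptable at cpl=0 — that is enforced in a different function, and a reader of handle_vmread cannot confirm from this hunk that nested_vmx_check_permission() has already run on this path; that call, if present, sits outside the hunk near the function entry. I would make the dependency explicit so a later reordering of the handler is caught in review: `/* _system ok: nested_vmx_check_permission() at function entry has verified cpl=0 */`, and the same wording for the handle_vmptrst comment at L71. Both handle_vmread and handle_vmptrst begin outside their hunks.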
c32a5136 | 57 | @@ -7720,7 +7731,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu) |
241d0d30 TL |
58 | if (get_vmx_mem_address(vcpu, exit_qualification, |
59 | vmx_instruction_info, true, &vmcs_gva)) | |
60 | return 1; | |
61 | - /* ok to use *_system, as hardware has verified cpl=0 */ | |
62 | + /* *_system ok, nested_vmx_check_permission has verified cpl=0 */ | |
63 | if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva, | |
64 | (void *)&to_vmx(vcpu)->nested.current_vmptr, | |
65 | sizeof(u64), &e)) { |