kvm: nVMX: Don't allow L2 to access the hardware CR8

Message ID 1528323759-30874-1-git-send-email-stefan.bader@canonical.com
State New
Headers show
Series
  • kvm: nVMX: Don't allow L2 to access the hardware CR8
Related show

Commit Message

Stefan Bader June 6, 2018, 10:22 p.m.
From: Jim Mattson <jmattson@google.com>

If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
exiting" VM-execution controls in vmcs02. Failure to do so will give
the L2 VM unrestricted read/write access to the hardware CR8.

This fixes CVE-2017-12154.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

CVE-2017-12154

(backported from commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/kvm/vmx.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Stefan Bader June 6, 2018, 10:24 p.m. | #1
On 06.06.2018 15:22, Stefan Bader wrote:
> From: Jim Mattson <jmattson@google.com>
> 
> If L1 does not specify the "use TPR shadow" VM-execution control in
> vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
> exiting" VM-execution controls in vmcs02. Failure to do so will give
> the L2 VM unrestricted read/write access to the hardware CR8.
> 
> This fixes CVE-2017-12154.
> 
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Reviewed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> CVE-2017-12154
> 
> (backported from commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---

Messed up the destination, sorry.

>  arch/x86/kvm/vmx.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 45af82c..6f2d4493 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -7837,6 +7837,14 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
>  	exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
>  	exec_control &= ~CPU_BASED_TPR_SHADOW;
>  	exec_control |= vmcs12->cpu_based_vm_exec_control;
> +
> +	if (!(exec_control & CPU_BASED_TPR_SHADOW)) {
> +#ifdef CONFIG_X86_64
> +		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
> +				CPU_BASED_CR8_STORE_EXITING;
> +#endif
> +	}
> +
>  	/*
>  	 * Merging of IO and MSR bitmaps not currently supported.
>  	 * Rather, exit every time.
>
Kleber Souza June 6, 2018, 11:19 p.m. | #2
On 06/06/18 15:22, Stefan Bader wrote:
> From: Jim Mattson <jmattson@google.com>
> 
> If L1 does not specify the "use TPR shadow" VM-execution control in
> vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
> exiting" VM-execution controls in vmcs02. Failure to do so will give
> the L2 VM unrestricted read/write access to the hardware CR8.
> 
> This fixes CVE-2017-12154.
> 
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Reviewed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> CVE-2017-12154
> 
> (backported from commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  arch/x86/kvm/vmx.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 45af82c..6f2d4493 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -7837,6 +7837,14 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
>  	exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
>  	exec_control &= ~CPU_BASED_TPR_SHADOW;
>  	exec_control |= vmcs12->cpu_based_vm_exec_control;
> +
> +	if (!(exec_control & CPU_BASED_TPR_SHADOW)) {
> +#ifdef CONFIG_X86_64
> +		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
> +				CPU_BASED_CR8_STORE_EXITING;
> +#endif
> +	}
> +
>  	/*
>  	 * Merging of IO and MSR bitmaps not currently supported.
>  	 * Rather, exit every time.
> 

The backport looks correct.

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Khaled Elmously June 7, 2018, 4:45 p.m. | #3
On 2018-06-06 15:22:39 , Stefan Bader wrote:
> From: Jim Mattson <jmattson@google.com>
> 
> If L1 does not specify the "use TPR shadow" VM-execution control in
> vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
> exiting" VM-execution controls in vmcs02. Failure to do so will give
> the L2 VM unrestricted read/write access to the hardware CR8.
> 
> This fixes CVE-2017-12154.
> 
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Reviewed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> CVE-2017-12154
> 
> (backported from commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  arch/x86/kvm/vmx.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 45af82c..6f2d4493 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -7837,6 +7837,14 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
>  	exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
>  	exec_control &= ~CPU_BASED_TPR_SHADOW;
>  	exec_control |= vmcs12->cpu_based_vm_exec_control;
> +
> +	if (!(exec_control & CPU_BASED_TPR_SHADOW)) {
> +#ifdef CONFIG_X86_64
> +		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
> +				CPU_BASED_CR8_STORE_EXITING;
> +#endif
> +	}
> +
>  	/*
>  	 * Merging of IO and MSR bitmaps not currently supported.
>  	 * Rather, exit every time.

Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
Khaled Elmously June 7, 2018, 9:55 p.m. | #4
Applied to Trusty

On 2018-06-06 15:22:39 , Stefan Bader wrote:
> From: Jim Mattson <jmattson@google.com>
> 
> If L1 does not specify the "use TPR shadow" VM-execution control in
> vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
> exiting" VM-execution controls in vmcs02. Failure to do so will give
> the L2 VM unrestricted read/write access to the hardware CR8.
> 
> This fixes CVE-2017-12154.
> 
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Reviewed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> CVE-2017-12154
> 
> (backported from commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  arch/x86/kvm/vmx.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 45af82c..6f2d4493 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -7837,6 +7837,14 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
>  	exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
>  	exec_control &= ~CPU_BASED_TPR_SHADOW;
>  	exec_control |= vmcs12->cpu_based_vm_exec_control;
> +
> +	if (!(exec_control & CPU_BASED_TPR_SHADOW)) {
> +#ifdef CONFIG_X86_64
> +		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
> +				CPU_BASED_CR8_STORE_EXITING;
> +#endif
> +	}
> +
>  	/*
>  	 * Merging of IO and MSR bitmaps not currently supported.
>  	 * Rather, exit every time.
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 45af82c..6f2d4493 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7837,6 +7837,14 @@  static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 	exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
 	exec_control &= ~CPU_BASED_TPR_SHADOW;
 	exec_control |= vmcs12->cpu_based_vm_exec_control;
+
+	if (!(exec_control & CPU_BASED_TPR_SHADOW)) {
+#ifdef CONFIG_X86_64
+		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
+				CPU_BASED_CR8_STORE_EXITING;
+#endif
+	}
+
 	/*
 	 * Merging of IO and MSR bitmaps not currently supported.
 	 * Rather, exit every time.