From patchwork Tue Apr 25 17:57:18 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andy Whitcroft <apw@canonical.com>
X-Patchwork-Id: 754949
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3wC9sT4YxBz9s8c;
	Wed, 26 Apr 2017 03:57:33 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1d34iQ-0004Bo-9n; Tue, 25 Apr 2017 17:57:30 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.76) (envelope-from <apw@canonical.com>) id 1d34iF-00049Y-B0
	for kernel-team@lists.ubuntu.com; Tue, 25 Apr 2017 17:57:19 +0000
Received: from 1.general.apw.uk.vpn ([10.172.192.78] helo=localhost)
	by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.76) (envelope-from <apw@canonical.com>)
	id 1d34iF-0005hm-0w; Tue, 25 Apr 2017 17:57:19 +0000
From: Andy Whitcroft <apw@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [trusty/master-next 1/1] UBUNTU: SAUCE: KVM has a flaw in INVEPT
	emulation that could crash the host
Date: Tue, 25 Apr 2017 18:57:18 +0100
Message-Id: <20170425175718.25904-2-apw@canonical.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20170425175718.25904-1-apw@canonical.com>
References: <20170425175718.25904-1-apw@canonical.com>
Cc: Andy Whitcroft <apw@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

[ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
[ 1046.387386] IP: [<ffffffffa05b3ca3>] handle_invept+0x123/0x170 [kvm_intel]
[ 1046.389577] PGD 0
[ 1046.390273] Oops: 0000 [#1] SMP

(tested with Ubuntu 14.04 linux-image-3.13.0-113-generic)

The host KVM touches NULL pointer (vmx->nested.current_vmcs12) when a
(crafted or buggy) guest issues a single-context INVEPT instruction
*without* VMPTRLD like this:

	kvm_cpu_vmxon(phys_addr);
	ept_sync_context(0);

(requires nested EPT; full PoC module code attached)

This flaw was introduced in commit bfd0a56b90005f8c8a004baf407ad90045c2b11e
(nEPT: Nested INVEPT) and removed in 4b855078601fc422dbac3059f2215e776f49780f
(KVM: nVMX: Don't advertise single context invalidation for invept).

Original-Patch-By: Minoura Makoto <minoura@valinux.co.jp>
CVE-2017-8106
BugLink: http://bugs.launchpad.net/bugs/1678676
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195167
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
---
 arch/x86/kvm/vmx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 6658c0bf3666..57eae7732493 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6386,6 +6386,8 @@ static int handle_invept(struct kvm_vcpu *vcpu)
 
 	switch (type) {
 	case VMX_EPT_EXTENT_CONTEXT:
+		if (to_vmx(vcpu)->nested.current_vmptr == -1ull)
+			break;
 		if ((operand.eptp & eptp_mask) !=
 				(nested_ept_get_cr3(vcpu) & eptp_mask))
 			break;