From patchwork Fri Dec 1 13:15:55 2023
X-Patchwork-Submitter: Magali Lemes
X-Patchwork-Id: 1870611
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH 1/3] x86/sev: Disable MMIO emulation from user mode
Date: Fri, 1 Dec 2023 10:15:55 -0300
Message-Id: <20231201131601.1146971-2-magali.lemes@canonical.com>
In-Reply-To: <20231201131601.1146971-1-magali.lemes@canonical.com>
References: <20231201131601.1146971-1-magali.lemes@canonical.com>
List-Id: Kernel team discussions

From: "Borislav Petkov (AMD)"

Upstream commit: a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba

A virt scenario can be constructed where MMIO memory can be user memory.
When that happens, a race condition opens between when the hardware raises
the #VC and when the #VC handler gets to emulate the instruction.

If the MOVS is replaced with a MOVS accessing kernel memory in that small
race window, then a write to kernel memory happens as the access checks are
not done at emulation time.

Disable MMIO emulation in user mode temporarily until a sensible use case
appears and justifies properly handling the race window.

Fixes: 0118b604c2c9 ("x86/sev-es: Handle MMIO String Instructions")
Reported-by: Tom Dohrmann
Signed-off-by: Borislav Petkov (AMD)
Tested-by: Tom Dohrmann
Cc:
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 6797c6d09e50e7ddb1c0f8282ccfb3f1c4d63270 linux-5.15.y)
CVE-2023-46813
Signed-off-by: Magali Lemes
---
 arch/x86/kernel/sev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
index d19d3154a290..a564e319760b 100644
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c
@@ -1004,6 +1004,9 @@ static enum es_result vc_handle_mmio(struct ghcb *ghcb, enum es_result ret; long *reg_data; + if (user_mode(ctxt->regs)) + return ES_UNSUPPORTED; + switch (insn->opcode.bytes[0]) { /* MMIO Write */ case 0x88:
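Review bot: the new `if (user_mode(ctxt->regs)) return ES_UNSUPPORTED;` in vc_handle_mmio() carries no comment, while the commit message explains that it is a temporary stopgap for a race between the hardware raising #VC and the access checks done at emulation time; put that rationale, and a reference to CVE-2023-46813, in a comment above the check so a later reader does not remove it as an apparent functionality regression. Placing the check ahead of the opcode switch is the right spot, since the race applies to every MMIO instruction form the switch handles, not just MOVS.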
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy/Lunar][PATCH 2/3] x86/sev: Check IOBM for IOIO exceptions from user-space
Date: Fri, 1 Dec 2023 10:15:57 -0300
Message-Id: <20231201131601.1146971-4-magali.lemes@canonical.com>
In-Reply-To: <20231201131601.1146971-1-magali.lemes@canonical.com>
References: <20231201131601.1146971-1-magali.lemes@canonical.com>
List-Id: Kernel team discussions

From: Joerg Roedel

Check the IO permission bitmap (if present) before emulating IOIO #VC
exceptions for user-space. These permissions are checked by hardware
already before the #VC is raised, but due to the VC-handler decoding race
it needs to be checked again in software.

Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
Reported-by: Tom Dohrmann
Signed-off-by: Joerg Roedel
Signed-off-by: Borislav Petkov (AMD)
Tested-by: Tom Dohrmann
Cc:
CVE-2023-46813
(cherry picked from commit b9cb9c45583b911e0db71d09caa6b56469eb2bdf)
Signed-off-by: Magali Lemes
---
 arch/x86/boot/compressed/sev.c | 5 +++++
 arch/x86/kernel/sev-shared.c | 22 +++++++++++++++-------
 arch/x86/kernel/sev.c | 27 +++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c
index e65f0968e0d9..b9b8ff3fe8e9 100644
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c
@@ -103,6 +103,11 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt, return ES_OK; } +static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size) +{ + return ES_OK; +} + #undef __init #undef __pa #define __init
diff --git a/arch/x86/kernel/sev-shared.c b/arch/x86/kernel/sev-shared.c index 3a5b0c9c4fcc..ebb24c09ffd6 100644 --- a/arch/x86/kernel/sev-shared.c +++ b/arch/x86/kernel/sev-shared.c @@ -653,6 +653,9 @@ static enum es_result vc_insn_string_write(struct es_em_ctxt *ctxt, static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) { struct insn *insn = &ctxt->insn; + size_t size; + u64 port; + *exitinfo = 0; switch (insn->opcode.bytes[0]) { @@ -661,7 +664,7 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) case 0x6d: *exitinfo |= IOIO_TYPE_INS; *exitinfo |= IOIO_SEG_ES; - *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; + port = ctxt->regs->dx & 0xffff; break; /* OUTS opcodes */ @@ -669,41 +672,43 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) case 0x6f: *exitinfo |= IOIO_TYPE_OUTS; *exitinfo |= IOIO_SEG_DS; - *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; + port = ctxt->regs->dx & 0xffff; break; /* IN immediate opcodes */ case 0xe4: case 0xe5: *exitinfo |= IOIO_TYPE_IN; - *exitinfo |= (u8)insn->immediate.value << 16; + port = (u8)insn->immediate.value & 0xffff; break; /* OUT immediate opcodes */ case 0xe6: case 0xe7: *exitinfo |= IOIO_TYPE_OUT; - *exitinfo |= (u8)insn->immediate.value << 16; + port = (u8)insn->immediate.value & 0xffff; break; /* IN register opcodes */ case 0xec: case 0xed: *exitinfo |= IOIO_TYPE_IN; - *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; + port = ctxt->regs->dx & 0xffff; break; /* OUT register opcodes */ case 0xee: case 0xef: *exitinfo |= IOIO_TYPE_OUT; - *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; + port = ctxt->regs->dx & 0xffff; break; default: return ES_DECODE_FAILED; } + *exitinfo |= port << 16; + switch (insn->opcode.bytes[0]) { case 0x6c: case 0x6e: 
@@ -713,12 +718,15 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) case 0xee: /* Single byte opcodes */ *exitinfo |= IOIO_DATA_8; + size = 1; break; default: /* Length determined by instruction parsing */ *exitinfo |= (insn->opnd_bytes == 2) ? IOIO_DATA_16 : IOIO_DATA_32; + size = (insn->opnd_bytes == 2) ? 2 : 4; } + switch (insn->addr_bytes) { case 2: *exitinfo |= IOIO_ADDR_16; @@ -734,7 +742,7 @@ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) if (insn_has_rep_prefix(insn)) *exitinfo |= IOIO_REP; - return ES_OK; + return vc_ioio_check(ctxt, (u16)port, size); } static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt) diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c index b09172592e02..94233f7ad93d 100644 --- a/arch/x86/kernel/sev.c +++ b/arch/x86/kernel/sev.c 
@@ -512,6 +512,33 @@ static enum es_result vc_slow_virt_to_phys(struct ghcb *ghcb, struct es_em_ctxt return ES_OK; } +static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size) +{ + BUG_ON(size > 4); + + if (user_mode(ctxt->regs)) { + struct thread_struct *t = ¤t->thread; + struct io_bitmap *iobm = t->io_bitmap; + size_t idx; + + if (!iobm) + goto fault; + + for (idx = port; idx < port + size; ++idx) { + if (test_bit(idx, iobm->bitmap)) + goto fault; + } + } + + return ES_OK; + +fault: + ctxt->fi.vector = X86_TRAP_GP; + ctxt->fi.error_code = 0; + + return ES_EXCEPTION; +} + /* Include code shared with pre-decompression boot stage */ #include "sev-shared.c"
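Review bot: the decompressor stub `vc_ioio_check()` in arch/x86/boot/compressed/sev.c returns ES_OK unconditionally without saying why; a one-line comment that the pre-decompression stage runs no user-mode code, so there is no per-task IO bitmap to consult, would keep the stub from reading as a bypass of the check the kernel-proper version performs, and would also explain why its `ctxt`, `port` and `size` parameters go unused.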
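Review bot: with `return vc_ioio_check(ctxt, (u16)port, size);` replacing `return ES_OK;` at the end of vc_ioio_exitinfo(), the function can now return ES_EXCEPTION with `ctxt->fi` populated, in addition to ES_OK and ES_DECODE_FAILED; its caller (vc_handle_ioio, whose body is not in this diff) must propagate that value unchanged so the #GP is actually injected, and the commit message should state the new contract. Keeping `port` as u64 is correct: the later `*exitinfo |= port << 16;` would be a signed overflow on a narrower type promoted to int when the port is 0xffff, so only the redundant `& 0xffff` on the `(u8)insn->immediate.value` cases is worth dropping.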
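Review bot: in the kernel-proper vc_ioio_check(), `for (idx = port; idx < port + size; ++idx)` is not bounded against the length of the permission map: `port` is a u16 and `size` can be up to 4, so an access at port 0xffff with a 2- or 4-byte width makes `idx` run past bit 65535, the last bit of a 64K-port IO bitmap, and `test_bit()` then reads beyond `iobm->bitmap`. The CPU faults on such wrap-around accesses, so the software check should do the same, treating `idx >= IO_BITMAP_BITS` as `goto fault`. Separately, `BUG_ON(size > 4)` sits on a path reached from user mode; `size` comes from the kernel's own decoder so it cannot fire today, but `WARN_ON_ONCE` followed by `goto fault` is the safer way to degrade. The `¤t->thread` shown in this hunk is the extraction's HTML-entity rendering of `&current->thread`.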
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Lunar][PATCH 3/3] x86/sev: Check for user-space IOIO pointing to kernel space
Date: Fri, 1 Dec 2023 10:16:00 -0300
Message-Id: <20231201131601.1146971-7-magali.lemes@canonical.com>
In-Reply-To: <20231201131601.1146971-1-magali.lemes@canonical.com>
References: <20231201131601.1146971-1-magali.lemes@canonical.com>
List-Id: Kernel team discussions

From: Joerg Roedel

Check the memory operand of INS/OUTS before emulating the instruction. The
#VC exception can get raised from user-space, but the memory operand can be
manipulated to access kernel memory before the emulation actually begins
and after the exception handler has run.

[ bp: Massage commit message. ]

Fixes: 597cfe48212a ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler")
Reported-by: Tom Dohrmann
Signed-off-by: Joerg Roedel
Signed-off-by: Borislav Petkov (AMD)
Cc:
(cherry picked from commit 63e44bc52047f182601e7817da969a105aa1f721)
CVE-2023-46813
Signed-off-by: Magali Lemes
---
 arch/x86/boot/compressed/sev.c | 5 +++++
 arch/x86/kernel/sev-shared.c | 31 +++++++++++++++++++++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c
index b9b8ff3fe8e9..9c91cc40f456 100644
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c
@@ -108,6 +108,11 @@ static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t si return ES_OK; } +static bool fault_in_kernel_space(unsigned long address) +{ + return false; +} + #undef __init #undef __pa #define __init diff --git a/arch/x86/kernel/sev-shared.c b/arch/x86/kernel/sev-shared.c index ebb24c09ffd6..8abd18811238 100644 --- a/arch/x86/kernel/sev-shared.c +++ b/arch/x86/kernel/sev-shared.c @@ -589,6 +589,23 @@ void __init do_vc_no_ghcb(struct pt_regs *regs, unsigned long exit_code) sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_GEN_REQ); } +static enum es_result vc_insn_string_check(struct es_em_ctxt *ctxt, + unsigned long address, + bool write) +{ + if (user_mode(ctxt->regs) && fault_in_kernel_space(address)) { + ctxt->fi.vector = X86_TRAP_PF; + ctxt->fi.error_code = X86_PF_USER; + ctxt->fi.cr2 = address; + if (write) + ctxt->fi.error_code |= X86_PF_WRITE; + + return ES_EXCEPTION; + } + + return ES_OK; +} + static enum es_result vc_insn_string_read(struct es_em_ctxt *ctxt, void *src, char *buf, unsigned int data_size, @@ -596,7 +613,12 @@ static enum es_result vc_insn_string_read(struct es_em_ctxt *ctxt, bool backwards) { int i, b = backwards ? -1 : 1; - enum es_result ret = ES_OK; + unsigned long address = (unsigned long)src; + enum es_result ret; + + ret = vc_insn_string_check(ctxt, address, false); + if (ret != ES_OK) + return ret; for (i = 0; i < count; i++) { void *s = src + (i * data_size * b); @@ -617,7 +639,12 @@ static enum es_result vc_insn_string_write(struct es_em_ctxt *ctxt, bool backwards) { int i, s = backwards ? -1 : 1; - enum es_result ret = ES_OK; + unsigned long address = (unsigned long)dst; + enum es_result ret; + + ret = vc_insn_string_check(ctxt, address, true); + if (ret != ES_OK) + return ret; for (i = 0; i < count; i++) { void *d = dst + (i * data_size * s);
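Review bot: vc_insn_string_check() is handed only the first element's address, while the vc_insn_string_read() and vc_insn_string_write() loops below it walk `count * data_size` bytes from that address in either direction; the single check still suffices on x86-64 because a contiguous range that starts in user space cannot reach the kernel half without first crossing the non-canonical hole, where the per-element access faults on its own, but that reasoning is not written down anywhere and belongs in a comment above the function. The synthesized fault (X86_TRAP_PF with X86_PF_USER, X86_PF_WRITE when the emulation would store to memory, and `cr2 = address`) also deserves a short comment saying it is meant to look like the #PF a direct user-mode access to that address would have raised.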
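Review bot: in the vc_insn_string_read() and vc_insn_string_write() hunks, `enum es_result ret = ES_OK;` becomes an uninitialized `enum es_result ret;` that is assigned from vc_insn_string_check() before the loop; that is correct as shown, but it relies on the early `if (ret != ES_OK) return ret;` staying directly after the check, so a comment on the declaration (or keeping the `= ES_OK` initializer) would protect against a future reordering that reintroduces a use of an uninitialized `ret` when `count` is zero.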