4ac9db0e26
- CVE-2014-3611 kvm: PIT timer race condition (rhbz 1144878 1156537) - CVE-2014-3646 kvm: vmx: invvpid vm exit not handled (rhbz 1144825 1156534) - CVE-2014-8369 kvm: excessive pages un-pinning in kvm_iommu_map error path (rhbz 1156518 1156522) - CVE-2014-8480 CVE-2014-8481 kvm: NULL pointer dereference during rip relative instruction emulation (rhbz 1156615 1156616)
From: Andy Honig <ahonig@google.com>
Date: Fri, 24 Oct 2014 17:07:13 +0200
Subject: [PATCH] KVM: x86: Prevent host from panicking on shared MSR writes.
The previous patch blocked invalid writes directly when the MSR
is written. As a precaution, prevent future similar mistakes by
gracefully handle GPs caused by writes to shared MSRs.
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
[Remove parts obsoleted by Nadav's patch. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/vmx.c | 7 +++++--
arch/x86/kvm/x86.c | 11 ++++++++---
3 files changed, 14 insertions(+), 6 deletions(-)
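diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index ccc94de4ac49..6ed0c30d6a0c 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1064,7 +1064,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm *kvm,
 unsigned long address);
 
 void kvm_define_shared_msr(unsigned index, u32 msr);
-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
+int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
 
 bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
 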
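diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 148020a7dd98..7e2c098b59c9 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2659,12 +2659,15 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 default:
 msr = find_msr_entry(vmx, msr_index);
 if (msr) {
+u64 old_msr_data = msr->data;
 msr->data = data;
 if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
 preempt_disable();
-kvm_set_shared_msr(msr->index, msr->data,
-msr->mask);
+ret = kvm_set_shared_msr(msr->index, msr->data,
+msr->mask);
 preempt_enable();
+if (ret)
+msr->data = old_msr_data;
 }
 break;
 }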
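Review bot: The rollback `msr->data = old_msr_data;` after `preempt_enable()` has no comment saying why the cached guest value is undone, and the hunk does not show where `ret` is declared or initialised; vmx_set_msr starts and ends outside the hunk, so presumably it already carries an `int ret` that this path now reuses, which should be confirmed. A one-line comment on the `if (ret)` branch would make the intent clear to the next reader, e.g. `/* wrmsr faulted in kvm_set_shared_msr(): keep the previous guest value */`. Note that this rollback only restores the per-vCPU copy in guest_msrs; the per-CPU cache written by kvm_set_shared_msr() is discussed on the x86.c hunk of this patch.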
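diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 5a7195573a32..0033df32a745 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -229,20 +229,25 @@ static void kvm_shared_msr_cpu_online(void)
 shared_msr_update(i, shared_msrs_global.msrs[i]);
 }
 
-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
+int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
 {
 unsigned int cpu = smp_processor_id();
 struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
+int err;
 
 if (((value ^ smsr->values[slot].curr) & mask) == 0)
-return;
+return 0;
 smsr->values[slot].curr = value;
-wrmsrl(shared_msrs_global.msrs[slot], value);
+err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
+if (err)
+return 1;
+
 if (!smsr->registered) {
 smsr->urn.on_user_return = kvm_on_user_return;
 user_return_notifier_register(&smsr->urn);
 smsr->registered = true;
 }
+return 0;
 }
 EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
 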
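Review bot: `smsr->values[slot].curr = value;` is still executed before `wrmsrl_safe()` is attempted, so when the write faults and the function returns 1 the per-CPU cache records a value the hardware rejected, while the vmx.c caller in this same patch rolls `msr->data` back to the old value; the two copies now disagree, and the early-out `((value ^ smsr->values[slot].curr) & mask) == 0` will make its decision against a value that was never written. The fix is to move `smsr->values[slot].curr = value;` to just after the `if (err) return 1;` check so the cache only ever reflects a write that succeeded. It is also worth a short comment on the `return 1;` line stating that a non-zero return means the MSR write faulted and the caller is expected to undo its own bookkeeping, since that contract is now part of the exported interface declared in kvm_host.h.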
--
1.9.3