- CVE-2014-3611 kvm: PIT timer race condition (rhbz 1144878 1156537) - CVE-2014-3646 kvm: vmx: invvpid vm exit not handled (rhbz 1144825 1156534) - CVE-2014-8369 kvm: excessive pages un-pinning in kvm_iommu_map error path (rhbz 1156518 1156522) - CVE-2014-8480 CVE-2014-8481 kvm: NULL pointer dereference during rip relative instruction emulation (rhbz 1156615 1156616)
From: Petr Matousek <pmatouse@redhat.com>
Date: Fri, 24 Oct 2014 17:07:18 +0200
Subject: [PATCH] kvm: vmx: handle invvpid vm exit gracefully
On systems with invvpid instruction support (corresponding bit in
IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
causes vm exit, which is currently not handled and results in
propagation of unknown exit to userspace.
Fix this by installing an invvpid vm exit handler.
This is CVE-2014-3646.
Cc: stable@vger.kernel.org
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/include/uapi/asm/vmx.h | 2 ++
arch/x86/kvm/vmx.c | 9 ++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/uapi/asm/vmx.h b/arch/x86/include/uapi/asm/vmx.h
index 0e79420376eb..990a2fe1588d 100644
--- a/arch/x86/include/uapi/asm/vmx.h
+++ b/arch/x86/include/uapi/asm/vmx.h
@@ -67,6 +67,7 @@
#define EXIT_REASON_EPT_MISCONFIG 49
#define EXIT_REASON_INVEPT 50
#define EXIT_REASON_PREEMPTION_TIMER 52
+#define EXIT_REASON_INVVPID 53
#define EXIT_REASON_WBINVD 54
#define EXIT_REASON_XSETBV 55
#define EXIT_REASON_APIC_WRITE 56
@@ -114,6 +115,7 @@
{ EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \
{ EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \
{ EXIT_REASON_INVD, "INVD" }, \
+ { EXIT_REASON_INVVPID, "INVVPID" }, \
{ EXIT_REASON_INVPCID, "INVPCID" }
#endif /* _UAPIVMX_H */
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 7e2c098b59c9..cf3cd079ec52 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6746,6 +6746,12 @@ static int handle_invept(struct kvm_vcpu *vcpu)
return 1;
}
+static int handle_invvpid(struct kvm_vcpu *vcpu)
+{
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 1;
+}
+
/*
* The exit handlers return 1 if the exit was handled fully and guest execution
* may resume. Otherwise they set the kvm_run parameter to indicate what needs
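Review bot: handle_invvpid injects #UD for every INVVPID exit without distinguishing whether the vCPU is in (nested) VMX operation, and the new function carries no comment saying why an unconditional fault is the correct response; sitting directly under handle_invept, which emulates the instruction for L1, it reads like an unfinished stub. I would add above the kvm_queue_exception() call: `/* VPID is not offered to nested guests, so INVVPID from L1 is an invalid opcode exactly as on hardware; an L2 INVVPID is reflected to L1 by nested_vmx_exit_handled(). */` — the first half of that claim should be checked against the nested VMX capability MSR setup before it is committed, since the patch itself only states that the exit was previously unhandled. Queueing the fault and returning 1 without touching RIP is correct: #UD is a fault and the exit RIP already points at the offending instruction. handle_invept's body begins outside the hunk.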
@@ -6791,6 +6797,7 @@ static int (*const kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
[EXIT_REASON_MWAIT_INSTRUCTION] = handle_mwait,
[EXIT_REASON_MONITOR_INSTRUCTION] = handle_monitor,
[EXIT_REASON_INVEPT] = handle_invept,
+ [EXIT_REASON_INVVPID] = handle_invvpid,
};
static const int kvm_vmx_max_exit_handlers =
@@ -7026,7 +7033,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD:
case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE:
case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
- case EXIT_REASON_INVEPT:
+ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID:
/*
* VMX instructions trap unconditionally. This allows L1 to
* emulate them for its L2 guest, i.e., allows 3-level nesting!
--
1.9.3