AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-19 10:57:01 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
acff78477b
linux_dsm_epyc7002/arch/x86
History
Marc Orr acff78477b KVM: x86: nVMX: close leak of L0's x2APIC MSRs (CVE-2019-3887) 
The nested_vmx_prepare_msr_bitmap() function doesn't directly guard the
x2APIC MSR intercepts with the "virtualize x2APIC mode" MSR. As a
result, we discovered the potential for a buggy or malicious L1 to get
access to L0's x2APIC MSRs, via an L2, as follows.

1. L1 executes WRMSR(IA32_SPEC_CTRL, 1). This causes the spec_ctrl
variable, in nested_vmx_prepare_msr_bitmap() to become true.
2. L1 disables "virtualize x2APIC mode" in VMCS12.
3. L1 enables "APIC-register virtualization" in VMCS12.

Now, KVM will set VMCS02's x2APIC MSR intercepts from VMCS12, and then
set "virtualize x2APIC mode" to 0 in VMCS02. Oops.

This patch closes the leak by explicitly guarding VMCS02's x2APIC MSR
intercepts with VMCS12's "virtualize x2APIC mode" control.

The scenario outlined above and fix prescribed here, were verified with
a related patch in kvm-unit-tests titled "Add leak scenario to
virt_x2apic_mode_test".

Note, it looks like this issue may have been introduced inadvertently
during a merge---see 15303ba5d1.

Signed-off-by: Marc Orr <marcorr@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-04-05 21:08:22 +02:00
..
boot x86/boot: Fix incorrect ifdeffery scope 2019-03-27 14:00:51 +01:00
configs Merge branch 'akpm' (patches from Andrew) 2019-03-07 19:25:37 -08:00
crypto crypto: x86/poly1305 - Clear key material from stack in SSE2 variant 2019-02-28 14:17:59 +08:00
entry pidfd patches for v5.1-rc1 2019-03-16 13:47:14 -07:00
events perf/x86/intel: Make dev_attr_allow_tsx_force_abort static 2019-03-17 08:40:18 +01:00
hyperv x86/hyperv: Prevent potential NULL pointer dereference 2019-03-21 12:24:39 +01:00
ia32 a.out: remove core dumping support 2019-03-05 10:00:35 -08:00
include A collection of x86 and ARM bugfixes, and some improvements to documentation. 2019-03-31 08:55:59 -07:00
kernel x86/resctrl: Remove unused variable 2019-03-24 22:09:27 +01:00
kvm KVM: x86: nVMX: close leak of L0's x2APIC MSRs (CVE-2019-3887) 2019-04-05 21:08:22 +02:00
lib x86/lib: Fix indentation issue, remove extra tab 2019-03-21 12:24:38 +01:00
math-emu Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
mm x86/mm: Don't exceed the valid physical address space 2019-03-28 14:13:51 +01:00
net x32: bpf: implement jitting of JMP32 2019-01-26 13:33:02 -08:00
oprofile
pci x86/PCI: Fixup RTIT_BAR of Intel Denverton Trace Hub 2019-02-07 08:43:58 -06:00
platform x86/realmode: Make set_real_mode_mem() static inline 2019-03-29 10:16:27 +01:00
power mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
purgatory kbuild: move bin2c back to scripts/ from scripts/basic/ 2018-07-18 01:18:05 +09:00
ras
realmode x86/realmode: Make set_real_mode_mem() static inline 2019-03-29 10:16:27 +01:00
tools x86: Clean up 'sizeof x' => 'sizeof(x)' 2018-10-29 07:13:28 +01:00
um Merge branch 'timers-2038-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-05 14:08:26 -08:00
video
xen Merge branch 'akpm' (patches from Andrew) 2019-03-12 10:39:53 -07:00
.gitignore
Kbuild KVM: x86: Allow Qemu/KVM to use PVH entry point 2018-12-13 13:41:49 -05:00
Kconfig x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y 2019-03-28 13:34:58 +01:00
Kconfig.cpu x86/cpu: Create Hygon Dhyana architecture support file 2018-09-27 16:14:05 +02:00
Kconfig.debug efi/x86: Convert x86 EFI earlyprintk into generic earlycon implementation 2019-02-04 08:27:30 +01:00
Makefile x86/retpolines: Disable switch jump tables when retpolines are enabled 2019-03-28 13:39:48 +01:00
Makefile_32.cpu
Makefile.um x86, powerpc: Remove -funit-at-a-time compiler option entirely 2018-12-09 11:55:32 +01:00