Commit a642fc305053cc1c6e47e4f4df327895747ab485
Committed by
Paolo Bonzini
Paolo Bonzini
1 parent
d1442d85cc
Exists in
ti-lsk-linux-4.1.y
and in
10 other branches
kvm: vmx: handle invvpid vm exit gracefully
On systems with invvpid instruction support (corresponding bit in IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid causes vm exit, which is currently not handled and results in propagation of unknown exit to userspace. Fix this by installing an invvpid vm exit handler. This is CVE-2014-3646. Cc: stable@vger.kernel.org Signed-off-by: Petr Matousek <pmatouse@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Showing 2 changed files with 10 additions and 1 deletions Side-by-side Diff
arch/x86/include/uapi/asm/vmx.h
| ... | ... | @@ -67,6 +67,7 @@ |
| 67 | 67 | #define EXIT_REASON_EPT_MISCONFIG 49 |
| 68 | 68 | #define EXIT_REASON_INVEPT 50 |
| 69 | 69 | #define EXIT_REASON_PREEMPTION_TIMER 52 |
| 70 | +#define EXIT_REASON_INVVPID 53 | |
| 70 | 71 | #define EXIT_REASON_WBINVD 54 |
| 71 | 72 | #define EXIT_REASON_XSETBV 55 |
| 72 | 73 | #define EXIT_REASON_APIC_WRITE 56 |
| ... | ... | @@ -114,6 +115,7 @@ |
| 114 | 115 | { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \ |
| 115 | 116 | { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \ |
| 116 | 117 | { EXIT_REASON_INVD, "INVD" }, \ |
| 118 | + { EXIT_REASON_INVVPID, "INVVPID" }, \ | |
| 117 | 119 | { EXIT_REASON_INVPCID, "INVPCID" } |
| 118 | 120 | |
| 119 | 121 | #endif /* _UAPIVMX_H */ |
arch/x86/kvm/vmx.c
| ... | ... | @@ -6746,6 +6746,12 @@ |
| 6746 | 6746 | return 1; |
| 6747 | 6747 | } |
| 6748 | 6748 | |
| 6749 | +static int handle_invvpid(struct kvm_vcpu *vcpu) | |
| 6750 | +{ | |
| 6751 | + kvm_queue_exception(vcpu, UD_VECTOR); | |
| 6752 | + return 1; | |
| 6753 | +} | |
| 6754 | + | |
| 6749 | 6755 | /* |
| 6750 | 6756 | * The exit handlers return 1 if the exit was handled fully and guest execution |
| 6751 | 6757 | * may resume. Otherwise they set the kvm_run parameter to indicate what needs |
| ... | ... | @@ -6791,6 +6797,7 @@ |
| 6791 | 6797 | [EXIT_REASON_MWAIT_INSTRUCTION] = handle_mwait, |
| 6792 | 6798 | [EXIT_REASON_MONITOR_INSTRUCTION] = handle_monitor, |
| 6793 | 6799 | [EXIT_REASON_INVEPT] = handle_invept, |
| 6800 | + [EXIT_REASON_INVVPID] = handle_invvpid, | |
| 6794 | 6801 | }; |
| 6795 | 6802 | |
| 6796 | 6803 | static const int kvm_vmx_max_exit_handlers = |
| ... | ... | @@ -7026,7 +7033,7 @@ |
| 7026 | 7033 | case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: |
| 7027 | 7034 | case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: |
| 7028 | 7035 | case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: |
| 7029 | - case EXIT_REASON_INVEPT: | |
| 7036 | + case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID: | |
| 7030 | 7037 | /* |
| 7031 | 7038 | * VMX instructions trap unconditionally. This allows L1 to |
| 7032 | 7039 | * emulate them for its L2 guest, i.e., allows 3-level nesting! |
