superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/arch
History
Alexandru Matei b2de2b4d4e KVM: VMX: Fix crash due to uninitialized current_vmcs 
commit 93827a0a36 upstream.

KVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as
a nested hypervisor on top of Hyper-V. When MSR bitmap is updated,
evmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark
that the msr bitmap was changed.

vmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr
-> vmx_msr_bitmap_l01_changed which in the end calls this function. The
function checks for current_vmcs if it is null but the check is
insufficient because current_vmcs is not initialized. Because of this, the
code might incorrectly write to the structure pointed by current_vmcs value
left by another task. Preemption is not disabled, the current task can be
preempted and moved to another CPU while current_vmcs is accessed multiple
times from evmcs_touch_msr_bitmap() which leads to crash.

The manipulation of MSR bitmaps by callers happens only for vmcs01 so the
solution is to use vmx->vmcs01.vmcs instead of current_vmcs.

  BUG: kernel NULL pointer dereference, address: 0000000000000338
  PGD 4e1775067 P4D 0
  Oops: 0002 [#1] PREEMPT SMP NOPTI
  ...
  RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel]
  ...
  Call Trace:
   vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel]
   vmx_vcpu_create+0xe6/0x540 [kvm_intel]
   kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm]
   kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm]
   kvm_vm_ioctl+0x53f/0x790 [kvm]
   __x64_sys_ioctl+0x8a/0xc0
   do_syscall_64+0x5c/0x90
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: ceef7d10df ("KVM: x86: VMX: hyper-v: Enlightened MSR-Bitmap support")
Cc: stable@vger.kernel.org
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Alexandru Matei <alexandru.matei@uipath.com>
Link: https://lore.kernel.org/r/20230123221208.4964-1-alexandru.matei@uipath.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2023-03-10 09:34:11 +01:00
..
alpha alpha/boot/tools/objstrip: fix the check for ELF header 2023-03-10 09:33:30 +01:00
arc
arm ARM: dts: exynos: correct HDMI phy compatible in Exynos4 2023-03-10 09:34:07 +01:00
arm64 arm64: zynqmp: Enable hs termination flag for USB dwc3 controller 2023-03-10 09:33:46 +01:00
csky
hexagon
ia64 ia64: fix build error due to switch case label appearing next to declaration 2023-02-09 11:28:23 +01:00
loongarch LoongArch, bpf: Use 4 instructions for function address in JIT 2023-03-10 09:33:06 +01:00
m68k m68k: Check syscall_trace_enter() return code 2023-03-10 09:33:51 +01:00
microblaze
mips of/fdt: run soc memory setup when early_init_dt_scan_memory fails 2023-01-12 12:02:51 +01:00
nios2
openrisc
parisc parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case 2023-02-09 11:28:20 +01:00
powerpc powerpc: Remove linker flag from KBUILD_AFLAGS 2023-03-10 09:33:41 +01:00
riscv RISC-V: time: initialize hrtimer based broadcast clock event device 2023-03-10 09:33:03 +01:00
s390 KVM: s390: disable migration mode when dirty tracking is disabled 2023-03-10 09:34:05 +01:00
sh sh: define RUNTIME_DISCARD_EXIT 2023-02-25 11:25:42 +01:00
sparc sparc: allow PM configs for sparc32 COMPILE_TEST 2023-03-10 09:33:27 +01:00
um um: virt-pci: Avoid GCC non-NULL warning 2023-01-07 11:11:52 +01:00
x86 KVM: VMX: Fix crash due to uninitialized current_vmcs 2023-03-10 09:34:11 +01:00
xtensa xtensa: add __umulsidi3 helper 2023-01-07 11:11:46 +01:00
.gitignore
Kconfig