From patchwork Tue Apr 16 12:35:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Julian Stecklina X-Patchwork-Id: 13631776 Received: from DEU01-BE0-obe.outbound.protection.outlook.com (mail-be0deu01on2104.outbound.protection.outlook.com [40.107.127.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E409B101D4; Tue, 16 Apr 2024 12:36:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.127.104 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713271005; cv=fail; b=kgatMyPFPX0I1k+69jVNKp4y0BxCFlUFzJIo4sgJ0SZxT/gzKMroyygxbqkZwVOTLFiP7wKTRjuwkEuWwL/TN+IbqKty6WgkjoZ5blZJsn5YsnkxHmwQfoAX5cU9RDKvy6zHN1W3OmtbGKixykhlLsccYkco77W5mNXY9I7pheY= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713271005; c=relaxed/simple; bh=PaQi7Kdg+bSprtejyY3NaMGR8af5tS/cAE59T4HAdv0=; h=From:To:Cc:Subject:Date:Message-ID:Content-Type:MIME-Version; b=uqkMquYot1HBWCiGD2gbhJ/NKJjiENfLhpw506Mb2oUGwzZlPahfAvj8C5LyWQNBLoi8G6PHDKRVKvaMaxceJqpKSrHMrURWKg5fDD3IKQWhACbVTz28NKv/eXogYyXWoeaG9A0e15jDltpau+xzbxIP9MRuKC7FI5wrWNWwvXk= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=cyberus-technology.de; spf=pass smtp.mailfrom=cyberus-technology.de; dkim=pass (2048-bit key) header.d=cyberus-technology.de header.i=@cyberus-technology.de header.b=H57J/a7b; arc=fail smtp.client-ip=40.107.127.104 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=cyberus-technology.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cyberus-technology.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cyberus-technology.de header.i=@cyberus-technology.de header.b="H57J/a7b" ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=M72vljV2SBTYQZs/FehW4F5hLnfLlCqc/cuHGn2aFd2YrnACDgwQWdFFTLcLBHqq3RuLWoCuYgXXoAiYJGBQ+nRSBoxXC3+El0TFLivpOLi2WO4B5CJSMhjgpGxZ75Yf0L8VhQcPLyOfbO95m7HgALJKr5jSsVta2tGrgDTroRxl8QZ1VT2l01UdP2M0IEt4ll6/HxG9WrjaiumY3rSTYMKz49dSwng4sGFU/yjfUBMsNWAPVW04mb2kp4Sn8byOxfVc4TP265F8JOGhGMybqoi4eaMCZacLP9W+T4FwJXRWqDFSnfCxau+58j6f/gKInkQ7XEeRWbJh1FroJqZQrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7RaaYZ/Ezw21a6jN9N1MR606d2UFF0BBp5iTDn6vPHc=; b=jGTCmTy3noxTU0mtvBf6Dbv91BCvIlHf0cAGZFeSzfipizR6yeUuPhj7WFKlRhKZSQt6a1LM7H3aLEt8VTxUkERRUEwsdjChyoPPM/lxaHny6/oFLDCSRRyJIlz+74lv4vjUExMeXDY7+RkBY4lAnMi9b442k21dE+svZU9SxYIuNpHpRJ0PSnpet/dT5fUwgp29fILGfzN5NtzAJJtv+UNQIgvW+QPyOxH+k+MtzBh0CmhWVbzO5RTkwe+jqUp2KKWtGoBHnHRT6O1mrG+OYfEI3llbTehMIH++crOEYv1CCHWVWr7szWsxsxnX33P+TW3QCEFpTQtpYR9NsnPJiA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cyberus-technology.de; dmarc=pass action=none header.from=cyberus-technology.de; dkim=pass header.d=cyberus-technology.de; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cyberus-technology.de; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7RaaYZ/Ezw21a6jN9N1MR606d2UFF0BBp5iTDn6vPHc=; b=H57J/a7bh5xJ80fvXfIIpf426yVugwWUbDXNH48s/wIEu/FnUXfP8ZcIuFpG7CCCbDJiuEiaFVYhmlkFJrbYsS2gfKeZQvTZs086oB5m8grQbbPApTNRjqBk6Pwm+JrisY8vV9guQTpIyYDiQV2YSxJhEfoJInMC3QsrULyzBJPWOBAJTK8ilzhkSogwUcogxaW8sF/f/kUXQBPwYYYnlz7B5c7oWl12Mwl/4xKQ14dEYAsmPl8IDdveAQ+S7BQ95JiY257JWG/j2qibkD1ooWbljWAw0PwxzM45Q3RNuK0/RvXV830RsYlJSGI7ySGZ/npsKrsnrHYqa4MQq98ndw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cyberus-technology.de; Received: from FR2P281MB2329.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:38::7) by FR2P281MB1543.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:90::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7452.50; Tue, 16 Apr 2024 12:36:38 +0000 Received: from FR2P281MB2329.DEUP281.PROD.OUTLOOK.COM ([fe80::cd58:a187:5d01:55f5]) by FR2P281MB2329.DEUP281.PROD.OUTLOOK.COM ([fe80::cd58:a187:5d01:55f5%6]) with mapi id 15.20.7452.049; Tue, 16 Apr 2024 12:36:38 +0000 From: Julian Stecklina To: Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" Cc: Thomas Prescher , Julian Stecklina , kvm@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/2] KVM: nVMX: fix CR4_READ_SHADOW when L0 updates CR4 during a signal Date: Tue, 16 Apr 2024 14:35:56 +0200 Message-ID: <20240416123558.212040-1-julian.stecklina@cyberus-technology.de> X-Mailer: git-send-email 2.43.2 X-ClientProxiedBy: MA2P292CA0026.ESPP292.PROD.OUTLOOK.COM (2603:10a6:250::12) To FR2P281MB2329.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:38::7) Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: FR2P281MB2329:EE_|FR2P281MB1543:EE_ X-MS-Office365-Filtering-Correlation-Id: 5a5f1b05-de4c-4a1e-a355-08dc5e11dc72 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: +vNTtfVdsVui/hQRR+5jU8gWU03ea8Z4GjDhqthOoQg/jD7QRtGbOvzVqHGcH3D+EfgNBroMmZgOgJMWS7IriCmo+2kAtTjf5MhoapyYu6aV2q+79afM6cl2DuB2Yfl/rc570Fm1WDFUFUeepNyPvMlWXfYZn0gCT7pry6aQI5iY9rG9y5RDxdVXTOV5MB+LJmJdzTQUq5085eZ7Ksd43wQTMEUm6r6q9h0iulZhPMvm+lnmr3NslvMoZWy5gouiwCkTW4lFf9VuUyktP9d2M2kwZk8v7sboh3P7oNql0/d5ceWwuP2WlId7zyETlNUh9IFkKLheEJKhDW5QQzbXLCcSg8+lBdXW+94GmtRLa5w+JomdCzsYjyrBc48gowmlK1sdPKSFs77mOh1RE8OMr2DfEIbSCnX2BHpkrEynZZPLTIqoWksyrcF2g3J3KZwdau1zlob0PiTChCon08J3Z5OOy/3cGSJvP5wA2xKB5eaGt1QiAMw/Iq4RAsocoYXyNgaYzW21RMZAIdqctAkDqNNR8wmUoC9hf0dddX2Bm48Inx1nbUR2vYClYBs/R30jiocwrQbIw5sDg7uyyf8E+w6deQIEVxmE4SYa+Nqknbo9qA8XES35LmDXXT1Kpi4TP37cJ+OXUH7Ex7jNyub37+DUt8gm5JpN/IHKb50WbFMZfx7wzyZtT5EohkafaarGfHY6Ro7s2BJuZ+fVDzyo7OtT2hlKlL4vWfxW9oygOV96K/be8H1uiJweQ58uU2hCz2g77LVpzfmQOUsNYkTjZjgg6NEUYxC1VwZ5j0lfZmdXFLGL79V9Cm6ZaO1bcZkegAd2U63SdOx4J6BfB39uu1GCZ7MLE5ZEgNi7r/1DnFmUkx6NOgsMx+QjKP6/KDykwIkLRvXFKNcI3hAhMH46Lw0GcaTadbiAF94+W8RTuXn26rrsQ9abO1uDfstpfeF5JlnhwJhZBT4MVdeWNSovsNc14QTKt5BhOCGieX8gBJKVDMoR7waLZWn1ZMVXP+P2dT5MJNCZ/avLZ6DQbp9Sg4mW7O6n14nSuNMuCyiZK8YDPECcFVUiIEO4uoqp3xThvj5JbafppUGeMx++OVWiHO0TcYbfkIvXGGTU/Zo68y63KQje4aBbxnjwoH1dAop3NcaAa4UlYHbsf8FJkqJliDnxFsikNcnbd+i6H2cTc++KKjtKVqBvMUDyJB92jncmLuAupWgvUMcKahgknElpxqM1z1vqFYhIrHNhQIVbxLykivGhZdGLU65FxOw8DP5kTkS4AyFdlyER6ZpkuIpNSA== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:FR2P281MB2329.DEUP281.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230031)(7416005)(376005)(1800799015)(366007)(52116005)(38350700005);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: mUYSpRUs8SNZuhhpPdAO4waLeoDnjYiZ1xTRSDM7fGp2cbyY+akneOaGj80gyqcw6837IcIlkhtwF+iGniJUTQAecVSBTKGwnUiktjH+eZimM0VwhX/FkYTPNMXW2lY375+daOSmAGEISDGCjZlwz08kAYwCrVkuS/Tr7pKfcF7/8xEg/r1hvd2doLzzLjcIUCCraSTGfxBsMqkkr2HRTEPa/bdMBuAQca7QOGUW4CsrY9l+SWqxrIw8HW505kGru2E4N2O+GnH/2jAuLQiUzXA+ZT37HRt9JT9oneCfqpqiaqEdrjVr2bINhPMEFRpxhS1TWgsb30PAlcXXTMdbGOxS+VOCeHw6jsKlXQSqCid6YlkMDXz2AfCvgvZSBZ5DI0Iz7lZrKEO9fYAGbMxYx1xchBPivfEXdHbXWXspvIrivysdXHllwlKJ+luqv7wM4iPkIxaEmVpKylwlXjlUYBEuC+PmvAQwggXpma4QO58FN85paGkTOPA/DBBsWZsKww/HDFme70WmlTw2l8ThKVzDjcG8jq9+pv+uK1QzYBl5K14Dop2N+ERN74FOIVm74NnnwkPJz+62X4C3ZUvxAwx1u20rFogiTZiUSvCxxF9j/oxWi7sezzrYpimeJg4EzjwexjOWDAEMSWGVt+oWQX9KRZhSsgItE5zJBCbFlJ7TBpme1kcKkztJmpIMckW5Yco+ZJF3ta/fvqxJtXoUdH+8LOjp1KHkEOT/wmUYi0H8kapHLHTxzirEc1VNHTvLq/OT0ZCtjaAR2G0hdL4DXm6BvlS7sVZm6e6vycl+vk8YLfUQXTv/WgHm3DKRnWBhsOlPTTKBdOiWDdl2ANhOyvBFN5CLw451HvRVyIJJApp4sLzpfuvnYF3UQcGqNgkPmx9NFZ0F9iC53EcbVAYKMaU7Nl6VEyaLbp9UOXNU9tlupy6eP/PmSV5aEHbyQfdlTBrMOfMtZMKld5fvdUrVxMOgPNHI48Bilz4dlPXRll6k//w56ttnCQ4dZmBRs2VDEgyp3soBsLChLRtBsszqsCf8KFV/9J6LvRYEl/niZde3fnFzc+aIjana0YjjoPT3ki2aMwaYQJFAK8mywZ5Q6/NY2dMcJCrR2/csGaUOeOzeQgcBIin5wlOIH8DPq6F7U0dqaGPFaOqEH2iKGBK4Ko6QhdCxzp+4vkP+z6OrjzMlmrHXqCzWIR3MRw33kbezAeFOZZU3MUF9+ZOQr2gTkiBVHSn+vcbgqF31HadycrDtiS9PWLYPCK/ox5Z4stSg/eUMx3JwwXA7siYZS/3MMtv14oKX27jcHYNgsLXjiiMBQuHKTu7A4SqhL8YZI1XfqmOZInJxu+Xla/WbJSZyEhEXlasS2WkJBpUMozLXgriE55tiTrLZr58zsdHiKmfXUfFcZUM96xhJKxhRUidKENWp+/UFsY5I/s36TygwDTbnGBWfEWem61nhp8pWVT5EXeLJqTCZEE4N1gH6mSwvgUIVTqVkQh4ci+euVvJIdfWc83NhNqv8ZHXinHzpIOnbWjqwZpms0edB4BZzn2ZJkdBx8o9eIN8pPD8M0rm+wyoZ+8xXvT7Zl1or8x8FMqXgPhgwvrcnG5Vwcsz+XLaUSzilt6Th9n0CklZ+SpUxHcU= X-OriginatorOrg: cyberus-technology.de X-MS-Exchange-CrossTenant-Network-Message-Id: 5a5f1b05-de4c-4a1e-a355-08dc5e11dc72 X-MS-Exchange-CrossTenant-AuthSource: FR2P281MB2329.DEUP281.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Apr 2024 12:36:38.7138 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: f4e0f4e0-9d68-4bd6-a95b-0cba36dbac2e X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 3Ve3BSVMTG8EUL5E8/sY+Agm/CBL0j4mQ8Kl+N6YSXyWuqbDaNw8t1m+xXwnKU0lN3/QlRKm0vQ0kmf5Rx0hCMYXNChJWj0xmN1CMWF47/vo3RkdvUY7Vt5kxYyk8iGU X-MS-Exchange-Transport-CrossTenantHeadersStamped: FR2P281MB1543 From: Thomas Prescher This issue occurs when the kernel is interrupted by a signal while running a L2 guest. If the signal is meant to be delivered to the L0 VMM, and L0 updates CR4 for L1, i.e. when the VMM sets KVM_SYNC_X86_SREGS in kvm_run->kvm_dirty_regs, the kernel programs an incorrect read shadow value for L2's CR4. The result is that the guest can read a value for CR4 where bits from L1 have leaked into L2. We found this issue by running uXen [1] as L2 in VirtualBox/KVM [2]. The issue can also easily be reproduced in Qemu/KVM if we force a sreg sync on each call to KVM_RUN [3]. The issue can also be reproduced by running a L2 Windows 10. In the Windows case, CR4.VMXE leaks from L1 to L2 causing the OS to blue-screen with a kernel thread exception during TLB invalidation where the following code sequence triggers the issue: mov rax, cr4 <--- L2 reads CR4 with contents from L1 mov rcx, cr4 btc 0x7, rax <--- L2 toggles CR4.PGE mov cr4, rax <--- #GP because L2 writes CR4 with reserved bits set mov cr4, rcx The existing code seems to fixup CR4_READ_SHADOW after calling vmx_set_cr4 except in __set_sregs_common. While we could fix it there as well, it's easier to just handle it centrally. There might be a similar issue with CR0. [1] https://github.com/OpenXT/uxen [2] https://github.com/cyberus-technology/virtualbox-kvm [3] https://github.com/tpressure/qemu/commit/d64c9d5e76f3f3b747bea7653d677bd61e13aafe Signed-off-by: Julian Stecklina Signed-off-by: Thomas Prescher --- arch/x86/kvm/vmx/vmx.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 6780313914f8..0d4af00245f3 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -3474,7 +3474,11 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); } - vmcs_writel(CR4_READ_SHADOW, cr4); + if (is_guest_mode(vcpu)) + vmcs_writel(CR4_READ_SHADOW, nested_read_cr4(get_vmcs12(vcpu))); + else + vmcs_writel(CR4_READ_SHADOW, cr4); + vmcs_writel(GUEST_CR4, hw_cr4); if ((cr4 ^ old_cr4) & (X86_CR4_OSXSAVE | X86_CR4_PKE))