| From d74fcfc1f0ff4b6c26ecef1f9e48d8089ab4eaac Mon Sep 17 00:00:00 2001 |
| From: Sean Christopherson <sean.j.christopherson@intel.com> |
| Date: Thu, 2 Jul 2020 19:17:14 -0700 |
| Subject: KVM: x86: Inject #GP if guest attempts to toggle CR4.LA57 in 64-bit mode |
| |
| From: Sean Christopherson <sean.j.christopherson@intel.com> |
| |
| commit d74fcfc1f0ff4b6c26ecef1f9e48d8089ab4eaac upstream. |
| |
| Inject a #GP on MOV CR4 if CR4.LA57 is toggled in 64-bit mode, which is |
| illegal per Intel's SDM: |
| |
| CR4.LA57 |
| 57-bit linear addresses (bit 12 of CR4) ... blah blah blah ... |
| This bit cannot be modified in IA-32e mode. |
| |
| Note, the pseudocode for MOV CR doesn't call out the fault condition, |
| which is likely why the check was missed during initial development. |
| This is arguably an SDM bug and will hopefully be fixed in a future |
| release of the SDM. |
| |
| Fixes: fd8cb433734ee ("KVM: MMU: Expose the LA57 feature to VM.") |
| Cc: stable@vger.kernel.org |
| Reported-by: Sebastien Boeuf <sebastien.boeuf@intel.com> |
| Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> |
| Message-Id: <20200703021714.5549-1-sean.j.christopherson@intel.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/x86.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
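To make the fault condition from the commit message concrete, here is an added, stand-alone C model of the long-mode branch of kvm_set_cr4() before and after this patch (example code, not the kernel's own; the function names are hypothetical, and the CR4 bit positions are the architectural ones, bit 5 for PAE and bit 12 for LA57). It follows KVM's convention that a return value of 1 means "inject #GP".

```c
#include <stdbool.h>
#include <stdint.h>

/* Architectural CR4 bit positions (PAE = bit 5, LA57 = bit 12). */
#define X86_CR4_PAE  (1ULL << 5)
#define X86_CR4_LA57 (1ULL << 12)

/* Model of the long-mode checks as they stood before the fix (hypothetical
 * helper): only the PAE requirement is enforced, so a guest in IA-32e mode
 * could flip CR4.LA57 and KVM would accept the write. Returns 1 for #GP. */
static int set_cr4_long_mode_before_fix(bool long_mode, uint64_t old_cr4,
                                        uint64_t cr4)
{
    (void)old_cr4;                 /* old value was never consulted for LA57 */
    if (long_mode && !(cr4 & X86_CR4_PAE))
        return 1;
    return 0;
}

/* Same branch with the patch applied: toggling LA57 (old ^ new has bit 12
 * set) while in IA-32e mode is rejected, per the SDM rule quoted above. */
static int set_cr4_long_mode_after_fix(bool long_mode, uint64_t old_cr4,
                                       uint64_t cr4)
{
    if (long_mode) {
        if (!(cr4 & X86_CR4_PAE))
            return 1;
        if ((cr4 ^ old_cr4) & X86_CR4_LA57)
            return 1;             /* LA57 cannot be modified in IA-32e mode */
    }
    return 0;
}

/* Count the constructed CR4 transitions that the pre-fix model accepts but
 * the fixed model faults on; this is exactly the gap the patch closes. */
static int count_newly_rejected_writes(void)
{
    const uint64_t pae = X86_CR4_PAE, la57 = X86_CR4_LA57;
    const struct { bool lm; uint64_t old, new_; } cases[] = {
        { true,  pae,        pae | la57 },   /* enable LA57 in long mode  */
        { true,  pae | la57, pae        },   /* disable LA57 in long mode */
        { true,  pae | la57, pae | la57 },   /* LA57 unchanged: allowed   */
        { false, pae,        pae | la57 },   /* not long mode: allowed    */
        { true,  pae,        0          },   /* clearing PAE: already #GP */
    };
    int gap = 0;
    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        if (set_cr4_long_mode_before_fix(cases[i].lm, cases[i].old, cases[i].new_) == 0 &&
            set_cr4_long_mode_after_fix(cases[i].lm, cases[i].old, cases[i].new_) == 1)
            gap++;
    return gap;
}
```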
| --- a/arch/x86/kvm/x86.c |
| +++ b/arch/x86/kvm/x86.c |
| @@ -980,6 +980,8 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, u |
| if (is_long_mode(vcpu)) { |
| if (!(cr4 & X86_CR4_PAE)) |
| return 1; |
| + if ((cr4 ^ old_cr4) & X86_CR4_LA57) |
| + return 1; |
| } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE) |
| && ((cr4 ^ old_cr4) & pdptr_bits) |
| && !load_pdptrs(vcpu, vcpu->arch.walk_mmu, |
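Review bot: the added `if ((cr4 ^ old_cr4) & X86_CR4_LA57)` inside the `is_long_mode(vcpu)` branch carries no comment, and since the commit message itself says the SDM's MOV CR pseudocode omits this fault, a one-line comment such as `/* CR4.LA57 cannot be modified in IA-32e mode (SDM) */` would stop a future reader from "simplifying" it away. Placing it after the PAE test is the right order, as PAE is a precondition for long mode at all. The check depends on `old_cr4` holding the pre-write value captured earlier in kvm_set_cr4(), which is outside the visible context, so the reviewer should confirm nothing between that capture and this hunk mutates it.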