releases/4.14.68/kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Sun Aug 26 09:13:00 CEST 2018
 From: Sean Christopherson <sean.j.christopherson@intel.com>
 Date: Thu, 19 Jul 2018 10:31:00 -0700
 Subject: KVM: vmx: use local variable for current_vmptr when emulating VMPTRST

 From: Sean Christopherson <sean.j.christopherson@intel.com>

 [ Upstream commit 0a06d4256674c4e041945b52044941995fee237d ]

 Do not expose the address of vmx->nested.current_vmptr to
 kvm_write_guest_virt_system() as the resulting __copy_to_user()
 call will trigger a WARN when CONFIG_HARDENED_USERCOPY is
 enabled.

 Opportunistically clean up variable names in handle_vmptrst()
 to improve readability, e.g. vmcs_gva is misleading as the
 memory operand of VMPTRST is plain memory, not a VMCS.

 Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
 Tested-by: Peter Shier <pshier@google.com>
 Reviewed-by: Peter Shier <pshier@google.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  arch/x86/kvm/vmx.c |   15 +++++++--------
  1 file changed, 7 insertions(+), 8 deletions(-)

 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -8108,21 +8108,20 @@ static int handle_vmptrld(struct kvm_vcp
  /* Emulate the VMPTRST instruction */
  static int handle_vmptrst(struct kvm_vcpu *vcpu)
  {
 -	unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
 -	u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
 -	gva_t vmcs_gva;
 +	unsigned long exit_qual = vmcs_readl(EXIT_QUALIFICATION);
 +	u32 instr_info = vmcs_read32(VMX_INSTRUCTION_INFO);
 +	gpa_t current_vmptr = to_vmx(vcpu)->nested.current_vmptr;
  	struct x86_exception e;
 +	gva_t gva;

  	if (!nested_vmx_check_permission(vcpu))
  		return 1;

 -	if (get_vmx_mem_address(vcpu, exit_qualification,
 -			vmx_instruction_info, true, &vmcs_gva))
 +	if (get_vmx_mem_address(vcpu, exit_qual, instr_info, true, &gva))
  		return 1;
  	/* *_system ok, nested_vmx_check_permission has verified cpl=0 */
 -	if (kvm_write_guest_virt_system(vcpu, vmcs_gva,
 -					(void *)&to_vmx(vcpu)->nested.current_vmptr,
 -					sizeof(u64), &e)) {
 +	if (kvm_write_guest_virt_system(vcpu, gva, (void *)&current_vmptr,
 +					sizeof(gpa_t), &e)) {
  		kvm_inject_page_fault(vcpu, &e);
  		return 1;
  	}
	From foo@baz Sun Aug 26 09:13:00 CEST 2018
	From: Sean Christopherson <sean.j.christopherson@intel.com>
	Date: Thu, 19 Jul 2018 10:31:00 -0700
	Subject: KVM: vmx: use local variable for current_vmptr when emulating VMPTRST

	From: Sean Christopherson <sean.j.christopherson@intel.com>

	[ Upstream commit 0a06d4256674c4e041945b52044941995fee237d ]

	Do not expose the address of vmx->nested.current_vmptr to
	kvm_write_guest_virt_system() as the resulting __copy_to_user()
	call will trigger a WARN when CONFIG_HARDENED_USERCOPY is
	enabled.

	Opportunistically clean up variable names in handle_vmptrst()
	to improve readability, e.g. vmcs_gva is misleading as the
	memory operand of VMPTRST is plain memory, not a VMCS.

	Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
	Tested-by: Peter Shier <pshier@google.com>
	Reviewed-by: Peter Shier <pshier@google.com>
	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	arch/x86/kvm/vmx.c \| 15 +++++++--------
	1 file changed, 7 insertions(+), 8 deletions(-)

	--- a/arch/x86/kvm/vmx.c
	+++ b/arch/x86/kvm/vmx.c
	@@ -8108,21 +8108,20 @@ static int handle_vmptrld(struct kvm_vcp
	/* Emulate the VMPTRST instruction */
	static int handle_vmptrst(struct kvm_vcpu *vcpu)
	{
	- unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
	- u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
	- gva_t vmcs_gva;
	+ unsigned long exit_qual = vmcs_readl(EXIT_QUALIFICATION);
	+ u32 instr_info = vmcs_read32(VMX_INSTRUCTION_INFO);
	+ gpa_t current_vmptr = to_vmx(vcpu)->nested.current_vmptr;
	struct x86_exception e;
	+ gva_t gva;

	if (!nested_vmx_check_permission(vcpu))
	return 1;

	- if (get_vmx_mem_address(vcpu, exit_qualification,
	- vmx_instruction_info, true, &vmcs_gva))
	+ if (get_vmx_mem_address(vcpu, exit_qual, instr_info, true, &gva))
	return 1;
	/* _system ok, nested_vmx_check_permission has verified cpl=0 /
	- if (kvm_write_guest_virt_system(vcpu, vmcs_gva,
	- (void *)&to_vmx(vcpu)->nested.current_vmptr,
	- sizeof(u64), &e)) {
	+ if (kvm_write_guest_virt_system(vcpu, gva, (void *)&current_vmptr,
	+ sizeof(gpa_t), &e)) {
	kvm_inject_page_fault(vcpu, &e);
	return 1;
	}