| From fce7e152ffc8f89d02a80617b16c7aa1527847c8 Mon Sep 17 00:00:00 2001 |
| From: Vitaly Kuznetsov <vkuznets@redhat.com> |
| Date: Mon, 28 Jun 2021 12:44:20 +0200 |
| Subject: KVM: nSVM: Check the value written to MSR_VM_HSAVE_PA |
| |
| From: Vitaly Kuznetsov <vkuznets@redhat.com> |
| |
| commit fce7e152ffc8f89d02a80617b16c7aa1527847c8 upstream. |
| |
| APM states that #GP is raised upon write to MSR_VM_HSAVE_PA when |
| the supplied address is not page-aligned or is outside of "maximum |
| supported physical address for this implementation". |
| page_address_valid() check seems suitable. Also, forcefully page-align |
| the address when it's written from VMM. |
| |
| Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> |
| Message-Id: <20210628104425.391276-2-vkuznets@redhat.com> |
| Cc: stable@vger.kernel.org |
| Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com> |
| [Add comment about behavior for host-provided values. - Paolo] |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/x86/kvm/svm/svm.c | 11 ++++++++++- |
| 1 file changed, 10 insertions(+), 1 deletion(-) |
| |
| --- a/arch/x86/kvm/svm/svm.c |
| +++ b/arch/x86/kvm/svm/svm.c |
| @@ -2982,7 +2982,16 @@ static int svm_set_msr(struct kvm_vcpu * |
| svm_disable_lbrv(vcpu); |
| break; |
| case MSR_VM_HSAVE_PA: |
| - svm->nested.hsave_msr = data; |
| + /* |
| + * Old kernels did not validate the value written to |
| + * MSR_VM_HSAVE_PA. Allow KVM_SET_MSR to set an invalid |
| + * value to allow live migrating buggy or malicious guests |
| + * originating from those kernels. |
| + */ |
| + if (!msr->host_initiated && !page_address_valid(vcpu, data)) |
| + return 1; |
| + |
| + svm->nested.hsave_msr = data & PAGE_MASK; |
| break; |
| case MSR_VM_CR: |
| return svm_set_vm_cr(vcpu, data); |
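Review bot: The host-initiated branch of the added `if` still stores a value that can lie beyond the guest's maximum physical address, because `data & PAGE_MASK` only forces alignment and the `page_address_valid()` check is skipped for that path; whatever later maps `svm->nested.hsave_msr` (outside this hunk) therefore cannot assume the address was validated here. The comment explains why invalid values are accepted, but not this consequence, so consider extending it with a line such as `* Host-initiated values are only page-aligned here; users of hsave_msr must tolerate an address that would fail page_address_valid().` For guest writes the mask is redundant with the check that precedes it, so it would also help to state that the `& PAGE_MASK` exists for the host_initiated case only. The enclosing svm_set_msr() begins before this hunk.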