* Invert the mask of bits that we pick from L2 in
nested_vmcb02_prepare_control
* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
This fixes a security issue that allowed a malicious L1 to run L2 with
AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
AVIC to read/write the host physical memory at some offsets.
Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Signed-off-by: Maxim Levitsky <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit 4d9059df57cb3b8ff07cea55ba439fa3c846ef80 linux-5.4.y)
CVE-2021-3653
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Kamal Mostafa <email address hidden>
Acked-by: Ian May <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
This reverts commit ba798c67f196aa2719a0ca1544d2d7c72b713d05.
When launching L2 Linux guests on systems with VGIF support, they would
fail to boot, not showing any console output.
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Kamal Mostafa <email address hidden>
Acked-by: Ian May <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
001ba8e...
by
Maxim Levitsky <email address hidden>
UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested
If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
possible by making L0 intercept these instructions.
Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
and thus read/write portions of the host physical memory.
This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and
Paolo Bonzini.
Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
Signed-off-by: Maxim Levitsky <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
CVE-2021-3656
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Ben Romer <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
ba798c6...
by
Maxim Levitsky <email address hidden>
UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
This fixes CVE-2021-3653 that allowed a malicious L1 to run L2 with
AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
AVIC to read/write the host physical memory at some offsets.
The bug was discovered by Maxim Levitsky.
Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Signed-off-by: Maxim Levitsky <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
CVE-2021-3653
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Ben Romer <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>