I take it back. Your proposed VT-x configuration isn't supported by kvm at all. CPU_BASED_CR8_LOAD_EXITING and CPU_BASED_CR8_STORE_EXITING are in the minimum required primary processor-based VM-execution controls enforced by setup_vmcs_config(). So...someone else has already made sure that setting these bits to 1 is supported. :-)

On Wed, Sep 13, 2017 at 8:31 AM, Jim Mattson <jmattson@xxxxxxxxxx> wrote:
> Good point. I think the best solution is to require 'use TPR shadow'
> for vmcs12 if the hardware doesn't support CR8-{load,store} exiting.
>
> If the hardware supports neither 'use TPR shadow' nor CR8-{load,store}
> exiting, then we have to somehow restrict L1 and L2 VMs to legacy mode
> (or just give up on VT-x altogether).
>
> On Wed, Sep 13, 2017 at 5:20 AM, David Hildenbrand <david@xxxxxxxxxx> wrote:
>> On 12.09.2017 22:02, Jim Mattson wrote:
>>> If L1 does not specify the "use TPR shadow" VM-execution control in
>>> vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
>>> exiting" VM-execution controls in vmcs02. Failure to do so will give
>>> the L2 VM unrestricted read/write access to the hardware CR8.
>>>
>>> This fixes CVE-2017-12154.
>>>
>>> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
>>> ---
>>> arch/x86/kvm/vmx.c | 5 +++++
>>> 1 file changed, 5 insertions(+)
>>>
>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>> index c6efc1f88b25..885b7eed4320 100644
>>> --- a/arch/x86/kvm/vmx.c
>>> +++ b/arch/x86/kvm/vmx.c
>>> @@ -10525,6 +10525,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
>>> if (exec_control & CPU_BASED_TPR_SHADOW) {
>>> vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
>>> vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
>>> + } else {
>>> +#ifdef CONFIG_X86_64
>>> + exec_control |= CPU_BASED_CR8_LOAD_EXITING |
>>> + CPU_BASED_CR8_STORE_EXITING;
>>> +#endif
>>> }
>>>
>>> /*
>>>
>>
>> Don't you have to make sure that setting these bits to 1 is supported?
>> (yes, there could be strange configurations - nested nested ...)
>>
>> --
>>
>> Thanks,
>>
>> David
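Review bot: the new else branch in prepare_vmcs02() should carry a short comment stating why the two controls are forced and why no capability check is needed, because the question David raises in his quoted reply ("Don't you have to make sure that setting these bits to 1 is supported?") is exactly what the next reader of this code will ask; the answer given at the top of the thread, that setup_vmcs_config() already requires CPU_BASED_CR8_LOAD_EXITING and CPU_BASED_CR8_STORE_EXITING in the minimum primary processor-based controls, belongs next to the code, e.g. `/* No TPR shadow: CR8 must trap or L2 gets the hardware CR8. Both controls are mandatory per setup_vmcs_config(). */`, and the commit message should say the same so the CVE fix is self-explaining. Also worth confirming, since the hunk does not show it, that the vmcs_write32() of the primary VM-execution controls from exec_control happens after this else branch; if exec_control had already been written to vmcs02 earlier in the function, the OR-ed bits would never reach the hardware and L2 would keep its CR8 access. The #ifdef CONFIG_X86_64 guard is reasonable on its face since CR8 is only reachable from 64-bit mode, but a one-line note on that in the comment would save the next reviewer the same question.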