Due to a combination of a bug in nEPT (patch 1), and a broken safety net elsewhere in the MMU code (patch 2), a malicious guest could use nested EPT to overwrite kernel memory.  In particular, the arrays in struct guest_walker could be accessed with index -1 and the "level" and "max_level" fields overwritten:

    struct guest_walker {
        int level;
        unsigned max_level;
        gfn_t table_gfn[PT_MAX_FULL_LEVELS];
        ...
    }

Because the level field is used as an index into the array, it is at least possible to overwrite the kernel stack and this should be treated as a possible guest-to-host escape on Intel hosts with nested virtualization enabled.

While the incorrect code in patch 1 is present since Linux 3.12, the bug only affects Linux kernels 4.6 and newer.  Therefore, stable kernels only need to apply the second patch, which has the advantage of applying more cleanly.

The bug was discovered by Ladislav (Ladi) Prosek from Red Hat.

Thanks,

Paolo

Ladi Prosek (2):
  KVM: nVMX: update last_nonleaf_level when initializing nested EPT
  KVM: MMU: always terminate page walks at level 1

 arch/x86/kvm/mmu.c         | 15 ++++++++-------
 arch/x86/kvm/paging_tmpl.h |  3 ++-
 2 files changed, 10 insertions(+), 8 deletions(-)

-- 
1.8.3.1
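The following is an added illustration of the memory-layout point made in the cover letter; it is not code from the patch series or from the kernel. It rebuilds struct guest_walker with the three fields quoted above, confirms with offsetof() that table_gfn[-1] occupies exactly the bytes of "level" and "max_level", and runs a deliberately simplified walk loop (toy_walk, a hypothetical model, not walk_addr_generic()) that records one table gfn per level. The loop stops either when it reaches a last_nonleaf_level value (the field patch 1 leaves stale for nested EPT; the toy uses 0 as the stale value, an assumption) or, when the terminate_at_level_1 flag is set, at level 1 (the safety net patch 2 restores). PT_MAX_FULL_LEVELS = 5, the gfn values and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed for the model only; the real constant lives in paging_tmpl.h. */
#define PT_MAX_FULL_LEVELS 5

typedef uint64_t gfn_t;

/* Layout as quoted in the cover letter; the fields after table_gfn are omitted. */
struct guest_walker {
	int level;
	unsigned max_level;
	gfn_t table_gfn[PT_MAX_FULL_LEVELS];
};

/* table_gfn[-1] starts sizeof(gfn_t) bytes before table_gfn[0].  With the
 * layout above that is offset 0: the 8 bytes holding level and max_level.
 * Returns 1 when that aliasing holds on this ABI. */
int index_minus_one_aliases_level(void)
{
	size_t minus_one = offsetof(struct guest_walker, table_gfn) - sizeof(gfn_t);

	return minus_one == offsetof(struct guest_walker, level) &&
	       minus_one + sizeof(int) == offsetof(struct guest_walker, max_level) &&
	       offsetof(struct guest_walker, max_level) + sizeof(unsigned) ==
	       offsetof(struct guest_walker, table_gfn);
}

/* Store table_gfn[idx] by byte offset so that a negative idx is a memcpy
 * inside the object rather than undefined pointer arithmetic. */
static void store_table_gfn(struct guest_walker *w, int idx, gfn_t gfn)
{
	ptrdiff_t off = (ptrdiff_t)offsetof(struct guest_walker, table_gfn) +
			(ptrdiff_t)idx * (ptrdiff_t)sizeof(gfn_t);

	memcpy((unsigned char *)w + off, &gfn, sizeof(gfn));
}

/*
 * Toy walk (hypothetical model, not the kernel's walker): descend one level
 * per iteration, recording the table gfn of the current level in
 * table_gfn[level - 1].  last_nonleaf_level models the field patch 1 fixes
 * up; when it is stale (0 here, by assumption) nothing stops the loop at
 * level 1 unless terminate_at_level_1, the safety net of patch 2, is set.
 * Returns the lowest table_gfn index written; -1 means the store landed on
 * level/max_level.  The toy stops after that store; the cover letter notes
 * the real walker can go on to overwrite the stack.
 */
int toy_walk(struct guest_walker *w, int last_nonleaf_level, int terminate_at_level_1)
{
	gfn_t gfn = 0x0000000200001000ULL;	/* constructed root table gfn */
	int lowest = w->level - 1;

	for (;;) {
		int idx = w->level - 1;

		if (idx < lowest)
			lowest = idx;
		store_table_gfn(w, idx, gfn);
		if (idx < 0)
			break;	/* the index -1 store described in the cover letter */
		if (w->level == last_nonleaf_level)
			break;
		if (terminate_at_level_1 && w->level == 1)
			break;
		w->level--;
		gfn += 0x100;	/* constructed: gfn of the next table down */
	}
	return lowest;
}

/* Walk from level 4 and report whether level/max_level survived intact. */
int walk_preserves_level(int last_nonleaf_level, int terminate_at_level_1)
{
	struct guest_walker w = { .level = 4, .max_level = 4 };

	toy_walk(&w, last_nonleaf_level, terminate_at_level_1);
	return w.level == 1 && w.max_level == 4;
}

int main(void)
{
	struct guest_walker w = { .level = 4, .max_level = 4 };

	printf("table_gfn[-1] aliases level/max_level: %d\n",
	       index_minus_one_aliases_level());

	toy_walk(&w, 0, 0);	/* stale last_nonleaf_level, no safety net */
	printf("buggy walk:  level=%d max_level=%u\n", w.level, w.max_level);

	w = (struct guest_walker){ .level = 4, .max_level = 4 };
	toy_walk(&w, 0, 1);	/* stale last_nonleaf_level, walk stops at level 1 */
	printf("fixed walk:  level=%d max_level=%u\n", w.level, w.max_level);
	return 0;
}
```

With both the stale last_nonleaf_level and no level-1 check the final store rewrites "level" with part of a guest-controlled gfn, which is why the cover letter treats the bug as a possible guest-to-host escape rather than a plain out-of-bounds read; either fix on its own (a correct last_nonleaf_level, or the unconditional stop at level 1) keeps the index non-negative, matching the note that stable kernels need only the second patch.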