If split lock detect is on (warn/fatal), #AC handler calls die() when split lock happens in kernel. Malicous guest can exploit the KVM emulator to trigger split lock #AC in kernel[1]. So just emulating the access as a write if it's a split-lock access (the same as access spans page) to avoid malicious attacking kernel. More discussion can be found [2][3]. [1] https://lore.kernel.org/lkml/8c5b11c9-58df-38e7-a514-dc12d687b198@xxxxxxxxxx/ [2] https://lkml.kernel.org/r/20200131200134.GD18946@xxxxxxxxxxxxxxx [3] https://lkml.kernel.org/r/20200227001117.GX9940@xxxxxxxxxxxxxxx Suggested-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> Signed-off-by: Xiaoyao Li <xiaoyao.li@xxxxxxxxx> --- arch/x86/include/asm/cpu.h | 2 ++ arch/x86/kernel/cpu/intel.c | 6 ++++++ arch/x86/kvm/x86.c | 7 ++++++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h index ff567afa6ee1..d2071f6a35ac 100644 --- a/arch/x86/include/asm/cpu.h +++ b/arch/x86/include/asm/cpu.h @@ -44,6 +44,7 @@ unsigned int x86_stepping(unsigned int sig); extern void __init cpu_set_core_cap_bits(struct cpuinfo_x86 *c); extern void switch_to_sld(unsigned long tifn); extern bool handle_user_split_lock(unsigned long ip); +extern bool split_lock_detect_on(void); #else static inline void __init cpu_set_core_cap_bits(struct cpuinfo_x86 *c) {} static inline void switch_to_sld(unsigned long tifn) {} @@ -51,5 +52,6 @@ static inline bool handle_user_split_lock(unsigned long ip) { return false; } +static inline bool split_lock_detect_on(void) { return false; } #endif #endif /* _ASM_X86_CPU_H */ diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c index c401d174c8db..de94957a11a4 100644 --- a/arch/x86/kernel/cpu/intel.c +++ b/arch/x86/kernel/cpu/intel.c @@ -1102,6 +1102,12 @@ static void split_lock_init(struct cpuinfo_x86 *c) sld_state = sld_disable; } +bool split_lock_detect_on(void) +{ + return sld_state == sld_warn || sld_state == sld_fatal; +} +EXPORT_SYMBOL_GPL(split_lock_detect_on); + bool handle_user_split_lock(unsigned long ip) { if (sld_state == sld_fatal) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 5de200663f51..1a0e6c0b1b39 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -5873,6 +5873,7 @@ static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt, { struct kvm_host_map map; struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); + u64 page_line_mask = PAGE_MASK; gpa_t gpa; char *kaddr; bool exchanged; @@ -5887,7 +5888,11 @@ static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt, (gpa & PAGE_MASK) == APIC_DEFAULT_PHYS_BASE) goto emul_write; - if (((gpa + bytes - 1) & PAGE_MASK) != (gpa & PAGE_MASK)) + if (split_lock_detect_on()) + page_line_mask = ~(cache_line_size() - 1); + + /* when write spans page or spans cache when SLD enabled */ + if (((gpa + bytes - 1) & page_line_mask) != (gpa & page_line_mask)) goto emul_write; if (kvm_vcpu_map(vcpu, gpa_to_gfn(gpa), &map)) -- 2.20.1
