Before commit 850448f35aaf ("KVM: nVMX: Fix VMX preemption timer migration") struct kvm_vmx_nested_state_hdr looked like: struct kvm_vmx_nested_state_hdr { __u64 vmxon_pa; __u64 vmcs12_pa; struct { __u16 flags; } smm; } The ABI got broken by the above mentioned commit and an attempt to fix that was made in commit 83d31e5271ac ("KVM: nVMX: fixes for preemption timer migration") which made the structure look like: struct kvm_vmx_nested_state_hdr { __u64 vmxon_pa; __u64 vmcs12_pa; struct { __u16 flags; } smm; __u32 flags; __u64 preemption_timer_deadline; }; The problem with this layout is that before both changes compilers were allocating 24 bytes for this and although smm.flags is padded to 8 bytes, it is initialized as a 2 byte value. Chances are that legacy userspaces using old layout will be passing uninitialized bytes which will slip into what is now known as 'flags'.

Suggested-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
Fixes: 850448f35aaf ("KVM: nVMX: Fix VMX preemption timer migration")
Fixes: 83d31e5271ac ("KVM: nVMX: fixes for preemption timer migration")
Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
---
- The patch breaks ABI so it needs to go into 5.8.
- This is a successor of "[PATCH] KVM: nVMX: properly pad struct kvm_vmx_nested_state_hdr"
---
 Documentation/virt/kvm/api.rst  | 5 +++--
 arch/x86/include/uapi/asm/kvm.h | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
index 320788f81a05..e75992ad856a 100644
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -4345,8 +4345,9 @@ Errors:
 	struct {
 		__u16 flags;
 	} smm;
-
-	__u32 flags;
+	__u16 pad16;
+	__u32 pad32;
+	__u64 flags;
 	__u64 preemption_timer_deadline;
   };
diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 0780f97c1850..4ecc6bd49818 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -414,8 +414,9 @@ struct kvm_vmx_nested_state_hdr {
 	struct {
 		__u16 flags;
 	} smm;
-
-	__u32 flags;
+	__u16 pad16;
+	__u32 pad32;
+	__u64 flags;
 	__u64 preemption_timer_deadline;
 };
-- 
2.25.4
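Review bot: The new `pad16`/`pad32` fields exist precisely because legacy userspace built against the 24-byte layout hands the kernel uninitialized bytes at offsets 18-23 (the tail padding after `smm.flags`), yet nothing in the hunk records that, and the usual uapi convention of rejecting non-zero padding or later repurposing it would re-break exactly those callers. I would put a comment above `__u16 pad16;`, e.g. `/* May hold garbage from pre-850448f35aaf userspace: never validate as zero, never reuse. */`. A `BUILD_BUG_ON(offsetof(struct kvm_vmx_nested_state_hdr, flags) != 24)` next to the code that consumes this header would pin `flags` at the old structure's end so the padding cannot silently drift in a later edit. Widening `flags` from `__u32` to `__u64` is visible in the hunk, and the set/get nested-state paths that mask and copy it presumably need checking against the new width; those, like the opening line of `struct kvm_vmx_nested_state_hdr`, are outside this hunk.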