From: Like Xu <likexu@xxxxxxxxxxx> A malicious user space can bypass xstate_get_guest_group_perm() in the KVM_GET_SUPPORTED_CPUID mechanism and obtain unpermitted xfeatures, since the validity check of xcr0 depends only on guest_supported_xcr0. Fixes: 445ecdf79be0 ("kvm: x86: Exclude unpermitted xfeatures at KVM_GET_SUPPORTED_CPUID") Signed-off-by: Like Xu <likexu@xxxxxxxxxxx> --- arch/x86/kvm/cpuid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 3902c28fb6cb..1bd4d560cbdd 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -266,7 +266,8 @@ static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu) vcpu->arch.guest_supported_xcr0 = 0; else vcpu->arch.guest_supported_xcr0 = - (best->eax | ((u64)best->edx << 32)) & supported_xcr0; + (best->eax | ((u64)best->edx << 32)) & + (supported_xcr0 & xstate_get_guest_group_perm()); /* * Bits 127:0 of the allowed SECS.ATTRIBUTES (CPUID.0x12.0x1) enumerate -- 2.33.1
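Review bot: The inner parentheses in `(supported_xcr0 & xstate_get_guest_group_perm())` are redundant, since `&` is associative and the whole expression is already one AND chain; dropping them lets the right-hand side stay on one line, matching the surrounding style in kvm_vcpu_after_set_cpuid(). More importantly, the commit message only says that "the validity check of xcr0 depends only on guest_supported_xcr0"; it should name the check being relied on so a reader can confirm that narrowing guest_supported_xcr0 at CPUID-set time is the single point that closes the bypass, and should state the user-visible effect before the fix (which xfeatures a guest could enable without permission). Note also that the mask is sampled once, when CPUID is set for the vCPU, so the permission state at that moment is what governs the guest from then on; a sentence in the message confirming that this is the intended semantics would help reviewers.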