> From: Like Xu <like.xu.linux@xxxxxxxxx>
> Sent: Sunday, January 23, 2022 1:50 PM
>
> From: Like Xu <likexu@xxxxxxxxxxx>
>
> A malicious user space can bypass xstate_get_guest_group_perm() in the
> KVM_GET_SUPPORTED_CPUID mechanism and obtain unpermitted xfeatures,
> since the validity check of xcr0 depends only on guest_supported_xcr0.

Unpermitted xfeatures cannot pass kvm_check_cpuid()...

>
> Fixes: 445ecdf79be0 ("kvm: x86: Exclude unpermitted xfeatures at
> KVM_GET_SUPPORTED_CPUID")
> Signed-off-by: Like Xu <likexu@xxxxxxxxxxx>
> ---
> arch/x86/kvm/cpuid.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index 3902c28fb6cb..1bd4d560cbdd 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -266,7 +266,8 @@ static void kvm_vcpu_after_set_cpuid(struct
> kvm_vcpu *vcpu)
> vcpu->arch.guest_supported_xcr0 = 0;
> else
> vcpu->arch.guest_supported_xcr0 =
> - (best->eax | ((u64)best->edx << 32)) &
> supported_xcr0;
> + (best->eax | ((u64)best->edx << 32)) &
> + (supported_xcr0 & xstate_get_guest_group_perm());
>
> /*
> * Bits 127:0 of the allowed SECS.ATTRIBUTES (CPUID.0x12.0x1)
> enumerate
> --
> 2.33.1
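Review bot: The commit message and the hunk disagree about where the problem is. The message names KVM_GET_SUPPORTED_CPUID as the bypass path, but the only change is in kvm_vcpu_after_set_cpuid(), i.e. the KVM_SET_CPUID side, and the reply above already points out that kvm_check_cpuid() rejects unpermitted xfeatures before this line is reached. Either the message should spell out the concrete sequence that lets guest_supported_xcr0 end up with bits not in xstate_get_guest_group_perm() despite kvm_check_cpuid(), or the extra `& xstate_get_guest_group_perm()` mask on the `+` lines is redundant with the existing check and should be dropped. Separately, the patch as mailed is line-wrapped: the `@@` header is split across `static void kvm_vcpu_after_set_cpuid(struct` and `kvm_vcpu *vcpu)`, and the `-` line is split from its `supported_xcr0;` continuation, so it will not apply with `git am`; please resend with a mailer that does not wrap, or via `git send-email`.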