On 24/1/2022 3:06 pm, Tian, Kevin wrote:
From: Like Xu <like.xu.linux@xxxxxxxxx>
Sent: Sunday, January 23, 2022 1:50 PM
From: Like Xu <likexu@xxxxxxxxxxx>
A malicious user space can bypass xstate_get_guest_group_perm() in the
KVM_GET_SUPPORTED_CPUID mechanism and obtain unpermitted xfeatures,
since the validity check of xcr0 depends only on guest_supported_xcr0.
Unpermitted xfeatures cannot pass kvm_check_cpuid()...
Indeed, 5ab2f45bba4894a0db4af8567da3efd6228dd010.
This part of logic is pretty fragile and fragmented due to semantic
inconsistencies between supported_xcr0 and guest_supported_xcr0
in other three places:
- __do_cpuid_func
- kvm_mpx_supported
- kvm_vcpu_ioctl_x86_set_xsave
Have you identified all their areas of use ?
Fixes: 445ecdf79be0 ("kvm: x86: Exclude unpermitted xfeatures at
KVM_GET_SUPPORTED_CPUID")
Signed-off-by: Like Xu <likexu@xxxxxxxxxxx>
---
arch/x86/kvm/cpuid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 3902c28fb6cb..1bd4d560cbdd 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -266,7 +266,8 @@ static void kvm_vcpu_after_set_cpuid(struct
kvm_vcpu *vcpu)
vcpu->arch.guest_supported_xcr0 = 0;
else
vcpu->arch.guest_supported_xcr0 =
- (best->eax | ((u64)best->edx << 32)) &
supported_xcr0;
+ (best->eax | ((u64)best->edx << 32)) &
+ (supported_xcr0 & xstate_get_guest_group_perm());
/*
* Bits 127:0 of the allowed SECS.ATTRIBUTES (CPUID.0x12.0x1)
enumerate
--
2.33.1