Sean Christopherson <seanjc@xxxxxxxxxx> writes:
> Reject Hyper-V hypercalls if the guest specifies a non-zero variable size
> header (var_cnt in KVM) for a hypercall that has a fixed header size.
> Per the TLFS:
>
> It is illegal to specify a non-zero variable header size for a
> hypercall that is not explicitly documented as accepting variable sized
> input headers. In such a case the hypercall will result in a return
> code of HV_STATUS_INVALID_HYPERCALL_INPUT.
>
> Note, at least some of the various DEBUG commands likely aren't allowed
> to use variable size headers, but the TLFS documentation doesn't clearly
> state what is/isn't allowed. Omit them for now to avoid unnecessary
> breakage.
>
> Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
> ---
> arch/x86/kvm/hyperv.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
> index f33a5e890048..522ccd2f0db4 100644
> --- a/arch/x86/kvm/hyperv.c
> +++ b/arch/x86/kvm/hyperv.c
> @@ -2250,14 +2250,14 @@ int kvm_hv_hypercall(struct kvm_vcpu *vcpu)
>
> switch (hc.code) {
> case HVCALL_NOTIFY_LONG_SPIN_WAIT:
> - if (unlikely(hc.rep)) {
> + if (unlikely(hc.rep || hc.var_cnt)) {
> ret = HV_STATUS_INVALID_HYPERCALL_INPUT;
> break;
> }
> kvm_vcpu_on_spin(vcpu, true);
> break;
> case HVCALL_SIGNAL_EVENT:
> - if (unlikely(hc.rep)) {
> + if (unlikely(hc.rep || hc.var_cnt)) {
> ret = HV_STATUS_INVALID_HYPERCALL_INPUT;
> break;
> }
> @@ -2267,7 +2267,7 @@ int kvm_hv_hypercall(struct kvm_vcpu *vcpu)
> fallthrough; /* maybe userspace knows this conn_id */
> case HVCALL_POST_MESSAGE:
> /* don't bother userspace if it has no way to handle it */
> - if (unlikely(hc.rep || !to_hv_synic(vcpu)->active)) {
> + if (unlikely(hc.rep || hc.var_cnt || !to_hv_synic(vcpu)->active)) {
> ret = HV_STATUS_INVALID_HYPERCALL_INPUT;
> break;
> }
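Review bot: Six copies of the same `hc.var_cnt` rejection (three in the -2250/-2267 hunks here, three more in the -2280 and -2308 hunks) leave the policy allow-by-default: a case arm not touched by this patch, or a hypercall added later, accepts a guest-supplied variable-size header unless its author remembers to add the check. Consider hoisting it in front of `switch (hc.code)` as one default-deny test that exempts only the codes documented to take variable headers, plus the DEBUG commands the description deliberately leaves alone, e.g. `if (unlikely(hc.var_cnt && !kvm_hv_hypercall_accepts_var_hdr(hc.code)))` setting `ret = HV_STATUS_INVALID_HYPERCALL_INPUT` (helper name is a suggestion), with a comment citing the TLFS rule quoted in the description. That puts the validation of guest-controlled header fields in one place and makes the short exemption list, rather than every case arm, the thing a reviewer audits. kvm_hv_hypercall() starts and ends outside the quoted hunks, so where `ret` is consumed after the switch cannot be confirmed from here.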
> @@ -2280,14 +2280,14 @@ int kvm_hv_hypercall(struct kvm_vcpu *vcpu)
> kvm_hv_hypercall_complete_userspace;
> return 0;
> case HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST:
> - if (unlikely(!hc.rep_cnt || hc.rep_idx)) {
> + if (unlikely(!hc.rep_cnt || hc.rep_idx || hc.var_cnt)) {
> ret = HV_STATUS_INVALID_HYPERCALL_INPUT;
> break;
> }
> ret = kvm_hv_flush_tlb(vcpu, &hc, false);
> break;
> case HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE:
> - if (unlikely(hc.rep)) {
> + if (unlikely(hc.rep || hc.var_cnt)) {
> ret = HV_STATUS_INVALID_HYPERCALL_INPUT;
> break;
> }
> @@ -2308,7 +2308,7 @@ int kvm_hv_hypercall(struct kvm_vcpu *vcpu)
> ret = kvm_hv_flush_tlb(vcpu, &hc, true);
> break;
> case HVCALL_SEND_IPI:
> - if (unlikely(hc.rep)) {
> + if (unlikely(hc.rep || hc.var_cnt)) {
> ret = HV_STATUS_INVALID_HYPERCALL_INPUT;
> break;
> }
Reviewed-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
--
Vitaly