Patch "KVM: nSVM: Check the value written to MSR_VM_HSAVE_PA" has been added to the 5.12-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 19 Jul 2021 10:57:43 +0200

This is a note to let you know that I've just added the patch titled

    KVM: nSVM: Check the value written to MSR_VM_HSAVE_PA

to the 5.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-nsvm-check-the-value-written-to-msr_vm_hsave_pa.patch
and it can be found in the queue-5.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From fce7e152ffc8f89d02a80617b16c7aa1527847c8 Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Date: Mon, 28 Jun 2021 12:44:20 +0200
Subject: KVM: nSVM: Check the value written to MSR_VM_HSAVE_PA

From: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>

commit fce7e152ffc8f89d02a80617b16c7aa1527847c8 upstream.

APM states that #GP is raised upon write to MSR_VM_HSAVE_PA when
the supplied address is not page-aligned or is outside of "maximum
supported physical address for this implementation".
page_address_valid() check seems suitable. Also, forcefully page-align
the address when it's written from VMM.

Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Message-Id: <20210628104425.391276-2-vkuznets@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
[Add comment about behavior for host-provided values. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kvm/svm/svm.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2982,7 +2982,16 @@ static int svm_set_msr(struct kvm_vcpu *
 			svm_disable_lbrv(vcpu);
 		break;
 	case MSR_VM_HSAVE_PA:
-		svm->nested.hsave_msr = data;
+		/*
+		 * Old kernels did not validate the value written to
+		 * MSR_VM_HSAVE_PA.  Allow KVM_SET_MSR to set an invalid
+		 * value to allow live migrating buggy or malicious guests
+		 * originating from those kernels.
+		 */
+		if (!msr->host_initiated && !page_address_valid(vcpu, data))
+			return 1;
+
+		svm->nested.hsave_msr = data & PAGE_MASK;
 		break;
 	case MSR_VM_CR:
 		return svm_set_vm_cr(vcpu, data);


Patches currently in stable-queue which might be from vkuznets@xxxxxxxxxx are

queue-5.12/kvm-nsvm-check-the-value-written-to-msr_vm_hsave_pa.patch






