This is a note to let you know that I've just added the patch titled
KVM: x86: smm: number of GPRs in the SMRAM image depends on the image format
to the 6.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
kvm-x86-smm-number-of-gprs-in-the-smram-image-depends-on-the-image-format.patch
and it can be found in the queue-6.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 696db303e54f7352623d9f640e6c51d8fa9d5588 Mon Sep 17 00:00:00 2001
From: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
Date: Tue, 25 Oct 2022 15:47:32 +0300
Subject: KVM: x86: smm: number of GPRs in the SMRAM image depends on the image format
From: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
commit 696db303e54f7352623d9f640e6c51d8fa9d5588 upstream.
On 64 bit host, if the guest doesn't have X86_FEATURE_LM, KVM will
access 16 gprs to 32-bit smram image, causing out-ouf-bound ram
access.
On 32 bit host, the rsm_load_state_64/enter_smm_save_state_64
is compiled out, thus access overflow can't happen.
Fixes: b443183a25ab61 ("KVM: x86: Reduce the number of emulator GPRs to '8' for 32-bit KVM")
Signed-off-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
Reviewed-by: Sean Christopherson <seanjc@xxxxxxxxxx>
Message-Id: <20221025124741.228045-15-mlevitsk@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
arch/x86/kvm/emulate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2430,7 +2430,7 @@ static int rsm_load_state_32(struct x86_
ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7ff4) | X86_EFLAGS_FIXED;
ctxt->_eip = GET_SMSTATE(u32, smstate, 0x7ff0);
- for (i = 0; i < NR_EMULATOR_GPRS; i++)
+ for (i = 0; i < 8; i++)
*reg_write(ctxt, i) = GET_SMSTATE(u32, smstate, 0x7fd0 + i * 4);
val = GET_SMSTATE(u32, smstate, 0x7fcc);
@@ -2487,7 +2487,7 @@ static int rsm_load_state_64(struct x86_
u16 selector;
int i, r;
- for (i = 0; i < NR_EMULATOR_GPRS; i++)
+ for (i = 0; i < 16; i++)
*reg_write(ctxt, i) = GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8);
ctxt->_eip = GET_SMSTATE(u64, smstate, 0x7f78);
Patches currently in stable-queue which might be from mlevitsk@xxxxxxxxxx are
queue-6.0/kvm-x86-emulator-update-the-emulation-mode-after-cr0-write.patch
queue-6.0/kvm-x86-emulator-update-the-emulation-mode-after-rsm.patch
queue-6.0/kvm-x86-emulator-introduce-emulator_recalc_and_set_mode.patch
queue-6.0/kvm-x86-emulator-em_sysexit-should-update-ctxt-mode.patch
queue-6.0/kvm-x86-smm-number-of-gprs-in-the-smram-image-depends-on-the-image-format.patch
