This is a note to let you know that I've just added the patch titled KVM: x86: forcibly leave nested mode on vCPU reset to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: kvm-x86-forcibly-leave-nested-mode-on-vcpu-reset.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From ed129ec9057f89d615ba0c81a4984a90345a1684 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk@xxxxxxxxxx> Date: Thu, 3 Nov 2022 16:13:46 +0200 Subject: KVM: x86: forcibly leave nested mode on vCPU reset From: Maxim Levitsky <mlevitsk@xxxxxxxxxx> commit ed129ec9057f89d615ba0c81a4984a90345a1684 upstream. While not obivous, kvm_vcpu_reset() leaves the nested mode by clearing 'vcpu->arch.hflags' but it does so without all the required housekeeping. On SVM, it is possible to have a vCPU reset while in guest mode because unlike VMX, on SVM, INIT's are not latched in SVM non root mode and in addition to that L1 doesn't have to intercept triple fault, which should also trigger L1's reset if happens in L2 while L1 didn't intercept it. If one of the above conditions happen, KVM will continue to use vmcb02 while not having in the guest mode. Later the IA32_EFER will be cleared which will lead to freeing of the nested guest state which will (correctly) free the vmcb02, but since KVM still uses it (incorrectly) this will lead to a use after free and kernel crash. This issue is assigned CVE-2022-3344 Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx> Message-Id: <20221103141351.50662-5-mlevitsk@xxxxxxxxxx> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/x86/kvm/x86.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11111,8 +11111,18 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcp unsigned long new_cr0; u32 eax, dummy; + /* + * SVM doesn't unconditionally VM-Exit on INIT and SHUTDOWN, thus it's + * possible to INIT the vCPU while L2 is active. Force the vCPU back + * into L1 as EFER.SVME is cleared on INIT (along with all other EFER + * bits), i.e. virtualization is disabled. + */ + if (is_guest_mode(vcpu)) + kvm_leave_nested(vcpu); + kvm_lapic_reset(vcpu, init_event); + WARN_ON_ONCE(is_guest_mode(vcpu) || is_smm(vcpu)); vcpu->arch.hflags = 0; vcpu->arch.smi_pending = 0; Patches currently in stable-queue which might be from mlevitsk@xxxxxxxxxx are queue-5.15/kvm-x86-nsvm-harden-svm_free_nested-against-freeing-vmcb02-while-still-in-use.patch queue-5.15/kvm-x86-forcibly-leave-nested-mode-on-vcpu-reset.patch queue-5.15/kvm-x86-nsvm-leave-nested-mode-on-vcpu-free.patch queue-5.15/kvm-x86-add-kvm_leave_nested.patch queue-5.15/kvm-x86-remove-exit_int_info-warning-in-svm_handle_exit.patch