[PATCH 5.4 0/1] KVM: backport fix for CVE-2021-38198

The backport was validated by running the kvm-unit-tests testcase [1] mentioned
in the commit message.

Before the patch
----------------
root@intel-x86-64:~# modprobe kvm_intel ept=0
root@intel-x86-64:~# cat /sys/module/kvm_intel/parameters/ept
N
root@intel-x86-64:~# ./access
BUILD_HEAD=ba3c9773
timeout -k 1s --foreground 3600 /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults -device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none -serial stdio -device pci-testdev -machine accel=kvm -kernel /tmp/tmp.V6ME9Ebamh -smp 1 -cpu max # -initrd /tmp/tmp.DycLfAySkL
enabling apic
starting test

run
CR4.PKE not available, disabling PKE tests
..........................................................................................
test pte.p pte.rw pte.user pte.a pte.d pde.p pde.rw pde.user pde.a pdpte.ro user write: FAIL: unexpected access
Dump mapping: address: 0x1234c0200000
------L4: 5d72027
------L3: 5d71025
------L2: 5d74027
------L1: 2000067
check_effective_sp_permissions: write access at4 should fail

5898246 tests, 1 failures
FAIL access

After the patch
---------------
root@intel-x86-64:~# modprobe kvm_intel ept=0
root@intel-x86-64:~# cat /sys/module/kvm_intel/parameters/ept
N
root@intel-x86-64:~# ./access
BUILD_HEAD=ba3c9773
timeout -k 1s --foreground 3600 /usr/bin/qemu-system-x86_64 --no-reboot -nodefaults -device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none -serial stdio -device pci-testdev -machine accel=kvm -kernel /tmp/tmp.UmWsRrn6l0 -smp 1 -cpu max # -initrd /tmp/tmp.Up02J8RkHY
enabling apic
starting test

run
CR4.PKE not available, disabling PKE tests
..........................................................................................
5898246 tests, 0 failures
PASS access

[1] https://gitlab.com/kvm-unit-tests/kvm-unit-tests/-/commit/47fd6bc54674fb1d8a29c55305042689e8692522

Lai Jiangshan (1):
  KVM: X86: MMU: Use the correct inherited permissions to get shadow
    page

 Documentation/virt/kvm/mmu.txt |  4 ++--
 arch/x86/kvm/paging_tmpl.h     | 14 +++++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)

-- 
2.25.1



