Re: [PATCH 5.15 1/1] KVM: SEV: add cache flush to solve SEV cache incoherency issues

On Wed, Sep 21, 2022 at 11:58:51AM +0300, Ovidiu Panait wrote:
> From: Mingwei Zhang <mizhang@xxxxxxxxxx>
> 
> commit 683412ccf61294d727ead4a73d97397396e69a6b upstream.
> 
> Flush the CPU caches when memory is reclaimed from an SEV guest (where
> reclaim also includes it being unmapped from KVM's memslots).  Due to lack
> of coherency for SEV encrypted memory, failure to flush results in silent
> data corruption if userspace is malicious/broken and doesn't ensure SEV
> guest memory is properly pinned and unpinned.
> 
> Cache coherency is not enforced across the VM boundary in SEV (AMD APM
> vol.2 Section 15.34.7). Confidential cachelines, generated by confidential
> VM guests have to be explicitly flushed on the host side. If a memory page
> containing dirty confidential cachelines was released by VM and reallocated
> to another user, the cachelines may corrupt the new user at a later time.
> 
> KVM takes a shortcut by assuming all confidential memory remains pinned
> until the end of VM lifetime. Therefore, KVM does not flush cache at
> mmu_notifier invalidation events. Because of this incorrect assumption and
> the lack of cache flushing, malicious userspace can crash the host kernel:
> creating a malicious VM and continuously allocating/releasing unpinned
> confidential memory pages while the VM is running.
> 
> Add cache flush operations to mmu_notifier operations to ensure that any
> physical memory leaving the guest VM gets flushed. In particular, hook
> mmu_notifier_invalidate_range_start and mmu_notifier_release events and
> flush cache accordingly. The hooks run after releasing the mmu lock to avoid
> contention with other vCPUs.
> 
> Cc: stable@xxxxxxxxxxxxxxx
> Suggested-by: Sean Christopherson <seanjc@xxxxxxxxxx>
> Reported-by: Mingwei Zhang <mizhang@xxxxxxxxxx>
> Signed-off-by: Mingwei Zhang <mizhang@xxxxxxxxxx>
> Message-Id: <20220421031407.2516575-4-mizhang@xxxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> [OP: adjusted KVM_X86_OP_OPTIONAL() -> KVM_X86_OP_NULL, applied
> kvm_arch_guest_memory_reclaimed() call in kvm_set_memslot()]
> Signed-off-by: Ovidiu Panait <ovidiu.panait@xxxxxxxxxxxxx>
> ---
> This fixes CVE-2022-0171.

Now queued up, thanks.

greg k-h
