6a5acf7...
by
Maxim Levitsky <email address hidden>
UBUNTU: SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested
If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable
Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor),
then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only
possible by making L0 intercept these instructions.
Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted,
and thus read/write portions of the host physical memory.
This fixes CVE-2021-3656, which was discovered by Maxim Levitsky and
Paolo Bonzini.
Fixes: 89c8a4984fc9 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature")
Signed-off-by: Maxim Levitsky <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
CVE-2021-3656
[cascardo: applied 5.4 version considering svm.c split, adding to nested.c]
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Ben Romer <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
0ae55cb...
by
Maxim Levitsky <email address hidden>
UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
This fixes CVE-2021-3653 that allowed a malicious L1 to run L2 with
AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
AVIC to read/write the host physical memory at some offsets.
The bug was discovered by Maxim Levitsky.
Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Signed-off-by: Maxim Levitsky <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
CVE-2021-3653
[cascardo: svm_clr_intercept is clr_intercept due to missing
a284ba56a0a4b5a84733a19934196c19277b1b07]
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Ben Romer <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
As a preparatory change for implementing nSVM-specific PGD switch
(following nVMX' nested_vmx_load_cr3()), introduce nested_svm_load_cr3()
instead of relying on kvm_set_cr3().
No functional change intended.
Signed-off-by: Vitaly Kuznetsov <email address hidden>
Message-Id: <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
(cherry picked from commit 62156f6cd15ab27cf19a97161b5f1820951a36b1)
CVE-2021-3653
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Ben Romer <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>