Commit 2307af1c authored Jun 29, 2018 by Liran Alon Committed by Paolo Bonzini Jul 18, 2018

KVM: VMX: Mark VMXArea with revision_id of physical CPU even when eVMCS enabled



When eVMCS is enabled, all VMCS allocated to be used by KVM are marked
with revision_id of KVM_EVMCS_VERSION instead of revision_id reported
by MSR_IA32_VMX_BASIC.

However, even though not explictly documented by TLFS, VMXArea passed
as VMXON argument should still be marked with revision_id reported by
physical CPU.

This issue was found by the following setup:
* L0 = KVM which expose eVMCS to it's L1 guest.
* L1 = KVM which consume eVMCS reported by L0.
This setup caused the following to occur:
1) L1 execute hardware_enable().
2) hardware_enable() calls kvm_cpu_vmxon() to execute VMXON.
3) L0 intercept L1 VMXON and execute handle_vmon() which notes
vmxarea->revision_id != VMCS12_REVISION and therefore fails with
nested_vmx_failInvalid() which sets RFLAGS.CF.
4) L1 kvm_cpu_vmxon() don't check RFLAGS.CF for failure and therefore
hardware_enable() continues as usual.
5) L1 hardware_enable() then calls ept_sync_global() which executes
INVEPT.
6) L0 intercept INVEPT and execute handle_invept() which notes
!vmx->nested.vmxon and thus raise a #UD to L1.
7) Raised #UD caused L1 to panic.

Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Cc: stable@vger.kernel.org
Fixes: 773e8a04
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent 9432a317

arch/x86/kvm/vmx.c

+21 −6

Original line number	Diff line number	Diff line
		@@ -4108,10 +4108,6 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
		vmcs_conf->order = get_order(vmcs_conf->size);
		vmcs_conf->basic_cap = vmx_msr_high & ~0x1fff;

		/* KVM supports Enlightened VMCS v1 only */
		if (static_branch_unlikely(&enable_evmcs))
		vmcs_conf->revision_id = KVM_EVMCS_VERSION;
		else
		vmcs_conf->revision_id = vmx_msr_low;

		vmcs_conf->pin_based_exec_ctrl = _pin_based_exec_control;
		@@ -4182,7 +4178,13 @@ static struct vmcs *alloc_vmcs_cpu(int cpu)
		return NULL;
		vmcs = page_address(pages);
		memset(vmcs, 0, vmcs_config.size);
		vmcs->revision_id = vmcs_config.revision_id; /* vmcs revision id */

		/* KVM supports Enlightened VMCS v1 only */
		if (static_branch_unlikely(&enable_evmcs))
		vmcs->revision_id = KVM_EVMCS_VERSION;
		else
		vmcs->revision_id = vmcs_config.revision_id;

		return vmcs;
		}

		@@ -4341,6 +4343,19 @@ static __init int alloc_kvm_area(void)
		return -ENOMEM;
		}

		/*
		* When eVMCS is enabled, alloc_vmcs_cpu() sets
		* vmcs->revision_id to KVM_EVMCS_VERSION instead of
		* revision_id reported by MSR_IA32_VMX_BASIC.
		*
		* However, even though not explictly documented by
		* TLFS, VMXArea passed as VMXON argument should
		* still be marked with revision_id reported by
		* physical CPU.
		*/
		if (static_branch_unlikely(&enable_evmcs))
		vmcs->revision_id = vmcs_config.revision_id;

		per_cpu(vmxarea, cpu) = vmcs;
		}
		return 0;