arch/x86/kvm/cpuid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
From: Like Xu <likexu@tencent.com>
A malicious user space can bypass xstate_get_guest_group_perm() in the
KVM_GET_SUPPORTED_CPUID mechanism and obtain unpermitted xfeatures,
since the validity check of xcr0 depends only on guest_supported_xcr0.
Fixes: 445ecdf79be0 ("kvm: x86: Exclude unpermitted xfeatures at KVM_GET_SUPPORTED_CPUID")
Signed-off-by: Like Xu <likexu@tencent.com>
---
arch/x86/kvm/cpuid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 3902c28fb6cb..1bd4d560cbdd 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -266,7 +266,8 @@ static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
vcpu->arch.guest_supported_xcr0 = 0;
else
vcpu->arch.guest_supported_xcr0 =
- (best->eax | ((u64)best->edx << 32)) & supported_xcr0;
+ (best->eax | ((u64)best->edx << 32)) &
+ (supported_xcr0 & xstate_get_guest_group_perm());
/*
* Bits 127:0 of the allowed SECS.ATTRIBUTES (CPUID.0x12.0x1) enumerate
--
2.33.1
> From: Like Xu <like.xu.linux@gmail.com>
> Sent: Sunday, January 23, 2022 1:50 PM
>
> From: Like Xu <likexu@tencent.com>
>
> A malicious user space can bypass xstate_get_guest_group_perm() in the
> KVM_GET_SUPPORTED_CPUID mechanism and obtain unpermitted xfeatures,
> since the validity check of xcr0 depends only on guest_supported_xcr0.
Unpermitted xfeatures cannot pass kvm_check_cpuid()...
>
> Fixes: 445ecdf79be0 ("kvm: x86: Exclude unpermitted xfeatures at
> KVM_GET_SUPPORTED_CPUID")
> Signed-off-by: Like Xu <likexu@tencent.com>
> ---
> arch/x86/kvm/cpuid.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index 3902c28fb6cb..1bd4d560cbdd 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -266,7 +266,8 @@ static void kvm_vcpu_after_set_cpuid(struct
> kvm_vcpu *vcpu)
> vcpu->arch.guest_supported_xcr0 = 0;
> else
> vcpu->arch.guest_supported_xcr0 =
> - (best->eax | ((u64)best->edx << 32)) &
> supported_xcr0;
> + (best->eax | ((u64)best->edx << 32)) &
> + (supported_xcr0 & xstate_get_guest_group_perm());
>
> /*
> * Bits 127:0 of the allowed SECS.ATTRIBUTES (CPUID.0x12.0x1)
> enumerate
> --
> 2.33.1
On 24/1/2022 3:06 pm, Tian, Kevin wrote:
>> From: Like Xu <like.xu.linux@gmail.com>
>> Sent: Sunday, January 23, 2022 1:50 PM
>>
>> From: Like Xu <likexu@tencent.com>
>>
>> A malicious user space can bypass xstate_get_guest_group_perm() in the
>> KVM_GET_SUPPORTED_CPUID mechanism and obtain unpermitted xfeatures,
>> since the validity check of xcr0 depends only on guest_supported_xcr0.
>
> Unpermitted xfeatures cannot pass kvm_check_cpuid()...
Indeed, 5ab2f45bba4894a0db4af8567da3efd6228dd010.
This part of logic is pretty fragile and fragmented due to semantic
inconsistencies between supported_xcr0 and guest_supported_xcr0
in other three places:
- __do_cpuid_func
- kvm_mpx_supported
- kvm_vcpu_ioctl_x86_set_xsave
Have you identified all their areas of use ?
>
>>
>> Fixes: 445ecdf79be0 ("kvm: x86: Exclude unpermitted xfeatures at
>> KVM_GET_SUPPORTED_CPUID")
>> Signed-off-by: Like Xu <likexu@tencent.com>
>> ---
>> arch/x86/kvm/cpuid.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
>> index 3902c28fb6cb..1bd4d560cbdd 100644
>> --- a/arch/x86/kvm/cpuid.c
>> +++ b/arch/x86/kvm/cpuid.c
>> @@ -266,7 +266,8 @@ static void kvm_vcpu_after_set_cpuid(struct
>> kvm_vcpu *vcpu)
>> vcpu->arch.guest_supported_xcr0 = 0;
>> else
>> vcpu->arch.guest_supported_xcr0 =
>> - (best->eax | ((u64)best->edx << 32)) &
>> supported_xcr0;
>> + (best->eax | ((u64)best->edx << 32)) &
>> + (supported_xcr0 & xstate_get_guest_group_perm());
>>
>> /*
>> * Bits 127:0 of the allowed SECS.ATTRIBUTES (CPUID.0x12.0x1)
>> enumerate
>> --
>> 2.33.1
>
© 2016 - 2026 Red Hat, Inc.