From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Christopherson, Paolo Bonzini
Subject: [PATCH 5.18 0034/1095] KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks
Date: Mon, 15 Aug 2022 19:50:33 +0200
Message-Id: <20220815180430.794025583@linuxfoundation.org>
In-Reply-To: <20220815180429.240518113@linuxfoundation.org>
References: <20220815180429.240518113@linuxfoundation.org>

From: Sean Christopherson

commit ca58f3aa53d165afe4ab74c755bc2f6d168617ac upstream.

Check that the guest (L2) and host (L1) CR4 values that would be loaded by
nested VM-Enter and VM-Exit respectively are valid with respect to KVM's
(L0 host) allowed CR4 bits. Failure to check KVM reserved bits would allow
L1 to load an illegal CR4 (or trigger hardware VM-Fail or failed VM-Entry)
by massaging guest CPUID to allow features that are not supported by KVM.

Amusingly, KVM itself is an accomplice in its doom, as KVM adjusts L1's
MSR_IA32_VMX_CR4_FIXED1 to allow L1 to enable bits for L2 based on L1's
CPUID model.

Note, although nested_{guest,host}_cr4_valid() are _currently_ used if and
only if the vCPU is post-VMXON (nested.vmxon == true), that may not be true
in the future, e.g. emulating VMXON has a bug where it doesn't check the
allowed/required CR0/CR4 bits.

Cc: stable@vger.kernel.org
Fixes: 3899152ccbf4 ("KVM: nVMX: fix checks on CR{0,4} during virtual VMX operation")
Signed-off-by: Sean Christopherson
Message-Id: <20220607213604.3346000-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/vmx/nested.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx/nested.h
+++ b/arch/x86/kvm/vmx/nested.h
@@ -281,7 +281,8 @@ static inline bool nested_cr4_valid(stru u64 fixed0 =3D to_vmx(vcpu)->nested.msrs.cr4_fixed0; u64 fixed1 =3D to_vmx(vcpu)->nested.msrs.cr4_fixed1; =20 - return fixed_bits_valid(val, fixed0, fixed1); + return fixed_bits_valid(val, fixed0, fixed1) && + __kvm_is_valid_cr4(vcpu, val); } =20 /* No difference in the restrictions on guest and host CR4 in VMX operatio= n. */
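Review bot: the `+` lines in nested_cr4_valid() introduce a call to __kvm_is_valid_cr4(), but the diffstat shows arch/x86/kvm/vmx/nested.h as the only file touched and no include is added, so this 5.18 backport only builds if the header declaring __kvm_is_valid_cr4() is already reachable from nested.h; the upstream Message-Id ending in -3-seanjc@google.com points to an earlier patch in that series, so confirm its prerequisite is queued ahead of 0034/1095. The logic of the hunk itself reads correctly: the existing fixed0/fixed1 test short-circuits first, and the trailing comment about guest and host CR4 sharing the same restrictions indicates both nested_guest_cr4_valid() and nested_host_cr4_valid() pick up the new L0 reserved-bit check through this one helper.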
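The consistency check the commit message describes, modelled in C as an added example (this is not the kernel's code): fixed_bits_valid() is reimplemented with the same rule KVM uses, kvm_is_valid_cr4() stands in for __kvm_is_valid_cr4(), and the CR4 bit masks (KVM_ALLOWED_CR4, L1_CR4_FIXED1 widened by an unsupported bit) are constructed for the scenario, not taken from real KVM tables.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed bit positions for this example. CR4_VMXE and CR4_PAE sit at
 * their real x86 positions (bits 13 and 5); CR4_UNSUPPORTED is a made-up
 * feature bit that L1's massaged CPUID advertises but KVM does not support. */
#define CR4_VMXE        (1ULL << 13)
#define CR4_PAE         (1ULL << 5)
#define CR4_UNSUPPORTED (1ULL << 22)

/* What KVM (the L0 host) allows in CR4 for this vCPU (constructed mask). */
#define KVM_ALLOWED_CR4 (CR4_VMXE | CR4_PAE)

/* L1's VMX CR4 MSRs as KVM would adjust them from L1's CPUID model: FIXED1
 * has been widened to include CR4_UNSUPPORTED even though L0 rejects it. */
#define L1_CR4_FIXED0   CR4_VMXE
#define L1_CR4_FIXED1   (KVM_ALLOWED_CR4 | CR4_UNSUPPORTED)

/* Same rule as KVM's fixed_bits_valid(), reimplemented here: every bit set
 * in fixed0 must be set in val, and val may set no bit that is clear in fixed1. */
static bool fixed_bits_valid(uint64_t val, uint64_t fixed0, uint64_t fixed1)
{
    return ((val & fixed0) == fixed0) && ((val & fixed1) == val);
}

/* Stand-in for __kvm_is_valid_cr4(): reject any bit the L0 host reserves. */
static bool kvm_is_valid_cr4(uint64_t val)
{
    return (val & ~KVM_ALLOWED_CR4) == 0;
}

/* Check as it was before the patch: only L1's FIXED0/FIXED1 MSRs are consulted. */
static bool nested_cr4_valid_before(uint64_t val)
{
    return fixed_bits_valid(val, L1_CR4_FIXED0, L1_CR4_FIXED1);
}

/* Check after the patch: the L0 reserved-bit test is appended, so a value
 * that L1's widened FIXED1 permits but KVM does not support is rejected. */
static bool nested_cr4_valid_after(uint64_t val)
{
    return fixed_bits_valid(val, L1_CR4_FIXED0, L1_CR4_FIXED1) &&
           kvm_is_valid_cr4(val);
}
```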