From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: seanjc@google.com, xinyang@anthropic.com, stable@vger.kernel.org Subject: [PATCH 2/5] KVM: SVM: check validity of VMCB when returning from SMM Date: Tue, 10 Mar 2026 21:24:11 +0100 Message-ID: <20260310202414.406078-3-pbonzini@redhat.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260310202414.406078-1-pbonzini@redhat.com> References: <20260310202414.406078-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The VMCB12 is stored in guest memory and can be mangled while in SMM; it is then reloaded by svm_leave_smm(), but it is not checked again for validity. Move the check code out of vmx_set_nested_state() (the other "not a VMLAUNCH/VMRESUME" path that emulates a nested vmentry) and reuse it in svm_leave_smm(). Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini --- arch/x86/kvm/svm/nested.c | 12 ++++++++++-- arch/x86/kvm/svm/svm.c | 4 ++++ arch/x86/kvm/svm/svm.h | 1 + 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 7b61124051a7..de9906adb73b 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -419,6 +419,15 @@ static bool nested_vmcb_check_controls(struct kvm_vcpu= *vcpu) return __nested_vmcb_check_controls(vcpu, ctl); } =20 +int nested_svm_check_cached_vmcb12(struct kvm_vcpu *vcpu) +{ + if (!nested_vmcb_check_save(vcpu) || + !nested_vmcb_check_controls(vcpu)) + return -EINVAL; + + return 0; +} + /* * If a feature is not advertised to L1, clear the corresponding vmcb12 * intercept. 
@@ -1034,8 +1043,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu) nested_copy_vmcb_control_to_cache(svm, &vmcb12->control); nested_copy_vmcb_save_to_cache(svm, &vmcb12->save); =20 - if (!nested_vmcb_check_save(vcpu) || - !nested_vmcb_check_controls(vcpu)) { + if (nested_svm_check_cached_vmcb12(vcpu) < 0) { vmcb12->control.exit_code =3D SVM_EXIT_ERR; vmcb12->control.exit_info_1 =3D 0; vmcb12->control.exit_info_2 =3D 0; diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 477fda63653b..95495048902c 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -4890,6 +4890,10 @@ static int svm_leave_smm(struct kvm_vcpu *vcpu, cons= t union kvm_smram *smram) vmcb12 =3D map.hva; nested_copy_vmcb_control_to_cache(svm, &vmcb12->control); nested_copy_vmcb_save_to_cache(svm, &vmcb12->save); + + if (nested_svm_check_cached_vmcb12(vcpu) < 0) + goto unmap_save; + ret =3D enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12, f= alse); =20 if (ret) diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index ebd7b36b1ceb..6942e6b0eda6 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -797,6 +797,7 @@ static inline int nested_svm_simple_vmexit(struct vcpu_= svm *svm, u32 exit_code) =20 int nested_svm_exit_handled(struct vcpu_svm *svm); int nested_svm_check_permissions(struct kvm_vcpu *vcpu); +int nested_svm_check_cached_vmcb12(struct kvm_vcpu *vcpu); int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr, bool has_error_code, u32 error_code); int nested_svm_exit_special(struct vcpu_svm *svm); --=20 2.53.0
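Review bot: in the arch/x86/kvm/svm/nested.c hunks, the commit message says the check code is moved out of vmx_set_nested_state() (presumably svm_set_nested_state() is meant in an SVM patch), but the diffstat lists only nested.c, svm.c and svm.h, and neither nested.c hunk touches svm_set_nested_state(); what the visible lines do is factor the `nested_vmcb_check_save()` / `nested_vmcb_check_controls()` pair out of nested_svm_vmrun() into the new `nested_svm_check_cached_vmcb12()`. Either reword the message to say the helper is extracted from nested_svm_vmrun(), or include the svm_set_nested_state() call site in this patch so that both "not a VMRUN" entry paths (set_nested_state and leave_smm) demonstrably go through the same helper.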
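Review bot: in the svm_leave_smm() hunk of arch/x86/kvm/svm/svm.c, the new `goto unmap_save` on a failed `nested_svm_check_cached_vmcb12()` jumps out without assigning `ret`; in the visible lines `ret` is only set by the later `enter_svm_guest_mode()` call, so unless it already holds an error value at this point a mangled VMCB12 would be reported to the caller as a successful RSM. Suggest setting it explicitly, e.g. `if (nested_svm_check_cached_vmcb12(vcpu) < 0) { ret = -EINVAL; goto unmap_save; }`, and adding a one-line comment noting that, unlike nested_svm_vmrun() which turns a bad VMCB12 into a #VMEXIT with `SVM_EXIT_ERR`, the SMM-return path fails the RSM outright.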