[linux] 02/02: [x86] kvm:vmx: more complete state update on APICv on/off (CVE-2016-4440)
debian-kernel at lists.debian.org
Mon May 23 01:48:00 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit 5bec7a0097cf4c57eeca03bba7c8eebacea56029
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon May 23 02:35:36 2016 +0100
[x86] kvm:vmx: more complete state update on APICv on/off (CVE-2016-4440)
---
debian/changelog | 1 +
...ore-complete-state-update-on-apicv-on-off.patch | 101 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 103 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 2644177..5767ec0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -94,6 +94,7 @@ linux (4.5.5-1) UNRELEASED; urgency=medium
* aufs: Update support patches to aufs4.5-20160523
- mmap: Fix use-after-free in remap_file_pages(2)
* Revert "stmmac: Fix 'eth0: No PHY found' regression" (Closes: #823493)
+ * [x86] kvm:vmx: more complete state update on APICv on/off (CVE-2016-4440)
-- Salvatore Bonaccorso <carnil at debian.org> Sat, 21 May 2016 16:47:59 +0200
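Review bot: the new changelog line repeats only the upstream subject, which does not tell a user reading the Debian changelog what CVE-2016-4440 is about; since this is a security fix, the entry should carry the impact stated in the patch description below, e.g. "(CVE-2016-4440): a guest with Hyper-V SynIC enabled could switch to x2APIC and gain direct access to host APIC MSRs", so that the security relevance survives in the package's own history rather than only in the imported patch header.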
diff --git a/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch b/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
new file mode 100644
index 0000000..ca5e6ad
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
@@ -0,0 +1,101 @@
+From: Roman Kagan <rkagan at virtuozzo.com>
+Subject: kvm:vmx: more complete state update on APICv on/off
+Date: Wed, 18 May 2016 17:48:20 +0300
+Origin: http://article.gmane.org/gmane.comp.emulators.kvm.devel/152191
+
+The function to update APICv on/off state (in particular, to deactivate
+it when enabling Hyper-V SynIC), used to be incomplete: it didn't adjust
+APICv-related fields among secondary processor-based VM-execution
+controls.
+
+As a result, Windows 2012 guests would get stuck when SynIC-based
+auto-EOI interrupt intersected with e.g. an IPI in the guest.
+
+In addition, the MSR intercept bitmap wasn't updated to correspond to
+whether "virtualize x2APIC mode" was enabled. This path used not to be
+triggered, since Windows didn't use x2APIC but rather their own
+synthetic APIC access MSRs; however it represented a security risk
+because the guest running in a SynIC-enabled VM could switch to x2APIC
+and thus obtain direct access to host APIC MSRs (thanks to Yang Zhang
+<yang.zhang.wz at gmail.com> for spotting this).
+
+The patch fixes those omissions.
+
+Signed-off-by: Roman Kagan <rkagan at virtuozzo.com>
+Cc: Steve Rutherford <srutherford at google.com>
+Cc: Yang Zhang <yang.zhang.wz at gmail.com>
+---
+ arch/x86/kvm/vmx.c | 48 ++++++++++++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 18 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2397,7 +2397,9 @@ static void vmx_set_msr_bitmap(struct kv
+
+ if (is_guest_mode(vcpu))
+ msr_bitmap = vmx_msr_bitmap_nested;
+- else if (vcpu->arch.apic_base & X2APIC_ENABLE) {
++ else if (cpu_has_secondary_exec_ctrls() &&
++ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) &
++ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) {
+ if (is_long_mode(vcpu))
+ msr_bitmap = vmx_msr_bitmap_longmode_x2apic;
+ else
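Review bot: the new condition keys the choice of the x2APIC MSR bitmaps on the VMCS actually having SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE set, rather than on the guest's apic_base having X2APIC_ENABLE, and that is the correct invariant because those bitmaps disable read intercepts for the x2APIC MSR range (see the 0x800-0x8ff loop in hardware_setup below) and are only safe when the hardware is virtualizing that range; the hunk should say so in a one-line comment above the `else if`, otherwise a later cleanup could reintroduce the apic_base test and with it the host-MSR exposure this patch closes. Also, `vmcs_read32()` assumes the vCPU's VMCS is current, so confirm every caller of `vmx_set_msr_bitmap()` runs with that VMCS loaded (the `is_guest_mode()` branch above suggests it is called from vCPU context, but that is not visible here).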
+@@ -4758,6 +4760,19 @@ static void vmx_refresh_apicv_exec_ctrl(
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, vmx_pin_based_exec_ctrl(vmx));
++ if (cpu_has_secondary_exec_ctrls()) {
++ if (kvm_vcpu_apicv_active(vcpu))
++ vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL,
++ SECONDARY_EXEC_APIC_REGISTER_VIRT |
++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
++ else
++ vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL,
++ SECONDARY_EXEC_APIC_REGISTER_VIRT |
++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
++ }
++
++ if (cpu_has_vmx_msr_bitmap())
++ vmx_set_msr_bitmap(vcpu);
+ }
+
+ static u32 vmx_exec_control(struct vcpu_vmx *vmx)
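Review bot: the mask `SECONDARY_EXEC_APIC_REGISTER_VIRT | SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY` is spelled out twice in the set and clear branches; a local such as `u32 apicv_bits = SECONDARY_EXEC_APIC_REGISTER_VIRT | SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY;` used in both `vmcs_set_bits()` and `vmcs_clear_bits()` would keep the two branches from drifting. It is also worth a comment that `vmx_set_msr_bitmap()` is re-run here because the bitmap selection (first hunk) now depends on VMCS secondary controls, so the bitmap must be refreshed whenever those controls change, not only when the guest's APIC base changes; that dependency is the reason the `cpu_has_vmx_msr_bitmap()` block sits in this function, and nothing in the hunk states it.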
+@@ -6313,23 +6328,20 @@ static __init int hardware_setup(void)
+
+ set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */
+
+- if (enable_apicv) {
+- for (msr = 0x800; msr <= 0x8ff; msr++)
+- vmx_disable_intercept_msr_read_x2apic(msr);
+-
+- /* According SDM, in x2apic mode, the whole id reg is used.
+- * But in KVM, it only use the highest eight bits. Need to
+- * intercept it */
+- vmx_enable_intercept_msr_read_x2apic(0x802);
+- /* TMCCT */
+- vmx_enable_intercept_msr_read_x2apic(0x839);
+- /* TPR */
+- vmx_disable_intercept_msr_write_x2apic(0x808);
+- /* EOI */
+- vmx_disable_intercept_msr_write_x2apic(0x80b);
+- /* SELF-IPI */
+- vmx_disable_intercept_msr_write_x2apic(0x83f);
+- }
++ for (msr = 0x800; msr <= 0x8ff; msr++)
++ vmx_disable_intercept_msr_read_x2apic(msr);
++
++ /* According SDM, in x2apic mode, the whole id reg is used. But in
++ * KVM, it only use the highest eight bits. Need to intercept it */
++ vmx_enable_intercept_msr_read_x2apic(0x802);
++ /* TMCCT */
++ vmx_enable_intercept_msr_read_x2apic(0x839);
++ /* TPR */
++ vmx_disable_intercept_msr_write_x2apic(0x808);
++ /* EOI */
++ vmx_disable_intercept_msr_write_x2apic(0x80b);
++ /* SELF-IPI */
++ vmx_disable_intercept_msr_write_x2apic(0x83f);
+
+ if (enable_ept) {
+ kvm_mmu_set_mask_ptes(0ull,
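Review bot: populating the x2APIC intercept bitmaps unconditionally instead of only under `enable_apicv` is needed now that `vmx_set_msr_bitmap()` selects them based on the VMCS control rather than on APICv being enabled, but the hunk gives no comment explaining why the block was hoisted, and a reader of hardware_setup() will see only that the guard disappeared; add a short comment above the 0x800-0x8ff loop tying it to the bitmap selection in `vmx_set_msr_bitmap()`. Since the comment block is being rewritten anyway, its grammar could be fixed at the same time ("According to the SDM, in x2APIC mode the whole ID register is used, but KVM only uses the highest eight bits, so the read must be intercepted"). Note that this is the imported upstream patch, so both points would be better raised upstream than carried as a Debian-only divergence.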
diff --git a/debian/patches/series b/debian/patches/series
index b3a2c96..d9d98dc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -139,6 +139,7 @@ bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch
bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch
# ABI maintenance
+bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
debian/ib-fix-abi-change-in-4.5.3.patch
debian/v4l2-fix-abi-changes-in-4.5.3.patch
debian/cgroup-fix-abi-change-in-4.5.3.patch
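Review bot: the new entry is inserted after the `# ABI maintenance` comment, among the `debian/*-fix-abi-change-*.patch` entries, but it is a bugfix/x86 patch, not an ABI-maintenance patch; it should go before the `# ABI maintenance` line, next to `bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch`, so that the series keeps its bugfix / ABI grouping and the ABI patches continue to apply last.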
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git