diff options
| author | Petr Matousek <pmatouse@redhat.com> | 2014-09-23 14:22:30 -0400 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2014-10-24 07:21:17 -0400 |
| commit | a642fc305053cc1c6e47e4f4df327895747ab485 (patch) | |
| tree | 48da06189a7291eb22fb92520c75ccf7f5a88e58 /arch/x86/kvm | |
| parent | d1442d85cc30ea75f7d399474ca738e0bc96f715 (diff) | |
kvm: vmx: handle invvpid vm exit gracefully
On systems with invvpid instruction support (corresponding bit in
IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
causes vm exit, which is currently not handled and results in
propagation of unknown exit to userspace.
Fix this by installing an invvpid vm exit handler.
This is CVE-2014-3646.
Cc: stable@vger.kernel.org
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'arch/x86/kvm')
| -rw-r--r-- | arch/x86/kvm/vmx.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 7e2c098b59c9..cf3cd079ec52 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c | |||
| @@ -6746,6 +6746,12 @@ static int handle_invept(struct kvm_vcpu *vcpu) | |||
| 6746 | return 1; | 6746 | return 1; |
| 6747 | } | 6747 | } |
| 6748 | 6748 | ||
| 6749 | static int handle_invvpid(struct kvm_vcpu *vcpu) | ||
| 6750 | { | ||
| 6751 | kvm_queue_exception(vcpu, UD_VECTOR); | ||
| 6752 | return 1; | ||
| 6753 | } | ||
| 6754 | |||
| 6749 | /* | 6755 | /* |
| 6750 | * The exit handlers return 1 if the exit was handled fully and guest execution | 6756 | * The exit handlers return 1 if the exit was handled fully and guest execution |
| 6751 | * may resume. Otherwise they set the kvm_run parameter to indicate what needs | 6757 | * may resume. Otherwise they set the kvm_run parameter to indicate what needs |
| @@ -6791,6 +6797,7 @@ static int (*const kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = { | |||
| 6791 | [EXIT_REASON_MWAIT_INSTRUCTION] = handle_mwait, | 6797 | [EXIT_REASON_MWAIT_INSTRUCTION] = handle_mwait, |
| 6792 | [EXIT_REASON_MONITOR_INSTRUCTION] = handle_monitor, | 6798 | [EXIT_REASON_MONITOR_INSTRUCTION] = handle_monitor, |
| 6793 | [EXIT_REASON_INVEPT] = handle_invept, | 6799 | [EXIT_REASON_INVEPT] = handle_invept, |
| 6800 | [EXIT_REASON_INVVPID] = handle_invvpid, | ||
| 6794 | }; | 6801 | }; |
| 6795 | 6802 | ||
| 6796 | static const int kvm_vmx_max_exit_handlers = | 6803 | static const int kvm_vmx_max_exit_handlers = |
| @@ -7026,7 +7033,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu) | |||
| 7026 | case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: | 7033 | case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: |
| 7027 | case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: | 7034 | case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: |
| 7028 | case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: | 7035 | case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: |
| 7029 | case EXIT_REASON_INVEPT: | 7036 | case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID: |
| 7030 | /* | 7037 | /* |
| 7031 | * VMX instructions trap unconditionally. This allows L1 to | 7038 | * VMX instructions trap unconditionally. This allows L1 to |
| 7032 | * emulate them for its L2 guest, i.e., allows 3-level nesting! | 7039 | * emulate them for its L2 guest, i.e., allows 3-level nesting! |