Sean Christopherson 9d9933f7f3 KVM: x86: Don't let userspace set host-reserved cr4 bits
commit b11306b53b upstream.

Calculate the host-reserved cr4 bits at runtime based on the system's
capabilities (using logic similar to __do_cpuid_func()), and use the
dynamically generated mask for the reserved bit check in kvm_set_cr4()
instead of using the static CR4_RESERVED_BITS define.  This prevents
userspace from "enabling" features in cr4 that are not supported by the
system, e.g. by ignoring KVM_GET_SUPPORTED_CPUID and specifying a bogus
CPUID for the vCPU.

Allowing userspace to set unsupported bits in cr4 can lead to a variety
of undesirable behavior, e.g. failed VM-Enter, and in general increases
KVM's attack surface.  A crafty userspace can even abuse CR4.LA57 to
induce an unchecked #GP on a WRMSR.

On a platform without LA57 support:

  KVM_SET_CPUID2 // CPUID_7_0_ECX.LA57 = 1
  KVM_SET_SREGS  // CR4.LA57 = 1
  KVM_SET_MSRS   // KERNEL_GS_BASE = 0x0004000000000000
  KVM_RUN

leads to a #GP when writing KERNEL_GS_BASE into hardware:

  unchecked MSR access error: WRMSR to 0xc0000102 (tried to write 0x0004000000000000)
  at rIP: 0xffffffffa00f239a (vmx_prepare_switch_to_guest+0x10a/0x1d0 [kvm_intel])
  Call Trace:
   kvm_arch_vcpu_ioctl_run+0x671/0x1c70 [kvm]
   kvm_vcpu_ioctl+0x36b/0x5d0 [kvm]
   do_vfs_ioctl+0xa1/0x620
   ksys_ioctl+0x66/0x70
   __x64_sys_ioctl+0x16/0x20
   do_syscall_64+0x4c/0x170
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x7fc08133bf47

Note, the above sequence fails VM-Enter due to invalid guest state.
Userspace can allow VM-Enter to succeed (after the WRMSR #GP) by adding
a KVM_SET_SREGS w/ CR4.LA57=0 after KVM_SET_MSRS, in which case KVM will
technically leak the host's KERNEL_GS_BASE into the guest.  But, as
KERNEL_GS_BASE is a userspace-defined value/address, the leak is largely
benign as a malicious userspace would simply be exposing its own data to
the guest, and attacking a benevolent userspace would require multiple
bugs in the userspace VMM.

Cc: stable@vger.kernel.org
Cc: Jun Nakajima <jun.nakajima@intel.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-11 04:35:41 -08:00
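The following is an added illustration of the check the commit message describes; it is not KVM's code and the file listing below is unrelated to it. The CR4 bit positions are the architectural ones, but `struct cpu_features`, its field names, the `cr4_check_*` functions, the sample capability sets and the simplification that the legacy bits 0-10 are always allowed are all constructed for this example. It contrasts a check that gates feature bits only on the (userspace-supplied) guest CPUID with one that first masks against a reserved set derived from the host's own capabilities, and shows that a bogus CPUID advertising LA57 gets CR4.LA57 past the former but not the latter.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural CR4 bit positions for the feature-gated bits. */
#define X86_CR4_UMIP     (1ULL << 11)
#define X86_CR4_LA57     (1ULL << 12)
#define X86_CR4_FSGSBASE (1ULL << 16)
#define X86_CR4_PCIDE    (1ULL << 17)
#define X86_CR4_OSXSAVE  (1ULL << 18)
#define X86_CR4_SMEP     (1ULL << 20)
#define X86_CR4_SMAP     (1ULL << 21)
#define X86_CR4_PKE      (1ULL << 22)

#define CR4_FEATURE_BITS (X86_CR4_UMIP | X86_CR4_LA57 | X86_CR4_FSGSBASE | \
                          X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | \
                          X86_CR4_SMAP | X86_CR4_PKE)

/* Static mask in the spirit of CR4_RESERVED_BITS: every bit that is neither a
 * legacy bit (0-10, treated as always allowed here; a constructed
 * simplification) nor one of the feature-gated bits above. */
#define CR4_STATIC_RESERVED (~(0x7ffULL | CR4_FEATURE_BITS))

/* Constructed capability set; stands in for what __do_cpuid_func()-style
 * logic would learn from the hardware (host) or from KVM_SET_CPUID2 (guest). */
struct cpu_features {
    bool umip, la57, fsgsbase, pcid, xsave, smep, smap, pku;
};

/* Derive the reserved mask at runtime from a capability set: the static
 * reserved bits plus every feature bit the capability set lacks. */
uint64_t cr4_reserved_bits(const struct cpu_features *f)
{
    uint64_t reserved = CR4_STATIC_RESERVED;

    if (!f->umip)     reserved |= X86_CR4_UMIP;
    if (!f->la57)     reserved |= X86_CR4_LA57;
    if (!f->fsgsbase) reserved |= X86_CR4_FSGSBASE;
    if (!f->pcid)     reserved |= X86_CR4_PCIDE;
    if (!f->xsave)    reserved |= X86_CR4_OSXSAVE;
    if (!f->smep)     reserved |= X86_CR4_SMEP;
    if (!f->smap)     reserved |= X86_CR4_SMAP;
    if (!f->pku)      reserved |= X86_CR4_PKE;
    return reserved;
}

/* Pre-fix shape: only the guest CPUID gates the feature bits, and userspace
 * chooses the guest CPUID, so it can "enable" bits the host does not have. */
int cr4_check_guest_only(uint64_t cr4, const struct cpu_features *guest)
{
    return (cr4 & cr4_reserved_bits(guest)) ? -EINVAL : 0;
}

/* Post-fix shape: the host-derived mask is applied first, so a feature the
 * hardware lacks is rejected regardless of what the guest CPUID claims. */
int cr4_check_host_and_guest(uint64_t cr4, const struct cpu_features *host,
                             const struct cpu_features *guest)
{
    if (cr4 & cr4_reserved_bits(host))
        return -EINVAL;
    if (cr4 & cr4_reserved_bits(guest))
        return -EINVAL;
    return 0;
}

/* Constructed sample: a host without LA57, and a guest CPUID that claims it. */
const struct cpu_features host_no_la57 = {
    .umip = true, .la57 = false, .fsgsbase = true, .pcid = true,
    .xsave = true, .smep = true, .smap = true, .pku = true,
};
const struct cpu_features guest_claims_la57 = {
    .umip = true, .la57 = true, .fsgsbase = true, .pcid = true,
    .xsave = true, .smep = true, .smap = true, .pku = true,
};

int main(void)
{
    uint64_t cr4 = 0x20 /* PAE */ | X86_CR4_LA57;

    printf("guest-CPUID-only check: %d\n",
           cr4_check_guest_only(cr4, &guest_claims_la57));
    printf("host-masked check:      %d\n",
           cr4_check_host_and_guest(cr4, &host_no_la57, &guest_claims_la57));
    return 0;
}
```

Run stand-alone, the guest-only check accepts CR4.LA57 on the LA57-less host (returns 0) while the host-masked check rejects it (returns -EINVAL); a CR4 value using only features the host has passes both, and a bit no CPU defines is rejected by both through the static part of the mask.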
Documentation PM / devfreq: Add new name attribute for sysfs 2020-02-05 21:22:40 +00:00
LICENSES
arch KVM: x86: Don't let userspace set host-reserved cr4 bits 2020-02-11 04:35:41 -08:00
block block: fix memleak of bio integrity data 2020-01-26 10:01:09 +01:00
certs
crypto crypto: api - Fix race condition in crypto_spawn_alg 2020-02-11 04:35:31 -08:00
drivers bcache: add readahead cache policy options via sysfs interface 2020-02-11 04:35:37 -08:00
fs aio: prevent potential eventfd recursion on poll 2020-02-11 04:35:37 -08:00
include x86/kvm: Cache gfn to pfn translation 2020-02-11 04:35:40 -08:00
init Revert "um: Enable CONFIG_CONSTRUCTORS" 2020-02-01 09:34:53 +00:00
ipc ipc/msg.c: consolidate all xxxctl_down() functions 2020-02-11 04:35:07 -08:00
kernel bpf, devmap: Pass lockdep expression to RCU lists 2020-02-11 04:35:29 -08:00
lib lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() 2020-02-11 04:35:14 -08:00
mm mm: move_pages: report the number of non-attempted pages 2020-02-11 04:35:13 -08:00
net sunrpc: expiry_time should be seconds not timeval 2020-02-11 04:35:35 -08:00
samples samples/bpf: Xdp_redirect_cpu fix missing tracepoint attach 2020-02-11 04:35:29 -08:00
scripts scripts/find-unused-docs: Fix massive false positives 2020-02-11 04:35:23 -08:00
security tomoyo: Use atomic_t for statistics counter 2020-02-05 21:22:41 +00:00
sound ASoC: SOF: core: release resources on errors in probe_continue 2020-02-11 04:35:27 -08:00
tools tools/kvm_stat: Fix kvm_exit filter name 2020-02-11 04:35:36 -08:00
usr gen_initramfs_list.sh: fix 'bad variable name' error 2020-01-09 10:20:00 +01:00
virt x86/kvm: Cache gfn to pfn translation 2020-02-11 04:35:40 -08:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore Modules updates for v5.4 2019-09-22 10:34:46 -07:00
.mailmap ARM: SoC fixes 2019-11-10 13:41:59 -08:00
COPYING
CREDITS MAINTAINERS: Remove Simon as Renesas SoC Co-Maintainer 2019-10-10 08:12:51 -07:00
Kbuild
Kconfig
MAINTAINERS MAINTAINERS: correct entries for ISDN/mISDN section 2020-02-11 04:35:06 -08:00
Makefile Linux 5.4.18 2020-02-05 21:22:53 +00:00
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.