Commit 1f74d79
KVM: X86: Fix userspace set invalid CR4
commit 3ca9419 upstream.
Reported by syzkaller:
WARNING: CPU: 0 PID: 6544 at /home/kernel/data/kvm/arch/x86/kvm//vmx/vmx.c:4689 handle_desc+0x37/0x40 [kvm_intel]
CPU: 0 PID: 6544 Comm: a.out Tainted: G OE 5.3.0-rc4+ #4
RIP: 0010:handle_desc+0x37/0x40 [kvm_intel]
Call Trace:
vmx_handle_exit+0xbe/0x6b0 [kvm_intel]
vcpu_enter_guest+0x4dc/0x18d0 [kvm]
kvm_arch_vcpu_ioctl_run+0x407/0x660 [kvm]
kvm_vcpu_ioctl+0x3ad/0x690 [kvm]
do_vfs_ioctl+0xa2/0x690
ksys_ioctl+0x6d/0x80
__x64_sys_ioctl+0x1a/0x20
do_syscall_64+0x74/0x720
entry_SYSCALL_64_after_hwframe+0x49/0xbe
When CR4.UMIP is set, guest should have UMIP cpuid flag. Current
kvm set_sregs function doesn't have such a check when userspace inputs
sregs values. SECONDARY_EXEC_DESC is enabled on writes to CR4.UMIP
in vmx_set_cr4 though guest doesn't have UMIP cpuid flag. The testcase
triggers handle_desc warning when executing ltr instruction since
guest architectural CR4 doesn't set UMIP. This patch fixes it by
adding valid CR4 and CPUID combination checking in __set_sregs.
syzkaller source: https://syzkaller.appspot.com/x/repro.c?x=138efb99600000
Reported-by: syzbot+0f1819555fbdce992df9@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent b1344c6 commit 1f74d79
1 file changed, +21 −17 lines changed
[Diff body not reproduced on this page; three hunks: old lines 884-917 / new lines 884-925, old lines 8598-8607 / new lines 8606-8611, old lines 8620-8626 / new lines 8624-8630.]
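The commit message describes the class of bug: userspace hands the hypervisor a CR4 value whose UMIP bit is set while the guest's CPUID does not advertise UMIP, and because set_sregs never cross-checked the two, VMX enabled descriptor-table exiting and later hit the handle_desc warning. The following is an added, stand-alone C model of the check the message says the patch introduces (valid CR4 and CPUID combination checking before the value is applied); it is not the commit's own code and does not use KVM's data structures. The feature-flag enum, the `cr4_deps` table and the `set_sregs_cr4` function are hypothetical stand-ins. It generalizes beyond UMIP to the other CR4 bits that the Intel SDM makes reserved when the corresponding CPUID feature is absent; the CR4 bit positions are the architectural ones.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CR4 bit positions from the Intel SDM (Vol. 3A, control registers). */
#define CR4_UMIP     (1ULL << 11)
#define CR4_LA57     (1ULL << 12)
#define CR4_FSGSBASE (1ULL << 16)
#define CR4_PCIDE    (1ULL << 17)
#define CR4_OSXSAVE  (1ULL << 18)
#define CR4_SMEP     (1ULL << 20)
#define CR4_SMAP     (1ULL << 21)
#define CR4_PKE      (1ULL << 22)

/* Hypothetical guest feature bitmap: a stand-in for the CPUID leaves the
 * hypervisor exposes to the guest. Not KVM's representation. */
enum guest_feature {
    FEAT_UMIP     = 1u << 0,
    FEAT_LA57     = 1u << 1,
    FEAT_FSGSBASE = 1u << 2,
    FEAT_PCID     = 1u << 3,
    FEAT_XSAVE    = 1u << 4,
    FEAT_SMEP     = 1u << 5,
    FEAT_SMAP     = 1u << 6,
    FEAT_PKU      = 1u << 7,
};

/* Each CR4 bit that is architecturally reserved unless the matching
 * CPUID feature is present. Setting such a bit on real hardware raises #GP,
 * so a guest CR4 that has it set without the feature is never legitimate. */
struct cr4_dep {
    uint64_t cr4_bit;
    uint32_t feature;
    const char *name;
};

static const struct cr4_dep cr4_deps[] = {
    { CR4_UMIP,     FEAT_UMIP,     "UMIP"     },
    { CR4_LA57,     FEAT_LA57,     "LA57"     },
    { CR4_FSGSBASE, FEAT_FSGSBASE, "FSGSBASE" },
    { CR4_PCIDE,    FEAT_PCID,     "PCIDE"    },
    { CR4_OSXSAVE,  FEAT_XSAVE,    "OSXSAVE"  },
    { CR4_SMEP,     FEAT_SMEP,     "SMEP"     },
    { CR4_SMAP,     FEAT_SMAP,     "SMAP"     },
    { CR4_PKE,      FEAT_PKU,      "PKE"      },
};

/* Return the name of the first CR4 bit that is set although the guest lacks
 * the feature that permits it, or NULL when cr4 is consistent with CPUID. */
const char *cr4_first_invalid_bit(uint64_t cr4, uint32_t guest_features)
{
    size_t i;
    for (i = 0; i < sizeof(cr4_deps) / sizeof(cr4_deps[0]); i++) {
        if ((cr4 & cr4_deps[i].cr4_bit) && !(guest_features & cr4_deps[i].feature))
            return cr4_deps[i].name;
    }
    return NULL;
}

bool cr4_valid_for_guest(uint64_t cr4, uint32_t guest_features)
{
    return cr4_first_invalid_bit(cr4, guest_features) == NULL;
}

/* Hypothetical set_sregs-style handler: validate the userspace-supplied CR4
 * against guest CPUID before it is committed to the vCPU, rejecting with
 * -EINVAL rather than letting the backend act on an impossible state. */
int set_sregs_cr4(uint64_t *vcpu_cr4, uint64_t requested_cr4, uint32_t guest_features)
{
    if (!cr4_valid_for_guest(requested_cr4, guest_features))
        return -EINVAL;
    *vcpu_cr4 = requested_cr4;
    return 0;
}

int main(void)
{
    uint64_t cr4 = 0;
    /* Constructed scenario from the report: guest CPUID has no UMIP, userspace
     * asks for CR4.UMIP. The check refuses it instead of enabling desc exiting. */
    int rc = set_sregs_cr4(&cr4, CR4_UMIP | CR4_SMEP, FEAT_SMEP);
    printf("UMIP without CPUID.UMIP: rc=%d (bad bit: %s)\n", rc,
           cr4_first_invalid_bit(CR4_UMIP | CR4_SMEP, FEAT_SMEP));
    /* Same request once the guest actually advertises UMIP: accepted. */
    rc = set_sregs_cr4(&cr4, CR4_UMIP | CR4_SMEP, FEAT_SMEP | FEAT_UMIP);
    printf("UMIP with CPUID.UMIP: rc=%d cr4=0x%llx\n", rc, (unsigned long long)cr4);
    return 0;
}
```

The point of the table-driven form is that the same check is reused wherever guest state enters from an untrusted source (set_sregs, guest mov-to-CR4 emulation, nested state restore), so a bit that the backend treats as an execution-control trigger can never be reached without the CPUID promise that makes it meaningful.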