
Commit 727ba74

felixwilhelmbonzini
authored andcommitted
kvm: nVMX: Enforce cpl=0 for VMX instructions
VMX instructions executed inside a L1 VM will always trigger a VM exit even when executed with cpl 3. This means we must perform the privilege check in software. Fixes: 70f3aac("kvm: nVMX: Remove superfluous VMX instruction fault checks") Cc: stable@vger.kernel.org Signed-off-by: Felix Wilhelm <fwilhelm@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 parent f4160e4 commit 727ba74


1 file changed

+13
-2
lines changed


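--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7905,6 +7905,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
 return 1;
 }
 
+/* CPL=0 must be checked manually. */
+if (vmx_get_cpl(vcpu)) {
+kvm_queue_exception(vcpu, UD_VECTOR);
+return 1;
+}
+
 if (vmx->nested.vmxon) {
 nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
 return kvm_skip_emulated_instruction(vcpu);
@@ -7964,6 +7970,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
 */
 static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
 {
+if (vmx_get_cpl(vcpu)) {
+kvm_queue_exception(vcpu, UD_VECTOR);
+return 0;
+}
+
 if (!to_vmx(vcpu)->nested.vmxon) {
 kvm_queue_exception(vcpu, UD_VECTOR);
 return 0;
@@ -8283,7 +8294,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
 if (get_vmx_mem_address(vcpu, exit_qualification,
 vmx_instruction_info, true, &gva))
 return 1;
-/* _system ok, as hardware has verified cpl=0 */
+/* _system ok, nested_vmx_check_permission has verified cpl=0 */
 kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
 &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
 }
@@ -8448,7 +8459,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
 if (get_vmx_mem_address(vcpu, exit_qualification,
 vmx_instruction_info, true, &vmcs_gva))
 return 1;
-/* ok to use *_system, as hardware has verified cpl=0 */
+/* *_system ok, nested_vmx_check_permission has verified cpl=0 */
 if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
 (void *)&to_vmx(vcpu)->nested.current_vmptr,
 sizeof(u64), &e)) {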
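Review bot: The new privilege check in handle_vmon, and the matching one at the top of nested_vmx_check_permission, queue #UD for CPL > 0, whereas the Intel SDM specifies #GP(0) for VMX instructions executed at CPL > 0 once the #UD conditions have passed; `kvm_inject_gp(vcpu, 0);` in place of `kvm_queue_exception(vcpu, UD_VECTOR);` would keep the guest-visible fault identical to bare metal. In nested_vmx_check_permission the CPL test also runs before the `nested.vmxon` test, so a CPL 3 caller outside VMX operation takes the privilege path first; placing the new block after the vmxon check would preserve the architectural fault priority. The reworded comments in handle_vmread and handle_vmptrst rely on nested_vmx_check_permission having been called earlier in those handlers, which is outside the visible hunks, so it is worth confirming that every handler using the `*_system` accessors goes through it. All four function bodies extend beyond the hunks shown.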
