    KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC · e90c6ad2
    Radim Krčmář authored
    commit d048c098 upstream.
    
    msr bitmap can be used to avoid a VM exit (interception) on guest MSR
    accesses.  In some configurations of VMX controls, the guest can even
    directly access host's x2APIC MSRs.  See SDM 29.5 VIRTUALIZING MSR-BASED
    APIC ACCESSES.
    
    L2 could read all L0's x2APIC MSRs and write TPR, EOI, and SELF_IPI.
    To do so, L1 would first trick KVM to disable all possible interceptions
    by enabling APICv features and then would turn those features off;
    nested_vmx_merge_msr_bitmap() only disabled interceptions, so VMX would
    not intercept previously enabled MSRs even though they were not safe
    with the new configuration.
    
    Correctly re-enabling interceptions is not enough as a second bug would
    still allow L1+L2 to access host's MSRs: msr bitmap was shared for all
    VMCSs, so L1 could trigger a race to get the desired combination of msr
    bitmap and VMX controls.
    
    This fix allocates a msr bitmap for every L1 VCPU, allows only safe
    x2APIC MSRs from L1's msr bitmap, and disables msr bitmaps if they would
    have to intercept everything anyway.
    
    Fixes: 3af18d9c ("KVM: nVMX: Prepare for using hardware MSR bitmap")
    Reported-by: Jim Mattson <jmattson@google.com>
    Suggested-by: Wincy Van <fanwenyi0529@gmail.com>
    Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
    Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
    [bwh: Backported to 4.4:
     - handle_vmon() doesn't allocate a cached vmcs12
     - Adjust context]
    Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
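The merge rule the commit message describes (start from "intercept everything", open only the x2APIC MSRs that the currently enabled controls make safe, and only where L1's own bitmap also passes them through; fall back to no bitmap at all when nothing can be opened) as an added C model. This is illustration written for this page, not the kernel's code and not the diff of this commit; `struct l1_vmx_ctrls`, `merge_msr_bitmap`, `msr_intercepted`, `msr_set_intercept` and `l2_passthrough_mask` are hypothetical names, the L1 bitmap contents are constructed, and the 4 KiB bitmap layout and the mapping of controls to virtualized MSRs follow SDM 29.5 as cited in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* VMX MSR bitmap: one 4 KiB page. Bytes 0-1023 are the read bitmap for MSRs
 * 0x0-0x1fff, bytes 1024-2047 the read bitmap for 0xc0000000-0xc0001fff, and
 * bytes 2048-4095 the two write bitmaps in the same order. Set bit = VM exit. */
#define MSR_BITMAP_SIZE 4096
#define MSR_TYPE_R 1
#define MSR_TYPE_W 2

/* The x2APIC MSR range and the registers the commit message names. */
#define X2APIC_MSR_FIRST    0x800u
#define X2APIC_MSR_LAST     0x8ffu
#define X2APIC_MSR_ID       0x802u
#define X2APIC_MSR_TPR      0x808u
#define X2APIC_MSR_EOI      0x80bu
#define X2APIC_MSR_SELF_IPI 0x83fu

/* Hypothetical stand-in for the controls in L1's vmcs12 (not KVM's struct). */
struct l1_vmx_ctrls {
    bool use_msr_bitmap;     /* "use MSR bitmaps" */
    bool virt_x2apic_mode;   /* "virtualize x2APIC mode": TPR accesses */
    bool apic_reg_virt;      /* "APIC-register virtualization": x2APIC reads */
    bool virt_intr_delivery; /* "virtual-interrupt delivery": EOI, SELF IPI writes */
};

/* Byte holding msr's bit in the read or write half; -1 if the MSR is outside
 * both covered ranges (such accesses always exit). */
static int bitmap_byte(uint32_t msr, int type)
{
    int base = (type == MSR_TYPE_W) ? 2048 : 0;
    if (msr <= 0x1fffu)
        return base + (int)(msr / 8);
    if (msr >= 0xc0000000u && msr <= 0xc0001fffu)
        return base + 1024 + (int)((msr - 0xc0000000u) / 8);
    return -1;
}

bool msr_intercepted(const uint8_t *bm, uint32_t msr, int type)
{
    int byte = bitmap_byte(msr, type);
    return byte < 0 || ((bm[byte] >> (msr % 8)) & 1);
}

void msr_set_intercept(uint8_t *bm, uint32_t msr, int type, bool intercept)
{
    int byte = bitmap_byte(msr, type);
    uint8_t bit = (uint8_t)(1u << (msr % 8));
    if (byte >= 0)
        bm[byte] = (uint8_t)(intercept ? (bm[byte] | bit) : (bm[byte] & ~bit));
}

/* Open an access for L2 only where L1's own bitmap also leaves it open. */
static void merge_one(uint8_t *l0, const uint8_t *l1, uint32_t msr, int types)
{
    for (int t = MSR_TYPE_R; t <= MSR_TYPE_W; t++)
        if ((types & t) && !msr_intercepted(l1, msr, t))
            msr_set_intercept(l0, msr, t, false);
}

/* Build the bitmap used while L2 runs: start from "intercept everything" and
 * open only the x2APIC MSRs the enabled controls make safe. Returns false when
 * nothing can be opened, i.e. L2 should run without any MSR bitmap. */
bool merge_msr_bitmap(uint8_t *l0, const uint8_t *l1, const struct l1_vmx_ctrls *c)
{
    memset(l0, 0xff, MSR_BITMAP_SIZE);
    if (!c->use_msr_bitmap || !c->virt_x2apic_mode)
        return false;
    if (c->apic_reg_virt)  /* reads of the whole x2APIC page */
        for (uint32_t msr = X2APIC_MSR_FIRST; msr <= X2APIC_MSR_LAST; msr++)
            merge_one(l0, l1, msr, MSR_TYPE_R);
    merge_one(l0, l1, X2APIC_MSR_TPR, MSR_TYPE_R | MSR_TYPE_W);
    if (c->virt_intr_delivery) {
        merge_one(l0, l1, X2APIC_MSR_EOI, MSR_TYPE_W);
        merge_one(l0, l1, X2APIC_MSR_SELF_IPI, MSR_TYPE_W);
    }
    return true;
}

/* Accesses L2 could do without a VM exit in one configuration: -1 when the
 * merge says "run without a bitmap", otherwise a mask of the bits below. */
enum { PT_TPR_R = 1, PT_TPR_W = 2, PT_ID_R = 4, PT_EOI_W = 8, PT_SELF_IPI_W = 16 };
int l2_passthrough_mask(const struct l1_vmx_ctrls *c, bool l1_intercepts_tpr)
{
    uint8_t l1[MSR_BITMAP_SIZE], l0[MSR_BITMAP_SIZE];
    int mask = 0;
    memset(l1, 0x00, sizeof l1);  /* constructed: L1 passes every MSR through */
    msr_set_intercept(l1, X2APIC_MSR_TPR, MSR_TYPE_R, l1_intercepts_tpr);
    msr_set_intercept(l1, X2APIC_MSR_TPR, MSR_TYPE_W, l1_intercepts_tpr);
    if (!merge_msr_bitmap(l0, l1, c))
        return -1;
    if (!msr_intercepted(l0, X2APIC_MSR_TPR, MSR_TYPE_R))      mask |= PT_TPR_R;
    if (!msr_intercepted(l0, X2APIC_MSR_TPR, MSR_TYPE_W))      mask |= PT_TPR_W;
    if (!msr_intercepted(l0, X2APIC_MSR_ID, MSR_TYPE_R))       mask |= PT_ID_R;
    if (!msr_intercepted(l0, X2APIC_MSR_EOI, MSR_TYPE_W))      mask |= PT_EOI_W;
    if (!msr_intercepted(l0, X2APIC_MSR_SELF_IPI, MSR_TYPE_W)) mask |= PT_SELF_IPI_W;
    return mask;
}
```

The two properties the commit message asks for fall out of the structure: because `merge_msr_bitmap` is rebuilt from all-ones every time it is called, turning an APICv control off after it was on closes the corresponding MSRs again instead of leaving stale pass-through bits; and because `l0` is an output buffer owned by the caller rather than a shared page, a per-VCPU copy can be handed in, which is what removes the race between bitmap contents and VMX controls. With only "virtualize x2APIC mode" enabled, `l2_passthrough_mask` reports 3 (TPR read and write); with all four controls enabled it reports 31; if L1 itself intercepts TPR the TPR bits drop out (28); with "virtualize x2APIC mode" cleared it returns -1, the "intercept everything, use no bitmap" case.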