• Paul Mackerras's avatar
    KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE · 93d17397
    Paul Mackerras authored
    It turns out that if the guest does a H_CEDE while the CPU is in
    a transactional state, and the H_CEDE does a nap, and the nap
    loses the architected state of the CPU (which is is allowed to do),
    then we lose the checkpointed state of the virtual CPU.  In addition,
    the transactional-memory state recorded in the MSR gets reset back
    to non-transactional, and when we try to return to the guest, we take
    a TM bad thing type of program interrupt because we are trying to
    transition from non-transactional to transactional with a hrfid
    instruction, which is not permitted.
    
    The result of the program interrupt occurring at that point is that
    the host CPU will hang in an infinite loop with interrupts disabled.
    Thus this is a denial of service vulnerability in the host which can
    be triggered by any guest (and depending on the guest kernel, it can
    potentially triggered by unprivileged userspace in the guest).
    
    This vulnerability has been assigned the ID CVE-2016-5412.
    
    To fix this, we save the TM state before napping and restore it
    on exit from the nap, when handling a H_CEDE in real mode.  The
    case where H_CEDE exits to host virtual mode is already OK (as are
    other hcalls which exit to host virtual mode) because the exit
    path saves the TM state.
    
    Cc: stable@vger.kernel.org # v3.15+
    Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
    93d17397
book3s_hv_rmhandlers.S 67 KB