| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 5 May 2010 16:04:45 +0200 From: Joerg Roedel <joerg.roedel@....com> To: Avi Kivity <avi@...hat.com>, Marcelo Tosatti <mtosatti@...hat.com> CC: <kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>, Joerg Roedel <joerg.roedel@....com> Subject: [PATCH 5/5] KVM: SVM: Don't allow nested guest to VMMCALL into host This patch disables the possibility for a l2-guest to do a VMMCALL directly into the host. This would happen if the l1-hypervisor doesn't intercept VMMCALL and the l2-guest executes this instruction. Signed-off-by: Joerg Roedel <joerg.roedel@....com> --- arch/x86/kvm/svm.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index bc087c7..2e9b57a 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -2036,6 +2036,9 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm) svm->vmcb->control.intercept_cr_write &= ~INTERCEPT_CR8_MASK; } + /* We don't want to see VMMCALLs from a nested guest */ + svm->vmcb->control.intercept &= ~(1ULL << INTERCEPT_VMMCALL); + /* * We don't want a nested guest to be more powerful than the guest, so * all intercepts are ORed -- 1.7.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists