| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c090efb3-ef82-499f-a5e0-360fc8420fb7@tum.de> Date: Wed, 25 Jun 2025 15:53:19 +0200 From: Manuel Andreas <manuel.andreas@....de> To: kvm@...r.kernel.org, linux-kernel@...r.kernel.org Cc: Vitaly Kuznetsov <vkuznets@...hat.com>, Sean Christopherson <seanjc@...gle.com>, pbonzini@...hat.com Subject: [PATCH] x86/hyper-v: Filter non-canonical addresses passed via HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST(_EX) In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While the AMD variant (INVLPGA) will silently ignore the non-canonical address and perform a no-op, the Intel variant (INVVPID) will fail and end up in invvpid_error, where a WARN_ONCE is triggered: invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: <TASK> vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] ? __pfx_vmx_flush_tlb_gva+0x10/0x10 [kvm_intel] ? kfifo_copy_out+0xcf/0x120 kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] ? __pfx_kvm_hv_vcpu_flush_tlb+0x10/0x10 [kvm] ? kvm_pmu_is_valid_msr+0x6e/0x80 [kvm] ? kvm_get_msr_common+0x219/0x20f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] /* ... */ Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption. The following patch addresses the issue by skipping non-canonical GVAs before calling the architecture-specific invalidation primitive. I've validated it against a PoC and the issue seems to be fixed. Signed-off-by: Manuel Andreas <manuel.andreas@....de> Suggested-by: Vitaly Kuznetsov <vkuznets@...hat.com> --- arch/x86/kvm/hyperv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c index 24f0318c50d7..644a7aae6dab 100644 --- a/arch/x86/kvm/hyperv.c +++ b/arch/x86/kvm/hyperv.c @@ -1979,6 +1979,9 @@ int kvm_hv_vcpu_flush_tlb(struct kvm_vcpu *vcpu) if (entries[i] == KVM_HV_TLB_FLUSHALL_ENTRY) goto out_flush_all; + if (is_noncanonical_invlpg_address(entries[i], vcpu)) + continue; + /* * Lower 12 bits of 'address' encode the number of additional * pages to flush. -- 2.50.0
Powered by blists - more mailing lists