| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aQuqC6Nh4--OV0Je@google.com>
Date: Wed, 5 Nov 2025 11:48:27 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Yosry Ahmed <yosry.ahmed@...ux.dev>
Cc: Paolo Bonzini <pbonzini@...hat.com>, Jim Mattson <jmattson@...gle.com>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel
Subject: Re: [PATCH 3/3] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE
On Fri, Oct 24, 2025, Yosry Ahmed wrote:
> When emulating L2 instructions, svm_check_intercept() checks whether a
> write to CR0 should trigger a synthesized #VMEXIT with
> SVM_EXIT_CR0_SEL_WRITE. However, it does not check whether L1 enabled
> the intercept for SVM_EXIT_WRITE_CR0, which has higher priority
> according to the APM (24593—Rev. 3.42—March 2024, Table 15-7):
>
> When both selective and non-selective CR0-write
> intercepts are active at the same time, the non-selective
> intercept takes priority. With respect to exceptions, the
> priority of this inter
>
> Make sure L1 does NOT intercept SVM_EXIT_WRITE_CR0 before checking if
> SVM_EXIT_CR0_SEL_WRITE needs to be injected.
>
> Fixes: cfec82cb7d31 ("KVM: SVM: Add intercept check for emulated cr accesses")
> Cc: stable@...r.kernel
> Signed-off-by: Yosry Ahmed <yosry.ahmed@...ux.dev>
> ---
> arch/x86/kvm/svm/svm.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 9ea0ff136e299..4f79c4d837535 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -4533,12 +4533,22 @@ static int svm_check_intercept(struct kvm_vcpu *vcpu,
> if (info->intercept == x86_intercept_cr_write)
> icpt_info.exit_code += info->modrm_reg;
>
> + /*
> + * If the write is indeed to CR0, check whether the exit_code
> + * needs to be converted to SVM_EXIT_CR0_SEL_WRITE. Intercepting
> + * SVM_EXIT_WRITE_CR0 has higher priority than
> + * SVM_EXIT_CR0_SEL_WRITE, so this is only relevant if L1 sets
> + * INTERCEPT_SELECTIVE_CR0 but not INTERCEPT_CR0_WRITE.
> + */
> if (icpt_info.exit_code != SVM_EXIT_WRITE_CR0 ||
Oof, the existing is all kinds of confusing. Even with your comment, it took me
a few seconds to understand how/where the exit_code is being modified. Eww.
Any objection to opportunistically fixing this up to the (completely untested)
below when applying?
/*
* Adjust the exit code accordingly if a CR other than CR0 is
* being written, and skip straight to the common handling as
* only CR0 has an additional selective intercept.
*/
if (info->intercept == x86_intercept_cr_write && info->modrm_reg) {
icpt_info.exit_code += info->modrm_reg;
break;
}
/*
* Convert the exit_code to SVM_EXIT_CR0_SEL_WRITE if L1 set
* INTERCEPT_SELECTIVE_CR0 but not INTERCEPT_CR0_WRITE, as the
* unconditional intercept has higher priority.
*/
if (vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_CR0_WRITE) ||
!(vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_SELECTIVE_CR0)))
break;
> - info->intercept == x86_intercept_clts)
> + vmcb12_is_intercept(&svm->nested.ctl,
> + INTERCEPT_CR0_WRITE) ||
> + !(vmcb12_is_intercept(&svm->nested.ctl,
> + INTERCEPT_SELECTIVE_CR0)))
Let these poke out.
> break;
>
> - if (!(vmcb12_is_intercept(&svm->nested.ctl,
> - INTERCEPT_SELECTIVE_CR0)))
> + /* CLTS never triggers INTERCEPT_SELECTIVE_CR0 */
> + if (info->intercept == x86_intercept_clts)
> break;
>
> /* LMSW always triggers INTERCEPT_SELECTIVE_CR0 */
> --
> 2.51.1.821.gb6fe4d2222-goog
>
Powered by blists - more mailing lists