Google Git
Sign in
cos / third_party / kernel / 7c1c96ffb658fbfe66c5ebed6bcb5909837bc267
commit7c1c96ffb658fbfe66c5ebed6bcb5909837bc267[log] [tgz]
authorMaxim Levitsky <mlevitsk@redhat.com>Thu Jul 15 01:56:24 2021 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Aug 18 08:57:04 2021 +0200
treea1754859d4783dd92faf2da6c221bd941fcb6f5b
parent456fd889227fd52e70e6aa8d127cdf92a347fec8 [diff]
KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)

commit 0f923e07124df069ba68d8bb12324398f4b6b709 upstream.

* Invert the mask of bits that we pick from L2 in
  nested_vmcb02_prepare_control

* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr

This fixes a security issue that allowed a malicious L1 to run L2 with
AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
AVIC to read/write the host physical memory at some offsets.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2 files changed
tree: a1754859d4783dd92faf2da6c221bd941fcb6f5b
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. LICENSES/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .clang-format
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README