e3860871e09a81fc13a6b4babad5986a4b5b657f - third_party/kernel

commit	e3860871e09a81fc13a6b4babad5986a4b5b657f	[log] [tgz]
author	Joerg Roedel <jroedel@suse.de>	Mon Oct 16 14:42:50 2023 +0200
committer	He Gao <hegao@google.com>	Fri Nov 10 21:20:09 2023 +0000
tree	1cdfaa9581c310cff67cb7db52f2f5f6207a0389
parent	aeb8eaef4ab8de2ae772efb5fa98668cb22f4a2b [diff]

x86/sev: Check for user-space IOIO pointing to kernel space

Upstream commit: 63e44bc52047f182601e7817da969a105aa1f721

Check the memory operand of INS/OUTS before emulating the instruction.
The #VC exception can get raised from user-space, but the memory operand
can be manipulated to access kernel memory before the emulation actually
begins and after the exception handler has run.

  [ bp: Massage commit message. ]

Cherry-pick to release branch to fix CVE-2023-46813.

BUG=b/309761155
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2023-46813 in the Linux kernel.

Fixes: 597cfe48212a ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler")
Reported-by: Tom Dohrmann <erbse.13@gmx.de>
Change-Id: I157d3b16de1043eb705436f2bf68afbc43412e4d
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/60999
Reviewed-by: Anil Altinay <aaltinay@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>

2 files changed

tree: 1cdfaa9581c310cff67cb7db52f2f5f6207a0389