[Bug,195167] New: INVEPT might crash the host
diff mbox

Message ID bug-195167-28872@https.bugzilla.kernel.org/
State New
Headers show

Commit Message

bugzilla-daemon@bugzilla.kernel.org March 31, 2017, 2:30 a.m. UTC
https://bugzilla.kernel.org/show_bug.cgi?id=195167

            Bug ID: 195167
           Summary: INVEPT might crash the host
           Product: Virtualization
           Version: unspecified
    Kernel Version: 3.11 - 3.14
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: kvm
          Assignee: virtualization_kvm@kernel-bugs.osdl.org
          Reporter: minoura@valinux.co.jp
        Regression: No

Created attachment 255653
  --> https://bugzilla.kernel.org/attachment.cgi?id=255653&action=edit
build and insmod'ing the module on a guest linux crashes the host

KVM in linux 3.11 - 3.14 (including long term supported 3.12.72) has a
flaw in INVEPT emulation that could crash the host.

[ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at
0000000000000070
[ 1046.387386] IP: [<ffffffffa05b3ca3>] handle_invept+0x123/0x170 [kvm_intel]
[ 1046.389577] PGD 0 
[ 1046.390273] Oops: 0000 [#1] SMP 

(tested with Ubuntu 14.04 linux-image-3.13.0-113-generic)

The host KVM touches NULL pointer (vmx->nested.current_vmcs12) when a
(crafted or buggy) guest issues a single-context INVEPT instruction
*without* VMPTRLD like this:

        kvm_cpu_vmxon(phys_addr);
        ept_sync_context(0);

(requires nested EPT; full PoC module code attached)

This flaw was introduced in commit bfd0a56b90005f8c8a004baf407ad90045c2b11e
(nEPT: Nested INVEPT) and removed in 4b855078601fc422dbac3059f2215e776f49780f
(KVM: nVMX: Don't advertise single context invalidation for invept).
Therefore there should be two ways to fix this.

a. pullup bfd0a56b90005f (and 45e11817d5703e)
b. check current_vmcs12 before accessing for minimal fix:

Comments

bugzilla-daemon@bugzilla.kernel.org April 24, 2017, 8:45 p.m. UTC | #1
https://bugzilla.kernel.org/show_bug.cgi?id=195167

Tyler Hicks (tyhicks@canonical.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tyhicks@canonical.com

--- Comment #1 from Tyler Hicks (tyhicks@canonical.com) ---
I've requested a CVE for this issue via https://cveform.mitre.org/
bugzilla-daemon@bugzilla.kernel.org April 24, 2017, 10:12 p.m. UTC | #2
https://bugzilla.kernel.org/show_bug.cgi?id=195167

--- Comment #2 from Tyler Hicks (tyhicks@canonical.com) ---
MITRE has assigned CVE-2017-8106 to this issue.

Patch
diff mbox

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d9e567f..d785e9c 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6391,6 +6391,8 @@  static int handle_invept(struct kvm_vcpu *vcpu)

        switch (type) {
        case VMX_EPT_EXTENT_CONTEXT:
+               if (to_vmx(vcpu)->nested.current_vmptr == -1ull)
+                       break;
                if ((operand.eptp & eptp_mask) !=
                                (nested_ept_get_cr3(vcpu) & eptp_mask))
                        break;