From patchwork Sat Feb 3 12:45:20 2024
X-Patchwork-Submitter: Mathias Krause
X-Patchwork-Id: 13544233
From: Mathias Krause
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, Mathias Krause
Subject: [PATCH 1/3] KVM: x86: Fix KVM_GET_MSRS stack info leak
Date: Sat, 3 Feb 2024 13:45:20 +0100
Message-Id: <20240203124522.592778-2-minipli@grsecurity.net>
In-Reply-To: <20240203124522.592778-1-minipli@grsecurity.net>
References: <20240203124522.592778-1-minipli@grsecurity.net>

Commit 6abe9c1386e5 ("KVM: X86: Move ignore_msrs handling upper the stack") changed the 'ignore_msrs' handling, including sanitizing return values to the caller. This was fine until commit 12bc2132b15e ("KVM: X86: Do the same ignore_msrs check for feature msrs") which allowed non-existing feature MSRs to be ignored, i.e. to not generate an error on the ioctl() level. It even tried to preserve the sanitization of the return value. However, the logic is flawed, as '*data' will be overwritten again with the uninitialized stack value of msr.data.

Fix this by simplifying the logic and always initializing msr.data, vanishing the need for an additional error exit path.

Fixes: 12bc2132b15e ("KVM: X86: Do the same ignore_msrs check for feature msrs")
Signed-off-by: Mathias Krause
Reviewed-by: Xiaoyao Li
---
 arch/x86/kvm/x86.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 363b1c080205..13ec948f3241 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1704,22 +1704,17 @@ static int do_get_msr_feature(struct kvm_vcpu *vcpu, unsigned index, u64 *data) struct kvm_msr_entry msr; int r; + /* Unconditionally clear the output for simplicity */ + msr.data = 0; msr.index = index; r = kvm_get_msr_feature(&msr); - if (r == KVM_MSR_RET_INVALID) { - /* Unconditionally clear the output for simplicity */ - *data = 0; - if (kvm_msr_ignored_check(index, 0, false)) - r = 0; - } - - if (r) - return r; + if (r == KVM_MSR_RET_INVALID && kvm_msr_ignored_check(index, 0, false)) + r = 0; *data = msr.data; - return 0; + return r; } static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)

From patchwork Sat Feb 3 12:45:21 2024
X-Patchwork-Submitter: Mathias Krause
X-Patchwork-Id: 13544234
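Review bot: in do_get_msr_feature() (patch 1/3), the zeroed output on the ignored-MSR path is only guaranteed if kvm_get_msr_feature() leaves msr.data untouched when it returns KVM_MSR_RET_INVALID; now that the explicit `*data = 0` on that path is gone, a backend that writes a partial value into msr.data before failing would propagate it through `*data = msr.data`. The final assignment also now runs on every return, including genuine errors where the old code returned before touching `*data`; that is harmless only if callers discard the output on error. Either state both invariants in the comment above `msr.data = 0`, or make the write conditional, e.g. `if (!r) *data = msr.data;`, so the function never stores anything for a failed lookup.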
From: Mathias Krause
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, Mathias Krause
Subject: [PATCH 2/3] KVM: x86: Simplify kvm_vcpu_ioctl_x86_get_debugregs()
Date: Sat, 3 Feb 2024 13:45:21 +0100
Message-Id: <20240203124522.592778-3-minipli@grsecurity.net>
In-Reply-To: <20240203124522.592778-1-minipli@grsecurity.net>
References: <20240203124522.592778-1-minipli@grsecurity.net>

Take 'dr6' from the arch part directly as already done for 'dr7'. There's no need to take the clunky route via kvm_get_dr().

Signed-off-by: Mathias Krause
Reviewed-by: Xiaoyao Li
Signed-off-by: Sean Christopherson
Acked-by: Mathias Krause
---
 arch/x86/kvm/x86.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 13ec948f3241..0f958dcf8458 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5504,12 +5504,9 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu, static void kvm_vcpu_ioctl_x86_get_debugregs(struct kvm_vcpu *vcpu, struct kvm_debugregs *dbgregs) { - unsigned long val; - memset(dbgregs, 0, sizeof(*dbgregs)); memcpy(dbgregs->db, vcpu->arch.db, sizeof(vcpu->arch.db)); - kvm_get_dr(vcpu, 6, &val); - dbgregs->dr6 = val; + dbgregs->dr6 = vcpu->arch.dr6; dbgregs->dr7 = vcpu->arch.dr7; }

From patchwork Sat Feb 3 12:45:22 2024
X-Patchwork-Submitter: Mathias Krause
X-Patchwork-Id: 13544235
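Review bot: in kvm_vcpu_ioctl_x86_get_debugregs() (patch 2/3), replacing `kvm_get_dr(vcpu, 6, &val)` with a direct read of `vcpu->arch.dr6` is only behaviour-preserving if kvm_get_dr() does nothing for DR6 beyond returning vcpu->arch.dr6 (no vendor callback, no lazy sync from hardware); the commit message asserts the route is merely "clunky" but should say why the two reads are equivalent so the claim can be checked rather than assumed. The trailer block also reads oddly for a fresh posting: the author's Signed-off-by is followed by a Signed-off-by from Sean Christopherson and then an Acked-by from the author; if this is a resend of an already-applied change, say so in the commit message.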
From: Mathias Krause
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, Mathias Krause
Subject: [PATCH 3/3] KVM: x86: Fix broken debugregs ABI for 32 bit kernels
Date: Sat, 3 Feb 2024 13:45:22 +0100
Message-Id: <20240203124522.592778-4-minipli@grsecurity.net>
In-Reply-To: <20240203124522.592778-1-minipli@grsecurity.net>
References: <20240203124522.592778-1-minipli@grsecurity.net>

The ioctl()s to get and set KVM's debug registers are broken for 32 bit kernels as they'd only copy half of the user register state because of a UAPI and in-kernel type mismatch (__u64 vs. unsigned long; 8 vs. 4 bytes). This makes it impossible for userland to set anything but DR0 without resorting to bit folding tricks.

Switch to a loop for copying debug registers that'll implicitly do the type conversion for us, if needed.

There are likely no users (left) for 32bit KVM, fix the bug nonetheless.

Fixes: a1efbe77c1fd ("KVM: x86: Add support for saving&restoring debug registers")
Signed-off-by: Mathias Krause
---
 arch/x86/kvm/x86.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 0f958dcf8458..34ea934b499b 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -5504,8 +5504,14 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu, static void kvm_vcpu_ioctl_x86_get_debugregs(struct kvm_vcpu *vcpu, struct kvm_debugregs *dbgregs) { + unsigned int i; + memset(dbgregs, 0, sizeof(*dbgregs)); - memcpy(dbgregs->db, vcpu->arch.db, sizeof(vcpu->arch.db)); + + BUILD_BUG_ON(ARRAY_SIZE(vcpu->arch.db) != ARRAY_SIZE(dbgregs->db)); + for (i = 0; i < ARRAY_SIZE(vcpu->arch.db); i++) + dbgregs->db[i] = vcpu->arch.db[i]; + dbgregs->dr6 = vcpu->arch.dr6; dbgregs->dr7 = vcpu->arch.dr7; } @@ -5513,6 +5519,8 @@ static void kvm_vcpu_ioctl_x86_get_debugregs(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu, struct kvm_debugregs *dbgregs) { + unsigned int i; + if (dbgregs->flags) return -EINVAL; @@ -5521,7 +5529,9 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu, if (!kvm_dr7_valid(dbgregs->dr7)) return -EINVAL; - memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db)); + for (i = 0; i < ARRAY_SIZE(vcpu->arch.db); i++) + vcpu->arch.db[i] = dbgregs->db[i]; + kvm_update_dr0123(vcpu); vcpu->arch.dr6 = dbgregs->dr6; vcpu->arch.dr7 = dbgregs->dr7;
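Review bot: in kvm_vcpu_ioctl_x86_get_debugregs() (patch 3/3), the `BUILD_BUG_ON(ARRAY_SIZE(vcpu->arch.db) != ARRAY_SIZE(dbgregs->db))` is what makes both element-wise loops safe, but it sits only in the get path, so a reader of kvm_vcpu_ioctl_x86_set_debugregs() has no hint that the array sizes are checked anywhere. Either repeat the BUILD_BUG_ON next to the second loop or add a one-line comment there pointing at the check; it is compile-time only, so the duplicate costs nothing.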
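Review bot: in kvm_vcpu_ioctl_x86_set_debugregs() (patch 3/3), `vcpu->arch.db[i] = dbgregs->db[i]` assigns a __u64 to an unsigned long, so on a 32-bit kernel any bits above 31 in a user-supplied DR0-DR3 are silently dropped, whereas dr7 is validated with kvm_dr7_valid() before being stored. For a consistent ABI, reject values that do not fit the native register instead of truncating, e.g. `if (dbgregs->db[i] != (unsigned long)dbgregs->db[i]) return -EINVAL;` as the first statement of the loop body, before kvm_update_dr0123() runs. The old memcpy() scrambled the registers rather than truncating them, so this is new behaviour and deserves either the check or a sentence in the commit message.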
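The type mismatch this patch describes, modelled as an added example that is not part of the patch or of KVM: the UAPI struct carries `__u64 db[4]` while a 32-bit kernel's `vcpu->arch.db[]` is an array of 4-byte `unsigned long`, so a `memcpy()` sized by the kernel side moves half the bytes and packs two kernel registers into each user slot. The stand-in structs `uapi_debugregs` and `arch32_state`, the use of `uint32_t` to emulate the 32-bit `unsigned long` so the bug reproduces on a 64-bit host, the little-endian byte order, and the range check in `set_debugregs_fixed()` that rejects values wider than the native register (which the patch itself does not add) are all assumptions of this illustration.

```c
/* Added illustration, not kernel code: models the KVM_GET/SET_DEBUGREGS copy
 * on a 32-bit kernel. The UAPI struct has __u64 db[4]; the in-kernel array is
 * unsigned long, i.e. 4 bytes there. uint32_t stands in for that 32-bit
 * unsigned long so the mismatch reproduces on a 64-bit host. Byte-level
 * results assume a little-endian machine, as on x86. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KVM_NR_DB_REGS 4

/* Stand-in for the UAPI struct kvm_debugregs (only the fields that matter). */
struct uapi_debugregs {
	uint64_t db[KVM_NR_DB_REGS];
	uint64_t dr6;
	uint64_t dr7;
};

/* Stand-in for the in-kernel vcpu->arch debug state on a 32-bit kernel. */
struct arch32_state {
	uint32_t db[KVM_NR_DB_REGS];
	uint32_t dr6;
	uint32_t dr7;
};

/* Pre-patch get path: memcpy() sized by the kernel array moves 16 of the 32
 * user bytes, so two kernel registers land in each 64-bit slot and db[2..3]
 * stay zero from the memset(). */
static void get_debugregs_buggy(const struct arch32_state *a, struct uapi_debugregs *u)
{
	memset(u, 0, sizeof(*u));
	memcpy(u->db, a->db, sizeof(a->db));
	u->dr6 = a->dr6;
	u->dr7 = a->dr7;
}

/* Patched get path: element-wise copy converts each register on its own. */
static void get_debugregs_fixed(const struct arch32_state *a, struct uapi_debugregs *u)
{
	unsigned int i;
	memset(u, 0, sizeof(*u));
	for (i = 0; i < KVM_NR_DB_REGS; i++)
		u->db[i] = a->db[i];
	u->dr6 = a->dr6;
	u->dr7 = a->dr7;
}

/* Pre-patch set path: the first 16 user bytes (db[0] and db[1]) are spread
 * over all four kernel registers; db[2] and db[3] are ignored. Setting DR1
 * therefore needs the value folded into the upper half of db[0]. */
static void set_debugregs_buggy(struct arch32_state *a, const struct uapi_debugregs *u)
{
	memcpy(a->db, u->db, sizeof(a->db));
	a->dr6 = (uint32_t)u->dr6;
	a->dr7 = (uint32_t)u->dr7;
}

/* Patched set path plus a range check the patch does not add (assumption):
 * refuse values that do not fit the native register instead of truncating. */
static int set_debugregs_fixed(struct arch32_state *a, const struct uapi_debugregs *u)
{
	unsigned int i;
	for (i = 0; i < KVM_NR_DB_REGS; i++)
		if (u->db[i] > UINT32_MAX)
			return -1;	/* -EINVAL in kernel terms */
	for (i = 0; i < KVM_NR_DB_REGS; i++)
		a->db[i] = (uint32_t)u->db[i];
	a->dr6 = (uint32_t)u->dr6;
	a->dr7 = (uint32_t)u->dr7;
	return 0;
}

/* Constructed sample state: four distinct 32-bit register values. */
static const struct arch32_state sample_arch = {
	{ 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u }, 0xffff0ff0u, 0x400u
};

/* What user space sees in db[idx] after KVM_GET_DEBUGREGS. */
static uint64_t get_slot(int fixed, unsigned int idx)
{
	struct uapi_debugregs u;
	if (fixed)
		get_debugregs_fixed(&sample_arch, &u);
	else
		get_debugregs_buggy(&sample_arch, &u);
	return u.db[idx];
}

/* What the kernel holds in db[idx] after KVM_SET_DEBUGREGS of {1, 2, 3, 4}. */
static uint32_t set_reg(int fixed, unsigned int idx)
{
	const struct uapi_debugregs u = { { 1, 2, 3, 4 }, 0xffff0ff0ull, 0x400ull };
	struct arch32_state a = { { 0, 0, 0, 0 }, 0, 0 };
	if (fixed)
		set_debugregs_fixed(&a, &u);
	else
		set_debugregs_buggy(&a, &u);
	return a.db[idx];
}

/* Whether the fixed set path rejects a DR0 value needing more than 32 bits. */
static int rejects_wide_value(void)
{
	const struct uapi_debugregs u = { { 1ull << 32, 0, 0, 0 }, 0, 0 };
	struct arch32_state a = { { 0, 0, 0, 0 }, 0, 0 };
	return set_debugregs_fixed(&a, &u) == -1;
}

int main(void)
{
	unsigned int i;
	for (i = 0; i < KVM_NR_DB_REGS; i++)
		printf("db[%u]: get buggy=0x%016llx fixed=0x%016llx | set buggy=%u fixed=%u\n", i,
		       (unsigned long long)get_slot(0, i), (unsigned long long)get_slot(1, i),
		       set_reg(0, i), set_reg(1, i));
	return 0;
}
```

Running it shows the scrambling the commit message alludes to: the buggy get path reports DR0 and DR1 glued together in db[0] and nothing in db[2..3], and the buggy set path writes the user's db[0] into DR0 and DR1 and db[1] into DR2 and DR3, so only DR0 can be set without folding bits into the upper half of a slot. The element-wise loops map each register to its own slot.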