projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ca37ab9) | patch
KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
authorMaxim Levitsky <mlevitsk@redhat.com>
Mon, 16 Aug 2021 14:02:32 +0000 (16:02 +0200)
committerSasha Levin <sashal@kernel.org>
Thu, 26 Aug 2021 12:37:25 +0000 (08:37 -0400)
commit29c4f674715ba8fe7a391473313e8c71f98799c4
tree4a642f0a5c9f06ecd122a437e0db68f003a5c094tree | snapshot (tar.gz zip)
parentca37ab969cce230dce0d478d46c4dc7db8d3a267commit | diff
KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)

[ upstream commit 0f923e07124df069ba68d8bb12324398f4b6b709 ]

* Invert the mask of bits that we pick from L2 in
  nested_vmcb02_prepare_control

* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr

This fixes a security issue that allowed a malicious L1 to run L2 with
AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled
AVIC to read/write the host physical memory at some offsets.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
arch/x86/include/asm/svm.h diff | blob | blame | history
arch/x86/kvm/svm.c diff | blob | blame | history