Commit fee060cd authored by Sean Christopherson's avatar Sean Christopherson Committed by Paolo Bonzini
Browse files

KVM: x86: avoid calling x86 emulator without a decoded instruction 



Whenever x86_decode_emulated_instruction() detects a breakpoint, it
returns the value that kvm_vcpu_check_breakpoint() writes into its
pass-by-reference second argument.  Unfortunately this is completely
bogus because the expected outcome of x86_decode_emulated_instruction
is an EMULATION_* value.

Then, if kvm_vcpu_check_breakpoint() does "*r = 0" (corresponding to
a KVM_EXIT_DEBUG userspace exit), it is misunderstood as EMULATION_OK
and x86_emulate_instruction() is called without having decoded the
instruction.  This causes various havoc from running with a stale
emulation context.

The fix is to move the call to kvm_vcpu_check_breakpoint() where it was
before commit 4aa2691d ("KVM: x86: Factor out x86 instruction
emulation with decoding") introduced x86_decode_emulated_instruction().
The other caller of the function does not need breakpoint checks,
because it is invoked as part of a vmexit and the processor has already
checked those before executing the instruction that #GP'd.

This fixes CVE-2022-1852.

Reported-by: default avatarQiuhao Li <qiuhao@sysec.org>
Reported-by: default avatarGaoning Pan <pgn@zju.edu.cn>
Reported-by: default avatarYongkang Jia <kangel@zju.edu.cn>
Fixes: 4aa2691d ("KVM: x86: Factor out x86 instruction emulation with decoding")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
Message-Id: <20220311032801.3467418-2-seanjc@google.com>
[Rewrote commit message according to Qiuhao's report, since a patch
 already existed to fix the bug. - Paolo]
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent d22d2474

arch/x86/kvm/x86.c

+19 −12
Original line number Diff line number Diff line
@@ -8296,7 +8296,7 @@ int kvm_skip_emulated_instruction(struct kvm_vcpu *vcpu) 
}

EXPORT_SYMBOL_GPL(kvm_skip_emulated_instruction);



static bool kvm_vcpu_check_breakpoint(struct kvm_vcpu *vcpu, int *r)

static bool kvm_vcpu_check_code_breakpoint(struct kvm_vcpu *vcpu, int *r)

{

	if (unlikely(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP) &&

	    (vcpu->arch.guest_debug_dr7 & DR7_BP_EN_MASK)) {
@@ -8365,25 +8365,23 @@ static bool is_vmware_backdoor_opcode(struct x86_emulate_ctxt *ctxt) 
}



/*

 * Decode to be emulated instruction. Return EMULATION_OK if success.

 * Decode an instruction for emulation.  The caller is responsible for handling

 * code breakpoints.  Note, manually detecting code breakpoints is unnecessary

 * (and wrong) when emulating on an intercepted fault-like exception[*], as

 * code breakpoints have higher priority and thus have already been done by

 * hardware.

 *

 * [*] Except #MC, which is higher priority, but KVM should never emulate in

 *     response to a machine check.

 */

int x86_decode_emulated_instruction(struct kvm_vcpu *vcpu, int emulation_type,

				    void *insn, int insn_len)

{

	int r = EMULATION_OK;

	struct x86_emulate_ctxt *ctxt = vcpu->arch.emulate_ctxt;

	int r;



	init_emulate_ctxt(vcpu);



	/*

	 * We will reenter on the same instruction since we do not set

	 * complete_userspace_io. This does not handle watchpoints yet,

	 * those would be handled in the emulate_ops.

	 */

	if (!(emulation_type & EMULTYPE_SKIP) &&

	    kvm_vcpu_check_breakpoint(vcpu, &r))

		return r;



	r = x86_decode_insn(ctxt, insn, insn_len, emulation_type);



	trace_kvm_emulate_insn_start(vcpu);
@@ -8416,6 +8414,15 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, 
	if (!(emulation_type & EMULTYPE_NO_DECODE)) {

		kvm_clear_exception_queue(vcpu);



		/*

		 * Return immediately if RIP hits a code breakpoint, such #DBs

		 * are fault-like and are higher priority than any faults on

		 * the code fetch itself.

		 */

		if (!(emulation_type & EMULTYPE_SKIP) &&

		    kvm_vcpu_check_code_breakpoint(vcpu, &r))

			return r;



		r = x86_decode_emulated_instruction(vcpu, emulation_type,

						    insn, insn_len);

		if (r != EMULATION_OK)  {