• Liran Alon's avatar
    KVM: nVMX: Fix kernel info-leak when enabling KVM_CAP_HYPERV_ENLIGHTENED_VMCS more than once · 7f9ad1df
    Liran Alon authored
    Consider the case that userspace enables KVM_CAP_HYPERV_ENLIGHTENED_VMCS twice:
    1) kvm_vcpu_ioctl_enable_cap() is called to enable
    KVM_CAP_HYPERV_ENLIGHTENED_VMCS which calls nested_enable_evmcs().
    2) nested_enable_evmcs() sets enlightened_vmcs_enabled to true and fills
    vmcs_version which is then copied to userspace.
    3) kvm_vcpu_ioctl_enable_cap() is called again to enable
    KVM_CAP_HYPERV_ENLIGHTENED_VMCS which calls nested_enable_evmcs().
    4) This time nested_enable_evmcs() just returns 0 as
    enlightened_vmcs_enabled is already true. *Without filling
    vmcs_version*.
    5) kvm_vcpu_ioctl_enable_cap() continues as usual and copies
    *uninitialized* vmcs_version to userspace which leads to kernel info-leak.
    
    Fix this issue by simply changing nested_enable_evmcs() to always fill
    vmcs_version output argument. Even when enlightened_vmcs_enabled is
    already set to true.
    
    Note that SVM's nested_enable_evmcs() should not be modified because it
    always returns a non-zero value (-ENODEV) which results in
    kvm_vcpu_ioctl_enable_cap() skipping the copy of vmcs_version to
    userspace (as it should).
    
    Fixes: 57b119da ("KVM: nVMX: add KVM_CAP_HYPERV_ENLIGHTENED_VMCS capability")
    Reported-by: syzbot+cfbc368e283d381f8cef@syzkaller.appspotmail.com
    Reviewed-by: default avatarKrish Sadhukhan <krish.sadhukhan@oracle.com>
    Reviewed-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: default avatarLiran Alon <liran.alon@oracle.com>
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    7f9ad1df
vmx.c 434 KB