KVM: nVMX: additional checks on vmxon region

Currently, the vmxon region isn't used in the nested case.
However, according to the spec, the vmxon instruction performs
additional sanity checks on this region and the associated
pointer. Modify emulated vmxon to better adhere to the spec
requirements

Signed-off-by: Bandan Das <bsd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 333b88db22fe4e7053cf1546e7e9c7415bda6241..17b42fabc8422aeb4c998374ddaa88786d14a413 100644 (file)
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -732,6 +732,7 @@ int cpuid_maxphyaddr(struct kvm_vcpu *vcpu)
 not_found:
        return 36;
 }
+EXPORT_SYMBOL_GPL(cpuid_maxphyaddr);
 
 /*
  * If no match is found, check whether we exceed the vCPU's limit

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 917a15efc45bbe4a1174bd81f5a1bf28ed1a883b..0f7934767a2f66a7d338a30f7d87d31782f52769 100644 (file)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -354,6 +354,7 @@ struct vmcs02_list {
 struct nested_vmx {
        /* Has the level1 guest done vmxon? */
        bool vmxon;
+       gpa_t vmxon_ptr;
 
        /* The guest-physical address of the current VMCS L1 keeps for L2 */
        gpa_t current_vmptr;
@@ -5844,6 +5845,68 @@ static int get_vmx_mem_address(struct kvm_vcpu *vcpu,
        return 0;
 }
 
+/*
+ * This function performs the various checks including
+ * - if it's 4KB aligned
+ * - No bits beyond the physical address width are set
+ * - Returns 0 on success or else 1
+ */
+static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason)
+{
+       gva_t gva;
+       gpa_t vmptr;
+       struct x86_exception e;
+       struct page *page;
+       struct vcpu_vmx *vmx = to_vmx(vcpu);
+       int maxphyaddr = cpuid_maxphyaddr(vcpu);
+
+       if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
+                       vmcs_read32(VMX_INSTRUCTION_INFO), &gva))
+               return 1;
+
+       if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vmptr,
+                               sizeof(vmptr), &e)) {
+               kvm_inject_page_fault(vcpu, &e);
+               return 1;
+       }
+
+       switch (exit_reason) {
+       case EXIT_REASON_VMON:
+               /*
+                * SDM 3: 24.11.5
+                * The first 4 bytes of VMXON region contain the supported
+                * VMCS revision identifier
+                *
+                * Note - IA32_VMX_BASIC[48] will never be 1
+                * for the nested case;
+                * which replaces physical address width with 32
+                *
+                */
+               if (!IS_ALIGNED(vmptr, PAGE_SIZE) || (vmptr >> maxphyaddr)) {
+                       nested_vmx_failInvalid(vcpu);
+                       skip_emulated_instruction(vcpu);
+                       return 1;
+               }
+
+               page = nested_get_page(vcpu, vmptr);
+               if (page == NULL ||
+                   *(u32 *)kmap(page) != VMCS12_REVISION) {
+                       nested_vmx_failInvalid(vcpu);
+                       kunmap(page);
+                       skip_emulated_instruction(vcpu);
+                       return 1;
+               }
+               kunmap(page);
+               vmx->nested.vmxon_ptr = vmptr;
+               break;
+
+       default:
+               return 1; /* shouldn't happen */
+       }
+
+       return 0;
+}
+
 /*
  * Emulate the VMXON instruction.
  * Currently, we just remember that VMX is active, and do not save or even
@@ -5882,6 +5945,10 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
                kvm_inject_gp(vcpu, 0);
                return 1;
        }
+
+       if (nested_vmx_check_vmptr(vcpu, EXIT_REASON_VMON))
+               return 1;
+
        if (vmx->nested.vmxon) {
                nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
                skip_emulated_instruction(vcpu);