| author | Salvatore Bonaccorso <carnil@debian.org> | 2022-06-05 11:32:55 +0200 |
|---|---|---|
| committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-06-05 11:34:11 +0200 |
| commit | d66f807e151c514f70135ad287b5e2150c12bcee (patch) | |
| tree | e7d0db64dc131e1c7f5d22b93a6c5b9e9e118d2c /debian/patches | |
| parent | 706eaf54344824999cafdcd774db1b75349d11a4 (diff) | |
| download | linux-debian-d66f807e151c514f70135ad287b5e2150c12bcee.tar.gz | |
[x86] fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)
Closes: #1011168
Diffstat (limited to 'debian/patches')

| -rw-r--r-- | debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch | 115 |
|---|---|---|
| -rw-r--r-- | debian/patches/series | 1 |

2 files changed, 116 insertions, 0 deletions
diff --git a/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch b/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch new file mode 100644 index 000000000..156cf7434 --- /dev/null +++ b/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch 
@@ -0,0 +1,115 @@ +From: Sean Christopherson <seanjc@google.com> +Date: Wed, 4 May 2022 00:12:19 +0000 +Subject: x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct + kvm_xsave) +Origin: https://git.kernel.org/linus/d187ba5312307d51818beafaad87d28a7d939adf +Bug-Debian: https://bugs.debian.org/1011168 + +Set the starting uABI size of KVM's guest FPU to 'struct kvm_xsave', +i.e. to KVM's historical uABI size. When saving FPU state for usersapce, +KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if +the host doesn't support XSAVE. Setting the XSAVE header allows the VM +to be migrated to a host that does support XSAVE without the new host +having to handle FPU state that may or may not be compatible with XSAVE. + +Setting the uABI size to the host's default size results in out-of-bounds +writes (setting the FP+SSE bits) and data corruption (that is thankfully +caught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs. + +WARN if the default size is larger than KVM's historical uABI size; all +features that can push the FPU size beyond the historical size must be +opt-in. 
+ + ================================================================== + BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130 + Read of size 8 at addr ffff888011e33a00 by task qemu-build/681 + CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1 + Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010 + Call Trace: + <TASK> + dump_stack_lvl+0x34/0x45 + print_report.cold+0x45/0x575 + kasan_report+0x9b/0xd0 + fpu_copy_uabi_to_guest_fpstate+0x86/0x130 + kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm] + kvm_vcpu_ioctl+0x47f/0x7b0 [kvm] + __x64_sys_ioctl+0x5de/0xc90 + do_syscall_64+0x31/0x50 + entry_SYSCALL_64_after_hwframe+0x44/0xae + </TASK> + Allocated by task 0: + (stack is not available) + The buggy address belongs to the object at ffff888011e33800 + which belongs to the cache kmalloc-512 of size 512 + The buggy address is located 0 bytes to the right of + 512-byte region [ffff888011e33800, ffff888011e33a00) + The buggy address belongs to the physical page: + page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30 + head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0 + flags: 0x4000000000010200(slab|head|zone=1) + raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80 + raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + Memory state around the buggy address: + ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ================================================================== + Disabling lock debugging due to kernel taint + +Fixes: be50b2065dfa ("kvm: x86: Add support for 
getting/setting expanded xstate buffer") +Fixes: c60427dd50ba ("x86/fpu: Add uabi_size to guest_fpu") +Reported-by: Zdenek Kaspar <zkaspar82@gmail.com> +Cc: Maciej S. Szmigiero <mail@maciej.szmigiero.name> +Cc: Paolo Bonzini <pbonzini@redhat.com> +Cc: kvm@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson <seanjc@google.com> +Tested-by: Zdenek Kaspar <zkaspar82@gmail.com> +Message-Id: <20220504001219.983513-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + arch/x86/kernel/fpu/core.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c +index e28ab0ecc537..0fdc807ae13f 100644 +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -14,6 +14,8 @@ + #include <asm/traps.h> + #include <asm/irq_regs.h> + ++#include <uapi/asm/kvm.h> ++ + #include <linux/hardirq.h> + #include <linux/pkeys.h> + #include <linux/vmalloc.h> +@@ -232,7 +234,20 @@ bool fpu_alloc_guest_fpstate(struct fpu_guest *gfpu) + gfpu->fpstate = fpstate; + gfpu->xfeatures = fpu_user_cfg.default_features; + gfpu->perm = fpu_user_cfg.default_features; +- gfpu->uabi_size = fpu_user_cfg.default_size; ++ ++ /* ++ * KVM sets the FP+SSE bits in the XSAVE header when copying FPU state ++ * to userspace, even when XSAVE is unsupported, so that restoring FPU ++ * state on a different CPU that does support XSAVE can cleanly load ++ * the incoming state using its natural XSAVE. In other words, KVM's ++ * uABI size may be larger than this host's default size. Conversely, ++ * the default size should never be larger than KVM's base uABI size; ++ * all features that can expand the uABI size must be opt-in. ++ */ ++ gfpu->uabi_size = sizeof(struct kvm_xsave); ++ if (WARN_ON_ONCE(fpu_user_cfg.default_size > gfpu->uabi_size)) ++ gfpu->uabi_size = fpu_user_cfg.default_size; ++ + fpu_init_guest_permissions(gfpu); + + return true; +-- +2.36.1 + 
diff --git a/debian/patches/series b/debian/patches/series index c7c49f960..5b446fb2f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -71,6 +71,7 @@ bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch +bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch # Arch features features/x86/x86-memtest-WARN-if-bad-RAM-found.patch |
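Review bot: in the arch/x86/kernel/fpu/core.c hunk, the fallback branch `if (WARN_ON_ONCE(fpu_user_cfg.default_size > gfpu->uabi_size)) gfpu->uabi_size = fpu_user_cfg.default_size;` reinstates exactly the value the patch is replacing, so on the (expected-impossible) path where the host default size exceeds sizeof(struct kvm_xsave) the uABI buffer is sized by the larger host value again. That is the safe direction (the buffer can never be smaller than the state the host will write into it), and the new comment states the invariant clearly, but the fallback deserves one sentence in the patch header: the WARN exists to catch a future opt-out feature growing the default size, not a runtime condition on current hosts. Minor style point in the same hunk: the new `#include <uapi/asm/kvm.h>` sits alone between the `asm/` and `linux/` include groups with blank lines on both sides; grouping it with the other `asm/` headers would match the surrounding style, though as an imported upstream patch (see the Origin: line) it is reasonable to keep it byte-identical to d187ba5312307d51818beafaad87d28a7d939adf.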
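Review bot: in the debian/patches/series hunk the new entry lands at the end of the arch bugfix block, before the "# Arch features" marker, which matches the bugfix/x86/ path of the file; the patch header already carries both Origin: and Bug-Debian: (https://bugs.debian.org/1011168) and the upstream commit is Cc: stable@vger.kernel.org, so this entry should be dropped again once the corresponding stable release is merged, to avoid a duplicate-apply failure in quilt.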