authorSalvatore Bonaccorso <carnil@debian.org>2022-06-05 11:32:55 +0200
committerSalvatore Bonaccorso <carnil@debian.org>2022-06-05 11:34:11 +0200
commitd66f807e151c514f70135ad287b5e2150c12bcee (patch)
treee7d0db64dc131e1c7f5d22b93a6c5b9e9e118d2c /debian/patches
parent706eaf54344824999cafdcd774db1b75349d11a4 (diff)
[x86] fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)
Closes: #1011168
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch115
-rw-r--r--debian/patches/series1
2 files changed, 116 insertions, 0 deletions
diff --git a/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch b/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch
new file mode 100644
index 000000000..156cf7434
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch
@@ -0,0 +1,115 @@
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 4 May 2022 00:12:19 +0000
+Subject: x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct
+ kvm_xsave)
+Origin: https://git.kernel.org/linus/d187ba5312307d51818beafaad87d28a7d939adf
+Bug-Debian: https://bugs.debian.org/1011168
+
+Set the starting uABI size of KVM's guest FPU to 'struct kvm_xsave',
+i.e. to KVM's historical uABI size. When saving FPU state for usersapce,
+KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if
+the host doesn't support XSAVE. Setting the XSAVE header allows the VM
+to be migrated to a host that does support XSAVE without the new host
+having to handle FPU state that may or may not be compatible with XSAVE.
+
+Setting the uABI size to the host's default size results in out-of-bounds
+writes (setting the FP+SSE bits) and data corruption (that is thankfully
+caught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.
+
+WARN if the default size is larger than KVM's historical uABI size; all
+features that can push the FPU size beyond the historical size must be
+opt-in.
+
+ ==================================================================
+ BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130
+ Read of size 8 at addr ffff888011e33a00 by task qemu-build/681
+ CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1
+ Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x34/0x45
+ print_report.cold+0x45/0x575
+ kasan_report+0x9b/0xd0
+ fpu_copy_uabi_to_guest_fpstate+0x86/0x130
+ kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]
+ kvm_vcpu_ioctl+0x47f/0x7b0 [kvm]
+ __x64_sys_ioctl+0x5de/0xc90
+ do_syscall_64+0x31/0x50
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ </TASK>
+ Allocated by task 0:
+ (stack is not available)
+ The buggy address belongs to the object at ffff888011e33800
+ which belongs to the cache kmalloc-512 of size 512
+ The buggy address is located 0 bytes to the right of
+ 512-byte region [ffff888011e33800, ffff888011e33a00)
+ The buggy address belongs to the physical page:
+ page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30
+ head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0
+ flags: 0x4000000000010200(slab|head|zone=1)
+ raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80
+ raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+ Memory state around the buggy address:
+ ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ==================================================================
+ Disabling lock debugging due to kernel taint
+
+Fixes: be50b2065dfa ("kvm: x86: Add support for getting/setting expanded xstate buffer")
+Fixes: c60427dd50ba ("x86/fpu: Add uabi_size to guest_fpu")
+Reported-by: Zdenek Kaspar <zkaspar82@gmail.com>
+Cc: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: kvm@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Tested-by: Zdenek Kaspar <zkaspar82@gmail.com>
+Message-Id: <20220504001219.983513-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kernel/fpu/core.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
+index e28ab0ecc537..0fdc807ae13f 100644
+--- a/arch/x86/kernel/fpu/core.c
++++ b/arch/x86/kernel/fpu/core.c
+@@ -14,6 +14,8 @@
+ #include <asm/traps.h>
+ #include <asm/irq_regs.h>
+
++#include <uapi/asm/kvm.h>
++
+ #include <linux/hardirq.h>
+ #include <linux/pkeys.h>
+ #include <linux/vmalloc.h>
+@@ -232,7 +234,20 @@ bool fpu_alloc_guest_fpstate(struct fpu_guest *gfpu)
+ gfpu->fpstate = fpstate;
+ gfpu->xfeatures = fpu_user_cfg.default_features;
+ gfpu->perm = fpu_user_cfg.default_features;
+- gfpu->uabi_size = fpu_user_cfg.default_size;
++
++ /*
++ * KVM sets the FP+SSE bits in the XSAVE header when copying FPU state
++ * to userspace, even when XSAVE is unsupported, so that restoring FPU
++ * state on a different CPU that does support XSAVE can cleanly load
++ * the incoming state using its natural XSAVE. In other words, KVM's
++ * uABI size may be larger than this host's default size. Conversely,
++ * the default size should never be larger than KVM's base uABI size;
++ * all features that can expand the uABI size must be opt-in.
++ */
++ gfpu->uabi_size = sizeof(struct kvm_xsave);
++ if (WARN_ON_ONCE(fpu_user_cfg.default_size > gfpu->uabi_size))
++ gfpu->uabi_size = fpu_user_cfg.default_size;
++
+ fpu_init_guest_permissions(gfpu);
+
+ return true;
+--
+2.36.1
+
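Review bot: The fallback under WARN_ON_ONCE, `gfpu->uabi_size = fpu_user_cfg.default_size;`, restores exactly the assignment the patch removes, so on a host where the stated invariant is violated the guest silently keeps the pre-patch size after a single warning; the comment block above explains the invariant but not this recovery choice. A one-line comment on the fallback such as `/* Invariant violated: keep the historical assignment rather than, presumably, a too-small size. */` would tell a reader that the branch is deliberate and not a leftover. Since this file is a verbatim backport of the upstream commit named in the Origin line, such a comment belongs upstream rather than in the Debian patch; it is a documentation point only, not a reason to diverge from upstream. fpu_alloc_guest_fpstate's body starts outside the hunk.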
diff --git a/debian/patches/series b/debian/patches/series
index c7c49f960..5b446fb2f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -71,6 +71,7 @@ bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
+bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch
# Arch features
features/x86/x86-memtest-WARN-if-bad-RAM-found.patch