• Jim Mattson's avatar
    KVM: nVMX: Don't leak L1 MMIO regions to L2 · 671ddc70
    Jim Mattson authored
    If the "virtualize APIC accesses" VM-execution control is set in the
    VMCS, the APIC virtualization hardware is triggered when a page walk
    in VMX non-root mode terminates at a PTE wherein the address of the 4k
    page frame matches the APIC-access address specified in the VMCS. On
    hardware, the APIC-access address may be any valid 4k-aligned physical
    address.
    
    KVM's nVMX implementation enforces the additional constraint that the
    APIC-access address specified in the vmcs12 must be backed by
    a "struct page" in L1. If not, L0 will simply clear the "virtualize
    APIC accesses" VM-execution control in the vmcs02.
    
    The problem with this approach is that the L1 guest has arranged the
    vmcs12 EPT tables--or shadow page tables, if the "enable EPT"
    VM-execution control is clear in the vmcs12--so that the L2 guest
    physical address(es)--or L2 guest linear address(es)--that reference
    the L2 APIC map to the APIC-access address specified in the
    vmcs12. Without the "virtualize APIC accesses" VM-execution control in
    the vmcs02, the APIC accesses in the L2 guest will directly access the
    APIC-access page in L1.
    
    When there is no mapping whatsoever for the APIC-access address in L1,
    the L2 VM just loses the intended APIC virtualization. However, when
    the APIC-access address is mapped to an MMIO region in L1, the L2
    guest gets direct access to the L1 MMIO device. For example, if the
    APIC-access address specified in the vmcs12 is 0xfee00000, then L2
    gets direct access to L1's APIC.
    
    Since this vmcs12 configuration is something that KVM cannot
    faithfully emulate, the appropriate response is to exit to userspace
    with KVM_INTERNAL_ERROR_EMULATION.
    
    Fixes: fe3ef05c ("KVM: nVMX: Prepare vmcs02 from vmcs01 and vmcs12")
    Reported-by: default avatarDan Cross <dcross@google.com>
    Signed-off-by: default avatarJim Mattson <jmattson@google.com>
    Reviewed-by: default avatarPeter Shier <pshier@google.com>
    Reviewed-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    671ddc70
nested.c 186 KB