• Wanpeng Li's avatar
    KVM: x86: Fix load damaged SSEx MXCSR register · e9c9e758
    Wanpeng Li authored
    commit a575813b upstream.
    
    Reported by syzkaller:
    
       BUG: unable to handle kernel paging request at ffffffffc07f6a2e
       IP: report_bug+0x94/0x120
       PGD 348e12067
       P4D 348e12067
       PUD 348e14067
       PMD 3cbd84067
       PTE 80000003f7e87161
    
       Oops: 0003 [#1] SMP
       CPU: 2 PID: 7091 Comm: kvm_load_guest_ Tainted: G           OE   4.11.0+ #8
       task: ffff92fdfb525400 task.stack: ffffbda6c3d04000
       RIP: 0010:report_bug+0x94/0x120
       RSP: 0018:ffffbda6c3d07b20 EFLAGS: 00010202
        do_trap+0x156/0x170
        do_error_trap+0xa3/0x170
        ? kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
        ? mark_held_locks+0x79/0xa0
        ? retint_kernel+0x10/0x10
        ? trace_hardirqs_off_thunk+0x1a/0x1c
        do_invalid_op+0x20/0x30
        invalid_op+0x1e/0x30
       RIP: 0010:kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
        ? kvm_load_guest_fpu.part.175+0x1c/0x170 [kvm]
        kvm_arch_vcpu_ioctl_run+0xed6/0x1b70 [kvm]
        kvm_vcpu_ioctl+0x384/0x780 [kvm]
        ? kvm_vcpu_ioctl+0x384/0x780 [kvm]
        ? sched_clock+0x13/0x20
        ? __do_page_fault+0x2a0/0x550
        do_vfs_ioctl+0xa4/0x700
        ? up_read+0x1f/0x40
        ? __do_page_fault+0x2a0/0x550
        SyS_ioctl+0x79/0x90
        entry_SYSCALL_64_fastpath+0x23/0xc2
    
    SDM mentioned that "The MXCSR has several reserved bits, and attempting to write
    a 1 to any of these bits will cause a general-protection exception(#GP) to be
    generated". The syzkaller forks' testcase overrides xsave area w/ random values
    and steps on the reserved bits of MXCSR register. The damaged MXCSR register
    values of guest will be restored to SSEx MXCSR register before vmentry. This
    patch fixes it by catching userspace override MXCSR register reserved bits w/
    random values and bails out immediately.
    Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
    Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
    Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    e9c9e758
x86.c 213 KB