diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2022-05-20 13:48:11 -0400 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2022-05-20 13:49:52 -0400 |
| commit | 9f46c187e2e680ecd9de7983e4d081c3391acc76 (patch) | |
| tree | e3802ce121cb1e7ec221015f989715145074df4c /tools/testing/selftests/bpf/progs/test_autoload.c | |
| parent | ea8c66fe8d8f4f93df941e52120a3512d7bf5128 (diff) | |
KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
With shadow paging enabled, the INVPCID instruction results in a call
to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the
invlpg callback is not set and the result is a NULL pointer dereference.
Fix it trivially by checking for mmu->invlpg before every call.
There are other possibilities:
- check for CR0.PG, because KVM (like all Intel processors after P5)
flushes guest TLB on CR0.PG changes so that INVPCID/INVLPG are a
nop with paging disabled
- check for EFER.LMA, because KVM syncs and flushes when switching
MMU contexts outside of 64-bit mode
All of these are tricky, go for the simple solution. This is CVE-2022-1789.
Reported-by: Yongkang Jia <kangel@zju.edu.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'tools/testing/selftests/bpf/progs/test_autoload.c')
0 files changed, 0 insertions, 0 deletions