From: "Borislav Petkov (AMD)" bp@alien8.de
stable inclusion
from stable-v5.10.199
commit d78c5d8c23c3f0e24168ea98760016665bf92a79
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8BCTB
CVE: CVE-2023-46813
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
Upstream commit: a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba
A virt scenario can be constructed where MMIO memory can be user memory. When that happens, a race condition opens between when the hardware raises the #VC and when the #VC handler gets to emulate the instruction.
If the MOVS is replaced with a MOVS accessing kernel memory in that small race window, then a write to kernel memory happens, as the access checks are not done at emulation time.
Disable MMIO emulation in user mode temporarily until a sensible use case appears and justifies properly handling the race window.
Fixes: 0118b604c2c9 ("x86/sev-es: Handle MMIO String Instructions")
Reported-by: Tom Dohrmann <erbse.13@gmx.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Tom Dohrmann <erbse.13@gmx.de>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
---
 arch/x86/kernel/sev-es.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/arch/x86/kernel/sev-es.c b/arch/x86/kernel/sev-es.c index 59bebdf12aed..23126bbd85c4 100644 --- a/arch/x86/kernel/sev-es.c +++ b/arch/x86/kernel/sev-es.c @@ -970,6 +970,9 @@ static enum es_result vc_handle_mmio(struct ghcb *ghcb, enum es_result ret; long *reg_data;
+ if (user_mode(ctxt->regs)) + return ES_UNSUPPORTED; + switch (insn->opcode.bytes[0]) { /* MMIO Write */ case 0x88:
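Review bot: the new `if (user_mode(ctxt->regs)) return ES_UNSUPPORTED;` at the top of vc_handle_mmio() carries no comment, yet the commit message calls the restriction temporary and ties it to a specific race (hardware raising #VC versus the handler emulating the instruction, with no access checks at emulation time). A one-line comment above the check, for example `/* MMIO emulation from user mode is disabled until the #VC-vs-access race is handled */`, would stop a later cleanup from reading it as dead code and removing it. The placement itself is right: the bail-out sits before the `switch (insn->opcode.bytes[0])`, so every emulated MMIO opcode, including the string forms, is refused for user-mode faults rather than only the MOVS case named in the description.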