Commit 07708c4a authored Aug 03, 2009 by Jan Kiszka Committed by Avi Kivity Sep 10, 2009

KVM: x86: Disallow hypercalls for guest callers in rings > 0



So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
hypercalls. Normally, such callers cannot provide any hand-crafted MMU
command structure as it has to be passed by its physical address, but
they can still crash the guest kernel by passing random addresses.

To close the hole, this patch considers hypercalls valid only if issued
from guest ring 0. This may still be relaxed on a per-hypercall base in
the future once required.

Cc: stable@kernel.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Avi Kivity <avi@redhat.com>

parent b90c062c

arch/x86/kvm/x86.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -3213,6 +3213,11 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
		a3 &= 0xFFFFFFFF;
		}

		if (kvm_x86_ops->get_cpl(vcpu) != 0) {
		ret = -KVM_EPERM;
		goto out;
		}

		switch (nr) {
		case KVM_HC_VAPIC_POLL_IRQ:
		ret = 0;
		@@ -3224,6 +3229,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
		ret = -KVM_ENOSYS;
		break;
		}
		out:
		kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
		++vcpu->stat.hypercalls;
		return r;

include/linux/kvm_para.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -13,6 +13,7 @@
		#define KVM_ENOSYS 1000
		#define KVM_EFAULT EFAULT
		#define KVM_E2BIG E2BIG
		#define KVM_EPERM EPERM

		#define KVM_HC_VAPIC_POLL_IRQ 1
		#define KVM_HC_MMU_OP 2

Admin message