204177 – PT: Missing filtering on the MSRs

Bug 204177 - PT: Missing filtering on the MSRs

Summary: PT: Missing filtering on the MSRs

Status:	NEW

Alias:	None

Product:	Virtualization
Classification:	Unclassified
Component:	kvm (show other bugs)
Hardware:	Intel Linux

Importance:	P1 normal
Assignee:	virtualization_kvm

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-07-14 16:08 UTC by Maxime Villard
Modified:	2021-01-15 16:15 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:	5.*
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Maxime Villard 2019-07-14 16:08:46 UTC

In vmx.c::vmx_get_msr(), there is some missing filtering on the PT (RTIT) MSRs. For example RTIT_CR3_MATCH:

	case MSR_IA32_RTIT_CR3_MATCH:
		if ((pt_mode != PT_MODE_HOST_GUEST) ||
			(vmx->pt_desc.guest.ctl & RTIT_CTL_TRACEEN) ||
			!intel_pt_validate_cap(vmx->pt_desc.caps,
						PT_CAP_cr3_filtering))
			return 1;
		vmx->pt_desc.guest.cr3_match = data;
		break;

Here, 'cr3_match' is set to the value given by the guest. Later, in pt_load_msr(), there is a blunt WRMSR:

	wrmsrl(MSR_IA32_RTIT_CR3_MATCH, ctx->cr3_match);

The Intel SDM indicates that

	"IA32_RTIT_CR3_MATCH[4:0] are reserved and must be 0; an attempt to
	 set those bits using WRMSR causes a #GP."

Given that KVM does not ensure that the aforementioned bits are zero, it seems that the guest could #GP the host.

Note You need to log in before you can comment on or make changes to this bug.