[tip: x86/urgent] x86/kvm: Fix FASTOP_SIZE when return thunks are enabled

From: tip-bot2 for Thadeu Lima de Souza Cascardo
Date: Thu Jul 14 2022 - 07:08:43 EST


The following commit has been merged into the x86/urgent branch of tip:

Commit-ID: 3652dee22a2a321d6dabe1ea0aa4b2b3c87da8dc
Gitweb: https://git.kernel.org/tip/3652dee22a2a321d6dabe1ea0aa4b2b3c87da8dc
Author: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
AuthorDate: Wed, 13 Jul 2022 14:12:41 -03:00
Committer: Borislav Petkov <bp@xxxxxxx>
CommitterDate: Thu, 14 Jul 2022 09:59:10 +02:00

x86/kvm: Fix FASTOP_SIZE when return thunks are enabled

The return thunk call makes the fastop functions larger, just like IBT
does. Consider a 16-byte FASTOP_SIZE when CONFIG_RETHUNK is enabled.

Otherwise, functions will be incorrectly aligned and when computing
their position for differently sized operators, they will execute in the
middle or end of a function, which may as well be an int3, leading to a
crash like:

int3: 0000 [#1] SMP NOPTI
CPU: 3 PID: 1371 Comm: qemu-system-x86 Not tainted 5.15.0-41-generic #44
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm]
Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc
Call Trace:
<TASK>
? fastop
x86_emulate_insn
x86_emulate_instruction
? kvm_arch_vcpu_load
? vmx_prepare_switch_to_host
complete_emulated_mmio
kvm_arch_vcpu_ioctl_run
kvm_vcpu_ioctl
? kvm_vcpu_ioctl
? __fget_files
? __fget_files
__x64_sys_ioctl
do_syscall_64
? syscall_exit_to_user_mode
? do_syscall_64
? syscall_exit_to_user_mode
? __x64_sys_writev
? do_syscall_64
? exit_to_user_mode_prepare
? syscall_exit_to_user_mode
? do_syscall_64
? do_syscall_64
? do_syscall_64
? do_syscall_64
entry_SYSCALL_64_after_hwframe
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
Reported-by: Linux Kernel Functional Testing <lkft@xxxxxxxxxx>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
Signed-off-by: Borislav Petkov <bp@xxxxxxx>
Link: https://lore.kernel.org/r/CA%2BG9fYtntg7=zWSs-dm%2Bn_AUr_u0eBOU0zrwWqMeXZ%2BSF6_bLw@xxxxxxxxxxxxxx
---
arch/x86/kvm/emulate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index db96bf7..d779eea 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -190,7 +190,7 @@
#define X16(x...) X8(x), X8(x)

#define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
-#define FASTOP_SIZE (8 * (1 + HAS_KERNEL_IBT))
+#define FASTOP_SIZE (8 * (1 + (HAS_KERNEL_IBT | IS_ENABLED(CONFIG_RETHUNK))))

struct opcode {
u64 flags;
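Review bot: the new FASTOP_SIZE expression hard-codes "either feature doubles the slot to 16 bytes" but nothing in the hunk says why 16 is still enough when HAS_KERNEL_IBT and CONFIG_RETHUNK are both enabled, and the trace above shows that undersizing is not a build error but a runtime int3 once the 9-byte w/q variants (66 0f c1 d0 c3 cc cc cc cc in the Code: line) spill past the stride. Suggest a comment next to the define stating the byte budget per variant (prefix + opcode + modrm + return sequence, plus the IBT landing pad), or better a compile-time check that the longest variant fits in FASTOP_SIZE, so the next change to the return sequence cannot silently reintroduce the misaligned dispatch. Minor style point: `|` works here only because both operands are 0/1 macros; `||` would state the intent (either feature enables the larger slot) more plainly.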
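The failure described in the commit message can be reproduced arithmetically from the bytes in the crash's Code: line. The following C program is an added illustration, not kernel code and not from the patch author; it models the fastop variant table as a byte image, lays the four operand-size variants (b, w, l, q) out with a given alignment, and dispatches into it with a given FASTOP_SIZE. It assumes the dispatch rule of emulate.c's fastop(), an offset of __ffs(dst.bytes) * FASTOP_SIZE from the byte variant, and a ".align FASTOP_SIZE" between variants; neither of those details appears on this page. The variant bodies are copied from the Code: line, with 0x90 as padding where the real assembler emits multi-byte nops.

```c
/* Added example (not kernel code): a constructed model of the KVM fastop
 * table layout and dispatch, built from the bytes in the crash "Code:" line. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVARIANTS 4      /* b, w, l, q, in the order the FASTOP2 macro emits them */
#define INT3      0xcc
#define IMAGE_MAX 128

/* Variant bodies from the "Code:" line: opcode bytes followed by the 5-byte
 * "c3 cc cc cc cc" that the return-thunk site is rewritten to at boot. */
static const uint8_t body_b[] = {0x0f, 0xc0, 0xd0, 0xc3, INT3, INT3, INT3, INT3};
static const uint8_t body_w[] = {0x66, 0x0f, 0xc1, 0xd0, 0xc3, INT3, INT3, INT3, INT3};
static const uint8_t body_l[] = {0x0f, 0xc1, 0xd0, 0xc3, INT3, INT3, INT3, INT3};
static const uint8_t body_q[] = {0x48, 0x0f, 0xc1, 0xd0, 0xc3, INT3, INT3, INT3, INT3};

static const uint8_t *bodies[NVARIANTS] = {body_b, body_w, body_l, body_q};
static const size_t body_len[NVARIANTS] = {
    sizeof body_b, sizeof body_w, sizeof body_l, sizeof body_q};

struct image {
    uint8_t bytes[IMAGE_MAX];
    size_t entry[NVARIANTS];   /* where each variant actually starts */
};

/* Lay the variants out the way ".align FASTOP_SIZE" does: each body starts
 * at the next multiple of `align`. Padding is 0x90 in this model (assumed);
 * the real assembler emits multi-byte nops such as "0f 1f 80 00 00 00 00". */
static void build_image(struct image *img, size_t align)
{
    size_t off = 0;
    memset(img->bytes, 0x90, sizeof img->bytes);
    for (int i = 0; i < NVARIANTS; i++) {
        off = (off + align - 1) & ~(align - 1);
        img->entry[i] = off;
        memcpy(&img->bytes[off], bodies[i], body_len[i]);
        off += body_len[i];
    }
}

/* Assumed dispatch rule: fop += __ffs(dst.bytes) * FASTOP_SIZE. */
static size_t dispatch_offset(size_t dst_bytes, size_t fastop_size)
{
    size_t idx = 0;
    while (!((dst_bytes >> idx) & 1))
        idx++;                          /* __ffs: 1,2,4,8 -> 0,1,2,3 */
    return idx * fastop_size;
}

/* First byte the CPU would execute for this operand size. */
static uint8_t first_byte_executed(size_t align, size_t fastop_size, size_t dst_bytes)
{
    struct image img;
    build_image(&img, align);
    return img.bytes[dispatch_offset(dst_bytes, fastop_size)];
}

/* Which variant's entry point the dispatch lands on exactly, or -1 if it
 * lands somewhere inside a function (including its int3 padding). */
static int entry_reached(size_t align, size_t fastop_size, size_t dst_bytes)
{
    struct image img;
    build_image(&img, align);
    size_t target = dispatch_offset(dst_bytes, fastop_size);
    for (int v = 0; v < NVARIANTS; v++)
        if (img.entry[v] == target)
            return v;
    return -1;
}

/* If the dispatch lands on an int3, report it the way the trap handler does:
 * RIP is one past the 0xcc, expressed as "variant+offset". Returns the
 * variant index (0=b .. 3=q) and writes the offset, or -1 if no int3 is hit. */
static int int3_report(size_t align, size_t fastop_size, size_t dst_bytes, size_t *rip_off)
{
    struct image img;
    build_image(&img, align);
    size_t target = dispatch_offset(dst_bytes, fastop_size);
    if (img.bytes[target] != INT3)
        return -1;
    int v = NVARIANTS - 1;
    while (v > 0 && img.entry[v] > target)
        v--;
    *rip_off = target + 1 - img.entry[v];
    return v;
}

int main(void)
{
    size_t rip = 0;
    /* Before the fix: FASTOP_SIZE = 8 while the w and q bodies are 9 bytes. */
    int v = int3_report(8, 8, 4, &rip);
    printf("FASTOP_SIZE=8:  4-byte xadd traps at variant %d +0x%zx\n", v, rip);
    printf("FASTOP_SIZE=8:  8-byte xadd silently runs variant %d\n", entry_reached(8, 8, 8));
    /* After the fix: FASTOP_SIZE = 16 keeps alignment and stride in step. */
    printf("FASTOP_SIZE=16: 4-byte xadd starts at 0x%02x, variant %d\n",
           first_byte_executed(16, 16, 4), entry_reached(16, 16, 4));
    return 0;
}
```

With the pre-fix values the 4-byte dispatch lands on the last int3 of the 9-byte xaddw body, and the model reports it as variant 1 at +0x9, the same "xaddw_ax_dx+0x9" the trace shows; the 8-byte dispatch does not trap at all but lands on the xaddl entry, so a guest xaddq would be emulated as a 32-bit operation. With FASTOP_SIZE = 16 every size resolves to its own entry point.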