On Thu, Sep 28, 2023, Maxim Levitsky wrote:Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@xxxxxxx>
The following problem exists since x2avic was enabled in the KVM:
svm_set_x2apic_msr_interception is called to enable the interception of
Nit, svm_set_x2apic_msr_interception().
Definitely not worth another version though.
the x2apic msrs.
In particular it is called at the moment the guest resets its apic.
Assuming that the guest's apic was in x2apic mode, the reset will bring
it back to the xapic mode.
The svm_set_x2apic_msr_interception however has an erroneous check for
'!apic_x2apic_mode()' which prevents it from doing anything in this case.
As a result of this, all x2apic msrs are left unintercepted, and that
exposes the bare metal x2apic (if enabled) to the guest.
Oops.
Remove the erroneous '!apic_x2apic_mode()' check to fix that.
This fixes CVE-2023-5090
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
---
Reviewed-by: Sean Christopherson <seanjc@xxxxxxxxxx>