From patchwork Tue Jun 5 20:04:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: kvm: x86: Check CPL in segmented_write_std From: Bandan Das X-Patchwork-Id: 10449159 Message-Id: To: kvm@vger.kernel.org Cc: Paolo Bonzini , Radim =?utf-8?B?S3LEjW3DocWZ?= , Andy Lutomirski Date: Tue, 05 Jun 2018 16:04:16 -0400 Certain instructions such as sgdt/sidt call segmented_write_std that doesn't propagate access correctly. As such, during userspace induced exception, the guest can incorrectly assume that the exception happened in the kernel and panic. The emulated write function segmented_write does seem to check access correctly. Reported-by: Andy Lutomirski Signed-off-by: Bandan Das --- arch/x86/kvm/x86.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 71e7cda6d014..871265f6a35f 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -4824,10 +4824,11 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); void *data = val; int r = X86EMUL_CONTINUE; + u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; while (bytes) { gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr, - PFERR_WRITE_MASK, + access | PFERR_WRITE_MASK, exception); unsigned offset = addr & (PAGE_SIZE-1); unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
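Review bot: The CPL-derived `access` is applied inside kvm_write_guest_virt_system itself, so it changes the fault semantics for every caller of that function, not only the sgdt/sidt path the commit message describes; the `_system` suffix in the name suggests this helper exists precisely for writes the CPU performs with supervisor privilege on the guest's behalf, and those callers would now start taking user-mode page faults whenever the guest is at CPL 3. Consider computing the access mask at the emulator call site that handles sgdt/sidt (the place where the missing check is actually observed), or adding a flag to this function so callers that rely on supervisor-level access keep the existing `PFERR_WRITE_MASK`-only behaviour, rather than making `kvm_x86_ops->get_cpl(vcpu) == 3` unconditional here. Either way, please document in the commit message which callers are affected and why a guest-induced #PF with `PFERR_USER_MASK` set is the intended result for each of them, since the stated bug is a guest panicking on an exception it believed came from kernel mode.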