Wind River Support Network

Acknowledged

LIN1022-19148 : Security Advisory - linux - CVE-2025-40026

Created: Oct 29, 2025    Updated: Oct 30, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted despite already having emulated the I/O access.

Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended "recipient") can reach the code in question. gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.

The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM not completing emulation of the I/O instruction.

  WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
  PKRU: 55555554
  Call Trace:
   <TASK>
   kvm_fast_pio+0xd6/0x1d0 [kvm]
   vmx_handle_exit+0x149/0x610 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
   kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
   __x64_sys_ioctl+0x8a/0xd0
   do_syscall_64+0x5d/0xc60
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
   </TASK>
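
A log triage helper for the symptom described above, added here as an example and not part of the advisory or the kernel patch: it scans kernel log text for a WARN in emulator_pio_in_out [kvm] and records whether the call trace passes through kvm_fast_pio. It matches on symbol names because the source line and offsets in the trace above belong to that particular build; the function name find_pio_warns and the sample log are constructed for illustration.

```python
import re

# Constructed sample: dmesg-style lines modelled on the trace in this advisory,
# followed by an unrelated, made-up WARN that must not be reported.
SAMPLE_LOG = """\
[  812.400] WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
[  812.401] Modules linked in: kvm_intel kvm irqbypass
[  812.402] CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
[  812.403] Call Trace:
[  812.404]  <TASK>
[  812.405]  kvm_fast_pio+0xd6/0x1d0 [kvm]
[  812.406]  vmx_handle_exit+0x149/0x610 [kvm_intel]
[  812.407]  </TASK>
[  900.000] WARNING: CPU: 2 PID: 77 at fs/example.c:10 other_func+0x10/0x20
[  900.001] Call Trace:
[  900.002]  <TASK>
[  900.003]  do_syscall_64+0x5d/0xc60
[  900.004]  </TASK>
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # optional dmesg timestamp prefix
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at \S+ "
                     r"(?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
COMM_RE = re.compile(r"Comm: (\S+)")
FRAME_RE = re.compile(r"^\s*\??\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_pio_warns(log_text):
    """Return one dict per WARN splat raised in emulator_pio_in_out [kvm]."""
    hits, cur, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw)
        warn = WARN_RE.search(line)
        if warn:
            # A new splat starts: track it only if it is the one from this advisory.
            cur, in_trace = None, False
            if warn["func"] == "emulator_pio_in_out" and warn["mod"] == "kvm":
                cur = {"pid": int(warn["pid"]), "comm": None, "frames": []}
                hits.append(cur)
        elif cur is not None:
            if (comm := COMM_RE.search(line)):
                cur["comm"] = comm[1]
            elif "<TASK>" in line:
                in_trace = True
            elif "</TASK>" in line:
                cur, in_trace = None, False
            elif in_trace and (frame := FRAME_RE.match(line)):
                cur["frames"].append(frame[1])
    for hit in hits:
        hit["via_fast_pio"] = "kvm_fast_pio" in hit["frames"]
    return hits
```

A hit identifies the process (PID and Comm) that was running the vCPU when the WARN fired; it is an indicator to correlate with the installed kernel version, not proof of this specific defect.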