diff options
| author |  Joerg Roedel <jroedel@suse.de>
| 2023-06-21 17:42:42 +0200 |
|---|---|---|
| committer |  Borislav Petkov (AMD) <bp@alien8.de>
| 2023-10-09 15:47:57 +0200 |
| commit | b9cb9c45583b911e0db71d09caa6b56469eb2bdf (patch) | |
| tree | b8046c802a8613737f7603624dbfb6d7dbe48db4 /arch/x86/kernel/sev.c | |
| parent | x86/sev: Disable MMIO emulation from user mode (diff) | |
| download | linux-b9cb9c45583b911e0db71d09caa6b56469eb2bdf.tar.gz linux-b9cb9c45583b911e0db71d09caa6b56469eb2bdf.tar.bz2 linux-b9cb9c45583b911e0db71d09caa6b56469eb2bdf.zip | |
x86/sev: Check IOBM for IOIO exceptions from user-space
Check the IO permission bitmap (if present) before emulating IOIO #VC
exceptions for user-space. These permissions are checked by hardware
already before the #VC is raised, but due to the VC-handler decoding
race it needs to be checked again in software.
Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
Reported-by: Tom Dohrmann <erbse.13@gmx.de>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Tom Dohrmann <erbse.13@gmx.de>
Cc: <stable@kernel.org>
Diffstat (limited to 'arch/x86/kernel/sev.c')
| -rw-r--r-- | arch/x86/kernel/sev.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c index 4ee14e647ae6..0f218932e844 100644 --- a/arch/x86/kernel/sev.c +++ b/arch/x86/kernel/sev.c @@ -524,6 +524,33 @@ static enum es_result vc_slow_virt_to_phys(struct ghcb *ghcb, struct es_em_ctxt return ES_OK; } +static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size) +{ + BUG_ON(size > 4); + + if (user_mode(ctxt->regs)) { + struct thread_struct *t = ¤t->thread; + struct io_bitmap *iobm = t->io_bitmap; + size_t idx; + + if (!iobm) + goto fault; + + for (idx = port; idx < port + size; ++idx) { + if (test_bit(idx, iobm->bitmap)) + goto fault; + } + } + + return ES_OK; + +fault: + ctxt->fi.vector = X86_TRAP_GP; + ctxt->fi.error_code = 0; + + return ES_EXCEPTION; +} + /* Include code shared with pre-decompression boot stage */ #include "sev-shared.c" |