Skip to content

[LTS 8.6] x86/sev: Harden #VC instruction emulation somewhat #505

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 19, 2025
Merged

[LTS 8.6] x86/sev: Harden #VC instruction emulation somewhat #505

merged 2 commits into from
Aug 19, 2025

Conversation

PlaidCat
Copy link
Collaborator

@PlaidCat PlaidCat commented Aug 15, 2025
edited
Loading

jira LE-3834
cve CVE-2024-25742

commit a526e407c66fabfbfc91db4f51fc96fba8aee48e (HEAD -> {sultan}_VULN-751_ciqlts8_6, origin/{sultan}_VULN-751_ciqlts8_6)
Author: Jonathan Maple <[email protected]>
Date:   Fri Aug 15 17:15:34 2025 -0400

    x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler

    jira VULN-751
    cve-bf CVE-2024-25742
    commit-author Tom Lendacky <[email protected]>
    commit e70316d17f6ab49a6038ffd115397fd68f8c7be8

    The MWAITX and MONITORX instructions generate the same #VC error code as
    the MWAIT and MONITOR instructions, respectively. Update the #VC handler
    opcode checking to also support the MWAITX and MONITORX opcodes.

    Fixes: e3ef461af35a ("x86/sev: Harden #VC instruction emulation somewhat")
            Signed-off-by: Tom Lendacky <[email protected]>
            Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Link: https://lore.kernel.org/r/453d5a7cfb4b9fe818b6fb67f93ae25468bc9e23.1713793161.git.thomas.lendacky@amd.com
    (cherry picked from commit e70316d17f6ab49a6038ffd115397fd68f8c7be8)
            Signed-off-by: Jonathan Maple <[email protected]>


commit 424478a6fe24260703638de60098ddf245297b22
Author: Sultan Alsawaf <[email protected]>
Date:   Tue Aug 5 19:45:15 2025 -0700

    x86/sev: Harden #VC instruction emulation somewhat

    jira VULN-751
    cve CVE-2024-25742
    commit-author Borislav Petkov (AMD) <[email protected]>
    commit e3ef461af35a8c74f2f4ce6616491ddb355a208f
    upstream-diff Conflicts are just a matter of placing the code correctly in
                  this older version of the driver, no compatibility issues.

    Compare the opcode bytes at rIP for each #VC exit reason to verify the
    instruction which raised the #VC exception is actually the right one.

            Signed-off-by: Borislav Petkov (AMD) <[email protected]>
            Acked-by: Tom Lendacky <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    (cherry picked from commit e3ef461af35a8c74f2f4ce6616491ddb355a208f)
            Signed-off-by: Sultan Alsawaf <[email protected]>

    # Conflicts:
    #       arch/x86/kernel/sev-shared.c

BUILD LOG

]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   include/config usr/include include/generated arch/x86/include/generated
  CLEAN   .config .config.old .version Module.symvers
[TIMER]{MRPROPER}: 7s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-sultan_VULN-751_ciqlts8_6-a526e407c66f"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1751s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-sultan_VULN-751_ciqlts8_6-a526e407c66f+
[TIMER]{MODULES}: 11s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-sultan_VULN-751_ciqlts8_6-a526e407c66f+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 18s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0-sultan_VULN-751_ciqlts8_6-a526e407c66f+ and Index to 1
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 7s
[TIMER]{BUILD}: 1751s
[TIMER]{MODULES}: 11s
[TIMER]{INSTALL}: 18s
[TIMER]{TOTAL} 1791s
Rebooting in 10 seconds

Kself Test

[jmaple@devbox code]$ ls -rt kselftest.* | tail -n2 | while read line; do echo $line; grep '^ok ' $line | wc -l ; done
kselftest.4.18.0-372.32.1.el8_6.86ciq_lts.12.1.x86_64.log
194
kselftest.4.18.0-sultan_VULN-751_ciqlts8_6-424478a6fe24+.log
194
kselftest.4.18.0-sultan_VULN-751_ciqlts8_6-a526e407c66f+.log
194

@kerneltoast @PlaidCat
x86/sev: Harden #VC instruction emulation somewhat
424478a 
jira VULN-751
cve CVE-2024-25742
commit-author Borislav Petkov (AMD) <[email protected]>
commit e3ef461
upstream-diff Conflicts are just a matter of placing the code correctly in
              this older version of the driver, no compatibility issues.

Compare the opcode bytes at rIP for each #VC exit reason to verify the
instruction which raised the #VC exception is actually the right one.

	Signed-off-by: Borislav Petkov (AMD) <[email protected]>
	Acked-by: Tom Lendacky <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
(cherry picked from commit e3ef461)
	Signed-off-by: Sultan Alsawaf <[email protected]>

# Conflicts:
#	arch/x86/kernel/sev-shared.c
@PlaidCat PlaidCat self-assigned this Aug 15, 2025
@github-actions GitHub Actions
Copy link

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 424478a6fe24 (x86/sev: Harden #VC instruction emulation somewhat) references upstream commit
    e3ef461af35a which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    e70316d17f6a x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler (Tom Lendacky)

This is an automated message from the kernel commit checker workflow.

@PlaidCat
x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler
a526e40 
jira VULN-751
cve-bf CVE-2024-25742
commit-author Tom Lendacky <[email protected]>
commit e70316d

The MWAITX and MONITORX instructions generate the same #VC error code as
the MWAIT and MONITOR instructions, respectively. Update the #VC handler
opcode checking to also support the MWAITX and MONITORX opcodes.

Fixes: e3ef461 ("x86/sev: Harden #VC instruction emulation somewhat")
	Signed-off-by: Tom Lendacky <[email protected]>
	Signed-off-by: Borislav Petkov (AMD) <[email protected]>
Link: https://lore.kernel.org/r/453d5a7cfb4b9fe818b6fb67f93ae25468bc9e23.1713793161.git.thomas.lendacky@amd.com
(cherry picked from commit e70316d)
	Signed-off-by: Jonathan Maple <[email protected]>
@PlaidCat
Copy link
Collaborator Author

🔍 Upstream Linux Kernel Commit Check

* ⚠️ PR commit `424478a6fe24 (x86/sev: Harden #VC instruction emulation somewhat)` references upstream commit
  `e3ef461af35a` which has been referenced by a `Fixes:` tag in the upstream
  Linux kernel:

    e70316d17f6a x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler (Tom Lendacky)

This is an automated message from the kernel commit checker workflow.

This is a clean pick and not associated to another CVE from searching here https://git.kernel.org/pub/scm/linux/security/vulns.git/

Rebuilding and running tests again.

@github-actions GitHub Actions
Copy link

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 424478a6fe24 (x86/sev: Harden #VC instruction emulation somewhat) references upstream commit
    e3ef461af35a which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    e70316d17f6a x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler (Tom Lendacky)

This is an automated message from the kernel commit checker workflow.

@bmastbergen
Copy link
Collaborator

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 424478a6fe24 (x86/sev: Harden #VC instruction emulation somewhat) references upstream commit
    e3ef461af35a which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    e70316d17f6a x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler (Tom Lendacky)

This is an automated message from the kernel commit checker workflow.

We'll have to make this smarter so that it doesn't report the upstream fix if we already have it.

bmastbergen
bmastbergen approved these changes Aug 18, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

thefossguy-ciq
thefossguy-ciq approved these changes Aug 18, 2025
View reviewed changes
Copy link

@thefossguy-ciq thefossguy-ciq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚤

@PlaidCat PlaidCat merged commit 6345037 into ciqlts8_6 Aug 19, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bmastbergen bmastbergen bmastbergen approved these changes

@thefossguy-ciq thefossguy-ciq thefossguy-ciq approved these changes

@kerneltoast kerneltoast Awaiting requested review from kerneltoast

@shreeya-patel98 shreeya-patel98 Awaiting requested review from shreeya-patel98

Assignees

@PlaidCat PlaidCat

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@PlaidCat @bmastbergen @thefossguy-ciq @kerneltoast