mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-29 22:14:41 +08:00
5c49d1850d
When updating the host's mask for its MSR_IA32_TSX_CTRL user return entry,
clear the mask in the found uret MSR instead of vmx->guest_uret_msrs[i].
Modifying guest_uret_msrs directly is completely broken as 'i' does not
point at the MSR_IA32_TSX_CTRL entry. In fact, it's guaranteed to be an
out-of-bounds accesses as is always set to kvm_nr_uret_msrs in a prior
loop. By sheer dumb luck, the fallout is limited to "only" failing to
preserve the host's TSX_CTRL_CPUID_CLEAR. The out-of-bounds access is
benign as it's guaranteed to clear a bit in a guest MSR value, which are
always zero at vCPU creation on both x86-64 and i386.
Cc: stable@vger.kernel.org
Fixes:
|
||
|---|---|---|
| .. | ||
| capabilities.h | ||
| evmcs.c | ||
| evmcs.h | ||
| nested.c | ||
| nested.h | ||
| pmu_intel.c | ||
| posted_intr.c | ||
| posted_intr.h | ||
| sgx.c | ||
| sgx.h | ||
| vmcs12.c | ||
| vmcs12.h | ||
| vmcs_shadow_fields.h | ||
| vmcs.h | ||
| vmenter.S | ||
| vmx_ops.h | ||
| vmx.c | ||
| vmx.h | ||