x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit

kvm_steal_time_set_preempted() may accidentally clear KVM_VCPU_FLUSH_TLB bit if it is called more than once while VCPU is preempted. This is part of CVE-2019-3016. (This bug was also independently discovered by Jim Mattson <[email protected]>) Signed-off-by: Boris Ostrovsky <[email protected]> Reviewed-by: Joao Martins <[email protected]> Cc: [email protected] Signed-off-by: Paolo Bonzini <[email protected]>
mrcsosa · Jan 30, 2020 · 8c6de56 · 8c6de56
1 parent ae60882
commit 8c6de56
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
@@ -3504,6 +3504,9 @@ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
 	if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
 		return;
 
+	if (vcpu->arch.st.steal.preempted)
+		return;
+
 	vcpu->arch.st.steal.preempted = KVM_VCPU_PREEMPTED;
 
 	kvm_write_guest_offset_cached(vcpu->kvm, &vcpu->arch.st.stime,