x86/sev: Disable MMIO emulation from user mode

pvts-mat · PlaidCat · commit 1ba2ed457282 · 2025-10-16T12:38:57.000-04:00
jira VULN-6719 cve CVE-2023-46813 commit-author Borislav Petkov (AMD) <bp@alien8.de> commit a37cd2a A virt scenario can be constructed where MMIO memory can be user memory. When that happens, a race condition opens between when the hardware raises the #VC and when the #VC handler gets to emulate the instruction. If the MOVS is replaced with a MOVS accessing kernel memory in that small race window, then write to kernel memory happens as the access checks are not done at emulation time. Disable MMIO emulation in user mode temporarily until a sensible use case appears and justifies properly handling the race window. Fixes: 0118b60 ("x86/sev-es: Handle MMIO String Instructions") Reported-by: Tom Dohrmann <erbse.13@gmx.de> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Tested-by: Tom Dohrmann <erbse.13@gmx.de> Cc: <stable@kernel.org> (cherry picked from commit a37cd2a) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
@@ -1533,6 +1533,9 @@ static enum es_result vc_handle_mmio(struct ghcb *ghcb, struct es_em_ctxt *ctxt)
 			return ES_DECODE_FAILED;
 	}
 
+	if (user_mode(ctxt->regs))
+		return ES_UNSUPPORTED;
+
 	switch (mmio) {
 	case MMIO_WRITE:
 		memcpy(ghcb->shared_buffer, reg_data, bytes);

Original file line number	Diff line number	Diff line change
`@@ -1533,6 +1533,9 @@ static enum es_result vc_handle_mmio(struct ghcb ghcb, struct es_em_ctxt ctxt)`
`1533`	`1533`	`return ES_DECODE_FAILED;`
`1534`	`1534`	`}`
`1535`	`1535`
	`1536`	`+ if (user_mode(ctxt->regs))`
	`1537`	`+ return ES_UNSUPPORTED;`
	`1538`	`+`
`1536`	`1539`	`switch (mmio) {`
`1537`	`1540`	`case MMIO_WRITE:`
`1538`	`1541`	`memcpy(ghcb->shared_buffer, reg_data, bytes);`