[PATCH] KVM: nVMX: Prevent vmlaunch with EPTP pointing outside assigned memory area

[Reima Ishii]

In nested virtualization, if L1 sets an EPTP in VMCS12 that points
beyond the assigned memory area and initiates a vmlaunch to L2, the
existing KVM code handles the vmlaunch, and passes the VMCS
consistency check. However, due to EPTP pointing outside accessible
memory from the vCPU in mmu_check_root(), it attempts to trigger a
triple fault.

As a result, the nested_vmx_triple_fault() and nested_vmx_vmexit() are
called before the actual vmlaunch to L2 occurs. Despite the vmlaunch
not actually being executed in L2, KVM attempts a vmexit to L1,
resulting in a warning in nested_vmx_vmexit() due to the
nested_run_pending flag.

This commit resolves the issue by modifying the nested_vmx_check_eptp()
to return false when EPTP points outside the assigned memory area.
This effectively prevents a vmlaunch with such an EPTP, thus avoiding
the unnecessary warning.

Signed-off-by: Reima Ishii <ishiir@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kvm/vmx/nested.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index e35cf0bd0df9..721f98a5dc24 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -2727,6 +2727,10 @@ static bool nested_vmx_check_eptp(struct kvm_vcpu *vcpu, u64 new_eptp)
 			return false;
 	}
 
+	/* Check if EPTP points to an assigned memory area */
+	if (!kvm_vcpu_is_visible_gfn(vcpu, new_eptp >> PAGE_SHIFT))
+		return false;
+
 	return true;
 }
 
-- 
2.34.1