From dec24a9f9f0d71d73f07e6ac6dcc1bbe54627863 Mon Sep 17 00:00:00 2001
From: Yin Fengwei
Date: Fri, 27 Jul 2018 16:49:12 +0800
Subject: [PATCH] hv: add check to invalid CR8 writting from guest

According to SDM, inject #GP(0) if guest tries to write reserved bit of CR8.

Signed-off-by: Yin Fengwei
Acked-by: Eddie Dong
---
 hypervisor/arch/x86/vmexit.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hypervisor/arch/x86/vmexit.c b/hypervisor/arch/x86/vmexit.c
index b14ef5ed3..c70965bf4 100644
--- a/hypervisor/arch/x86/vmexit.c
+++ b/hypervisor/arch/x86/vmexit.c
@@ -281,6 +281,15 @@ int cr_access_vmexit_handler(struct vcpu *vcpu)
 break;
 case 0x08U:
 /* mov to cr8 */
+ /* According to SDM 6.15 "Exception and interrupt Reference":
+ *
+ * set reserved bit in CR8 causes GP to guest
+ */
+ if (*regptr & ~0xFUL) {
+ pr_dbg("Invalid cr8 write operation from guest");
+ vcpu_inject_gp(vcpu, 0U);
+ break;
+ }
 vlapic_set_cr8(vcpu->arch_vcpu.vlapic, *regptr);
 break;
 case 0x18U:
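Review bot: The new guard rejects the right bits (CR8 holds only the 4-bit TPR, so a 1 anywhere in bits 63:4 must raise #GP(0)), but its `break` after `vcpu_inject_gp(vcpu, 0U)` sends the exit down the handler's normal completion path, so the guest RIP must be retained somewhere in the injection path — if it is advanced as on a handled exit, the guest takes #GP with RIP already past the faulting MOV; the hunk does not show which, so please confirm. `~0xFUL` is a magic mask that also relies on `unsigned long` being 64 bits; a named constant, e.g. `#define CR8_RESERVED_BITS_MASK (~0xFUL)` and `if ((*regptr & CR8_RESERVED_BITS_MASK) != 0UL) {`, makes the intent and width explicit (the file's `0x08U`/`0U` literals suggest an explicit-comparison style is expected here). The comment's "SDM 6.15" reference is loose; the rule comes from the MOV-to-control-register instruction description, so a comment like `/* SDM Vol.2 MOV to CR: #GP(0) if a reserved bit (63:4) of CR8 is written as 1 */` pins it better. The log line is guest-triggerable at will, which is fine at `pr_dbg` level but should not be promoted to a louder level later. cr_access_vmexit_handler starts and ends outside this hunk.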