From 02033a7a17f302964e5103979bbfddaf8034c4e8 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Fri, 13 Oct 2017 18:06:46 +0200 Subject: [PATCH] [x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT (CVE-2017-12188) --- debian/changelog | 2 ++ ...last_nonleaf_level-when-initializing.patch | 34 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 37 insertions(+) create mode 100644 debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch diff --git a/debian/changelog b/debian/changelog index e1615d5ef..aef371ea7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,8 @@ linux (4.13.4-2) UNRELEASED; urgency=medium * KEYS: prevent KEYCTL_READ on negative key (CVE-2017-12192) * waitid(): Add missing access_ok() checks (CVE-2017-5123) * ALSA: seq: Fix use-after-free at creating a port (CVE-2017-15265) + * [x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT + (CVE-2017-12188) -- Ben Hutchings Wed, 04 Oct 2017 23:14:54 +0100 diff --git a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch b/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch new file mode 100644 index 000000000..eefff5b4e --- /dev/null +++ b/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch 
@@ -0,0 +1,34 @@ +From: Ladi Prosek +Date: Thu, 5 Oct 2017 11:10:22 +0200 +Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT +Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188 + +The function updates context->root_level but didn't call +update_last_nonleaf_level so the previous and potentially wrong value +was used for page walks. For example, a zero value of last_nonleaf_level +would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's +walk_addr_generic function (CVE-2017-12188). + +Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb +Signed-off-by: Ladi Prosek +Signed-off-by: Paolo Bonzini +--- + arch/x86/kvm/mmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c +index 106d4a029a8a..3c25f20115bc 100644 +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly, + + update_permission_bitmask(vcpu, context, true); + update_pkru_bitmask(vcpu, context, true); ++ update_last_nonleaf_level(vcpu, context); + reset_rsvds_bits_mask_ept(vcpu, context, execonly); + reset_ept_shadow_zero_bits_mask(vcpu, context, execonly); + } +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index 0131f69c4..09ca22143 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -126,6 +126,7 @@ bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch bugfix/all/waitid-Add-missing-access_ok-checks.patch bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch +bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
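Review bot: the one-line change in the nested mmu.c hunk (`+	update_last_nonleaf_level(vcpu, context);`) is placed between `update_pkru_bitmask(vcpu, context, true);` and `reset_rsvds_bits_mask_ept(vcpu, context, execonly);`, which matches the description in the patch header: `kvm_init_shadow_ept_mmu` updates `context->root_level` but previously never recomputed `last_nonleaf_level`, so a stale (possibly zero) value reached `walk_addr_generic` in `arch/x86/kvm/paging_tmpl.h` and could drive an out-of-bounds access during nested EPT page walks (CVE-2017-12188). Two things to confirm before merging: first, that the surrounding context lines in this hunk (`update_permission_bitmask`, `update_pkru_bitmask`, the two `reset_*_ept` calls) exist at the same position in the 4.13.4 tree so the hunk applies without fuzz; second, that the `Origin:` line pointing at upstream commit fd19d3b45164466a4adce7cbff448ba9189e1427 and the `Bug-Debian-Security:` tracker link stay in the patch header, since they are the only provenance for this backport. The description could also mention that the fix is relevant whenever nested EPT is enabled for an L1 guest, which is the condition under which `kvm_init_shadow_ept_mmu` is reached; nothing in the hunk itself needs changing.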
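Review bot: in the debian/patches/series hunk the new entry `bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch` is added directly after the other CVE bugfix entries and before the `# Fix exported symbol versions` comment block, so it sits with the security fixes rather than in the symbol-version group; the path also matches the `create mode 100644 debian/patches/bugfix/x86/...` line in the commit summary. The changelog entry in the first hunk names the same patch subject and CVE, so the three hunks are consistent with each other.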