[x86] KVM security fixes
svn path=/dists/sid/linux/; revision=22288
This commit is contained in:
parent
afd12d78e4
commit
424adbaf17
|
@ -17,6 +17,8 @@ linux (3.16.7-ckt4-2) UNRELEASED; urgency=medium
|
|||
- prefix module autoloading with "crypto-"
|
||||
- include crypto- module prefix in template
|
||||
- add missing crypto module aliases
|
||||
* [x86] KVM: Fix of previously incomplete fix for CVE-2014-8480
|
||||
* [x86] KVM: SYSENTER emulation is broken (CVE-2015-0239)
|
||||
|
||||
-- Ian Campbell <ijc@debian.org> Fri, 16 Jan 2015 15:14:32 +0000
|
||||
|
||||
|
|
28
debian/patches/bugfix/x86/kvm-x86-fix-of-previously-incomplete-fix-for-cve-201.patch
vendored
Normal file
28
debian/patches/bugfix/x86/kvm-x86-fix-of-previously-incomplete-fix-for-cve-201.patch
vendored
Normal file
|
@ -0,0 +1,28 @@
|
|||
From: Nadav Amit <nadav.amit@gmail.com>
|
||||
Date: Thu, 8 Jan 2015 11:59:03 +0100
|
||||
Subject: KVM: x86: Fix of previously incomplete fix for CVE-2014-8480
|
||||
Origin: https://git.kernel.org/linus/63ea0a49ae0b145b91ff2b070c01b66fc75854b9
|
||||
|
||||
STR and SLDT with rip-relative operand can cause a host kernel oops.
|
||||
Mark them as DstMem as well.
|
||||
|
||||
Cc: stable@vger.linux.org
|
||||
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -3737,8 +3737,8 @@ static const struct opcode group5[] = {
|
||||
};
|
||||
|
||||
static const struct opcode group6[] = {
|
||||
- DI(Prot, sldt),
|
||||
- DI(Prot, str),
|
||||
+ DI(Prot | DstMem, sldt),
|
||||
+ DI(Prot | DstMem, str),
|
||||
II(Prot | Priv | SrcMem16, em_lldt, lldt),
|
||||
II(Prot | Priv | SrcMem16, em_ltr, ltr),
|
||||
N, N, N, N,
|
|
@ -0,0 +1,78 @@
|
|||
From: Nadav Amit <namit@cs.technion.ac.il>
|
||||
Date: Thu, 1 Jan 2015 23:11:11 +0200
|
||||
Subject: KVM: x86: SYSENTER emulation is broken
|
||||
Origin: https://git.kernel.org/linus/f3747379accba8e95d70cec0eae0582c8c182050
|
||||
|
||||
SYSENTER emulation is broken in several ways:
|
||||
1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
|
||||
2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
|
||||
still be set without causing #GP).
|
||||
3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
|
||||
legacy-mode.
|
||||
4. There is some unneeded code.
|
||||
|
||||
Fix it.
|
||||
|
||||
Cc: stable@vger.linux.org
|
||||
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
[bwh: Backported to 3.16: adjust context]
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 27 ++++++++-------------------
|
||||
1 file changed, 8 insertions(+), 19 deletions(-)
|
||||
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -2302,7 +2302,7 @@ static int em_sysenter(struct x86_emulat
|
||||
* Not recognized on AMD in compat mode (but is recognized in legacy
|
||||
* mode).
|
||||
*/
|
||||
- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
|
||||
+ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
|
||||
&& !vendor_intel(ctxt))
|
||||
return emulate_ud(ctxt);
|
||||
|
||||
@@ -2315,25 +2315,13 @@ static int em_sysenter(struct x86_emulat
|
||||
setup_syscalls_segments(ctxt, &cs, &ss);
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
|
||||
- switch (ctxt->mode) {
|
||||
- case X86EMUL_MODE_PROT32:
|
||||
- if ((msr_data & 0xfffc) == 0x0)
|
||||
- return emulate_gp(ctxt, 0);
|
||||
- break;
|
||||
- case X86EMUL_MODE_PROT64:
|
||||
- if (msr_data == 0x0)
|
||||
- return emulate_gp(ctxt, 0);
|
||||
- break;
|
||||
- default:
|
||||
- break;
|
||||
- }
|
||||
+ if ((msr_data & 0xfffc) == 0x0)
|
||||
+ return emulate_gp(ctxt, 0);
|
||||
|
||||
ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
|
||||
- cs_sel = (u16)msr_data;
|
||||
- cs_sel &= ~SELECTOR_RPL_MASK;
|
||||
+ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
|
||||
ss_sel = cs_sel + 8;
|
||||
- ss_sel &= ~SELECTOR_RPL_MASK;
|
||||
- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
|
||||
+ if (efer & EFER_LMA) {
|
||||
cs.d = 0;
|
||||
cs.l = 1;
|
||||
}
|
||||
@@ -2342,10 +2330,11 @@ static int em_sysenter(struct x86_emulat
|
||||
ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
|
||||
- ctxt->_eip = msr_data;
|
||||
+ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
|
||||
- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
|
||||
+ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
|
||||
+ (u32)msr_data;
|
||||
|
||||
return X86EMUL_CONTINUE;
|
||||
}
|
|
@ -492,3 +492,5 @@ bugfix/x86/x86_64-vdso-fix-the-vdso-address-randomization-algor.patch
|
|||
bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch
|
||||
bugfix/all/crypto-include-crypto-module-prefix-in-template.patch
|
||||
bugfix/all/crypto-add-missing-crypto-module-aliases.patch
|
||||
bugfix/x86/kvm-x86-fix-of-previously-incomplete-fix-for-cve-201.patch
|
||||
bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch
|
||||
|
|
Loading…
Reference in New Issue