[x86] KVM: work around leak of uninitialized stack contents (CVE-2019-7222)

2019-02-08 10:17:22 +01:00 · 2019-02-08 10:17:22 +01:00 · fb1b32a316
parent 71aa687bf8
commit fb1b32a316
3 changed files with 51 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -393,6 +393,8 @@ linux (4.19.20-1) UNRELEASED; urgency=medium
  [ Salvatore Bonaccorso ]
  * [x86] kvmclock: set offset for kvm unstable clock (Closes: #918036)
  * kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
+  * [x86] KVM: work around leak of uninitialized stack contents
+    (CVE-2019-7222)

  [ Hideki Yamane ]
  * [x86] Enable Touchpad support on Gemini Lake via CONFIG_PINCTRL_GEMINILAKE
--- a/debian/patches/bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch
+++ b/debian/patches/bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch
@ -0,0 +1,48 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 29 Jan 2019 18:41:16 +0100
+Subject: KVM: x86: work around leak of uninitialized stack contents
+ (CVE-2019-7222)
+Origin: https://git.kernel.org/linus/353c0956a618a07ba4bbe7ad00ff29fe70e8412a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-7222
+
+Bugzilla: 1671930
+
+Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
+memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
+when passed an operand that points to an MMIO address.  The page fault
+will use uninitialized kernel stack memory as the CR2 and error code.
+
+The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
+exit to userspace; however, it is not an easy fix, so for now just
+ensure that the error code and CR2 are zero.
+
+Embargoed until Feb 7th 2019.
+
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+Cc: stable@kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/x86.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 3d27206f6c01..e67ecf25e690 100644
+--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
+@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
+ {
+ 	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
+ 
+	/*
+	 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+	 * is returned, but our callers are not ready for that and they blindly
+	 * call kvm_inject_page_fault.  Ensure that they at least do not leak
+	 * uninitialized kernel stack memory into cr2 and error code.
+	 */
+	memset(exception, 0, sizeof(*exception));
+ 	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
+ 					  exception);
+ }
+-- 
+2.11.0
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -140,6 +140,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch
+bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch