[x86] KVM: work around leak of uninitialized stack contents (CVE-2019-7222)
parent 71aa687bf8
commit fb1b32a316
@ -393,6 +393,8 @@ linux (4.19.20-1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* [x86] kvmclock: set offset for kvm unstable clock (Closes: #918036)
* kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
* [x86] KVM: work around leak of uninitialized stack contents
(CVE-2019-7222)

[ Hideki Yamane ]
* [x86] Enable Touchpad support on Gemini Lake via CONFIG_PINCTRL_GEMINILAKE
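Review bot: no logic issue with the two added lines; the entry is correctly recorded under Salvatore Bonaccorso's section, directly after the related CVE-2019-6974 kvm entry, and the CVE id on its own continuation line matches the style of the entries above it. One style point: the entry says "work around", like the upstream subject, but does not tell changelog readers that this is a partial fix, while the patch imported in this same commit describes the memset as a stopgap pending a proper KVM_EXIT_INTERNAL_ERROR exit; consider appending a short qualifier such as "(partial mitigation; proper fix pending upstream)" so the entry signals that a follow-up may land later.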
debian/patches/bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch (vendored, normal file, 48 lines)
@ -0,0 +1,48 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 29 Jan 2019 18:41:16 +0100
Subject: KVM: x86: work around leak of uninitialized stack contents
(CVE-2019-7222)
Origin: https://git.kernel.org/linus/353c0956a618a07ba4bbe7ad00ff29fe70e8412a
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-7222

Bugzilla: 1671930

Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
when passed an operand that points to an MMIO address. The page fault
will use uninitialized kernel stack memory as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just
ensure that the error code and CR2 are zero.

Embargoed until Feb 7th 2019.

Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/x86.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3d27206f6c01..e67ecf25e690 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
{
u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;

+ /*
+ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+ * is returned, but our callers are not ready for that and they blindly
+ * call kvm_inject_page_fault. Ensure that they at least do not leak
+ * uninitialized kernel stack memory into cr2 and error code.
+ */
+ memset(exception, 0, sizeof(*exception));
return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
exception);
}
--
2.11.0

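Review bot: the memset only covers the kvm_read_guest_virt entry point, so any other caller path that hands an uninitialized exception struct to kvm_inject_page_fault on X86EMUL_IO_NEEDED is not covered by this hunk; the FIXME in the hunk says as much and the Subject calls it a work-around, so when carrying this patch in the Debian tree it is worth recording in the patch header that the Origin commit is a stopgap and that the proper fix (handle_emulation_failure / KVM_EXIT_INTERNAL_ERROR) is still pending upstream, so the patch is rechecked on the next stable rebase rather than assumed final. Zeroing the whole struct with `memset(exception, 0, sizeof(*exception));` rather than individual fields is the right choice, since it cannot miss a field that the injection path later reads. One header style point: `Origin:` and `Bug-Debian-Security:` carry full URLs while `Bugzilla: 1671930` is a bare number, which leaves it unclear which Bugzilla instance is meant; either give it a URL or drop it if it is not a Debian reference.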
@ -140,6 +140,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch
bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch

# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
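Review bot: placement is correct; the new line sits in the "# Security fixes" block immediately after the CVE-2019-6974 kvm entry, so the two KVM fixes stay grouped, and the filename matches the new file added in this commit (bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch) exactly. Since the preceding entry lives under bugfix/all while this one is under bugfix/x86 and its only hunk touches arch/x86/kvm/x86.c, an apply-order dependency between the two is unlikely, but the usual check of building the patched tree (or at least a dry-run quilt push) before upload still applies.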