Created attachment 386716 [details, diff] 0001-KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch

From Vendorsec, I got the patches from Petr Matousek (pmatouse@redhat.com). The embargo lift date is 2014-10-28.

CVE-2014-3646 kernel: kvm: vmx: invvpid vm exit not handled

IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid causes vm exit, which is currently not handled and causes unknown exit error to be propagated to userspace. A local unprivileged guest user could use this flaw to crash the guest. Reported by Advanced Threat Research team at Intel Security.

CVE-2014-3645 kernel: kvm: vmx: invept vm exit not handled

On systems with invept instruction support (corresponding bit in IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invept causes vm exit, which is currently not handled and causes unknown exit error to be propagated to userspace. A local unprivileged guest user could use this flaw to crash the guest. Reported by Advanced Threat Research team at Intel Security.

Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bfd0a56b90005f8c8a004baf407ad90045c2b11e

CVE-2014-3611 kernel: kvm: PIT timer race condition

There's a race condition in the PIT emulation code in KVM. In __kvm_migrate_pit_timer the pit_timer object is accessed without synchronization. A local guest user with access to the PIT i/o ports could use this flaw to crash the host. Reported by Lars Bull of Google.

CVE-2014-3610 kernel: kvm: noncanonical MSR writes

If the guest writes a noncanonical value to certain MSR registers, KVM will write that value to the MSR in the host context and a #GP will be raised leading to kernel panic. A privileged guest user can use this flaw to crash the host. Enabling CONFIG_PARAVIRT when building the kernel mitigates this issue because wrmsrl() ends up invoking safe msr write variant. Independently reported by Lars Bull of Google and Nadav Amit.
CVE-2014-3647 kernel: kvm: noncanonical rip after emulation

kvm currently mishandles noncanonical addresses when emulating instructions that change rip (e.g. branches, calls), potentially causing a failed VM-entry. A guest user with access to I/O or MMIO region can use this flaw to crash the guest. Reported by Nadav Amit.
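The CVE-2014-3610 description above turns on one check: whether a 64-bit value a guest wants to put into an address-holding MSR (LSTAR, FS_BASE, SYSENTER_EIP and the like) is canonical, i.e. its upper bits are all copies of the top implemented virtual-address bit, so that executing WRMSR with it on the host cannot fault. The following is an added illustration written for this bug, not code from the kernel patches attached here: it implements the canonical-address test for 48-bit (and, as a generalization, 57-bit) linear addresses and gates a small, constructed MSR table on it, rejecting the write (so a hypervisor would inject #GP into the guest) instead of passing it to the host. The MSR indices are the architectural ones; the table, the `validate_wrmsr` function and its return codes are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Linear addresses on x86-64 are 48 bits wide with 4-level paging
 * (57 with LA57). An address is canonical when every bit above the
 * top implemented bit equals that top bit, i.e. bits 63..va_bits-1
 * are all 0 or all 1. Unsigned shifts keep this free of
 * implementation-defined signed behaviour. */
bool is_canonical_address(uint64_t addr, unsigned int va_bits)
{
    uint64_t upper = addr >> (va_bits - 1);            /* bits 63..va_bits-1 */
    uint64_t all_ones = UINT64_MAX >> (va_bits - 1);   /* same width, all set */
    return upper == 0 || upper == all_ones;
}

/* Which MSRs hold a linear address and therefore must be canonical.
 * Constructed table for the example; the indices are architectural. */
enum msr_kind { MSR_KIND_OTHER = 0, MSR_KIND_ADDRESS = 1 };

struct msr_desc {
    uint32_t index;
    const char *name;
    enum msr_kind kind;
};

static const struct msr_desc msr_table[] = {
    { 0x00000175, "MSR_IA32_SYSENTER_ESP", MSR_KIND_ADDRESS },
    { 0x00000176, "MSR_IA32_SYSENTER_EIP", MSR_KIND_ADDRESS },
    { 0xC0000081, "MSR_STAR",              MSR_KIND_OTHER   }, /* segment selectors, not an address */
    { 0xC0000082, "MSR_LSTAR",             MSR_KIND_ADDRESS },
    { 0xC0000083, "MSR_CSTAR",             MSR_KIND_ADDRESS },
    { 0xC0000100, "MSR_FS_BASE",           MSR_KIND_ADDRESS },
    { 0xC0000101, "MSR_GS_BASE",           MSR_KIND_ADDRESS },
    { 0xC0000102, "MSR_KERNEL_GS_BASE",    MSR_KIND_ADDRESS },
};

#define MSR_TABLE_LEN (sizeof(msr_table) / sizeof(msr_table[0]))

/* Return 0 if the guest's WRMSR may be forwarded to the host, -1 if the
 * hypervisor must refuse it (and inject #GP into the guest) because the
 * value is a non-canonical address. MSRs outside the table are not
 * address registers in this model and are accepted unchanged. */
int validate_wrmsr(uint32_t msr, uint64_t value, unsigned int va_bits)
{
    for (size_t i = 0; i < MSR_TABLE_LEN; i++) {
        if (msr_table[i].index != msr)
            continue;
        if (msr_table[i].kind == MSR_KIND_ADDRESS &&
            !is_canonical_address(value, va_bits))
            return -1;   /* would #GP on the host: reject in the guest instead */
        return 0;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample writes: the second is the exact shape of a
     * crashing value under the unfixed code, the third shows that the
     * same bit pattern is fine once the address width is 57 bits. */
    const struct { uint32_t msr; uint64_t value; unsigned int va_bits; } writes[] = {
        { 0xC0000082, 0xFFFFFFFF81000000ULL, 48 },  /* typical kernel text address */
        { 0xC0000082, 0x0000800000000000ULL, 48 },  /* bit 47 set, bits 63..48 clear */
        { 0xC0000082, 0x0000800000000000ULL, 57 },
        { 0xC0000081, 0x0000800000000000ULL, 48 },  /* STAR is not an address */
    };
    for (size_t i = 0; i < sizeof(writes) / sizeof(writes[0]); i++) {
        int rc = validate_wrmsr(writes[i].msr, writes[i].value, writes[i].va_bits);
        printf("wrmsr 0x%08x <- 0x%016llx (va_bits=%u): %s\n",
               writes[i].msr, (unsigned long long)writes[i].value,
               writes[i].va_bits, rc == 0 ? "forward to host" : "reject, #GP to guest");
    }
    return 0;
}
```

The point of gating on `va_bits` rather than a hard-coded 48 is that the set of canonical values depends on the paging mode the CPU implements; a check that assumes 4-level paging would wrongly refuse valid 5-level addresses, so the width should come from CPUID on a real system.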
Created attachment 386718 [details, diff] 0001-KVM-x86-Prevent-guest-from-writing-non-canonical-MSR.patch
Created attachment 386720 [details, diff] CVE-2014-3611.patch
Created attachment 386722 [details, diff] CVE-2014-3646.patch
Created attachment 386724 [details] CVE-2014-3647.mbox
Created attachment 386726 [details] Contains 0001-KVM*
Let's just bump after the new kernel is out.
Unrestricting this bug since we are WAY past the embargo and the issues are now public.
*** Bug 526676 has been marked as a duplicate of this bug. ***
CVE-2014-3647 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3647): arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

CVE-2014-3646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3646): arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

CVE-2014-3645 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3645): arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

CVE-2014-3611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3611): Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.

CVE-2014-3610 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3610): The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.
Fixes all in by 4.6