Gentoo's Bugzilla – Attachment 386718 Details for Bug 525490
Kernel: KVM multiple DOS vulnerabilities (CVE-2014-{3610,3611,3645,3646,3647})
Attachment 386718: 0001-KVM-x86-Prevent-guest-from-writing-non-canonical-MSR.patch
Description: 0001-KVM-x86-Prevent-guest-from-writing-non-canonical-MSR.patch
Filename: 0001-KVM-x86-Prevent-guest-from-writing-non-canonical-MSR.patch
MIME Type: text/plain
Creator: Stefan Behte (RETIRED)
Created: 2014-10-15 10:59:43 UTC
Size: 3.14 KB
Flags: patch, obsolete
>From 650f791eab0035e525fe386516de27ed882e6929 Mon Sep 17 00:00:00 2001 >From: Andy Honig <ahonig@google.com> >Date: Wed, 27 Aug 2014 11:16:44 -0700 >Subject: [PATCH 1/3] KVM/x86: Prevent guest from writing non-canonical MSR > addresses. > >If the guest in long mode writes a non-canonical address to a shared >MSR, KVM will write that value to the MSR in the host context and a >GP will be raised leading to kernel panic. This change converts to >use safe wrmsr that will gracefully handle GPs caused by non-canonical >address writes. > >Signed-off-by: Andrew Honig <ahonig@google.com> >--- > arch/x86/include/asm/kvm_host.h | 2 +- > arch/x86/kvm/vmx.c | 19 ++++++++++++++++--- > arch/x86/kvm/x86.c | 11 ++++++++--- > 3 files changed, 25 insertions(+), 7 deletions(-) > >diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h >index 7c492ed..3effbb2 100644 >--- a/arch/x86/include/asm/kvm_host.h >+++ b/arch/x86/include/asm/kvm_host.h >@@ -1048,7 +1048,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcpu *v); > void kvm_vcpu_reset(struct kvm_vcpu *vcpu); > > void kvm_define_shared_msr(unsigned index, u32 msr); >-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask); >+int kvm_set_shared_msr(unsigned index, u64 val, u64 mask); > > bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip); > >diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c >index bfe11cf..a7d2bb9 100644 >--- a/arch/x86/kvm/vmx.c >+++ b/arch/x86/kvm/vmx.c >@@ -2563,6 +2563,7 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) > int ret = 0; > u32 msr_index = msr_info->index; > u64 data = msr_info->data; >+ u64 old_msr_data; > > switch (msr_index) { > case MSR_EFER: 
>@@ -2631,12 +2641,15 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) > default: > msr = find_msr_entry(vmx, msr_index); > if (msr) { >+ old_msr_data = msr->data; > msr->data = data; > if (msr - vmx->guest_msrs < vmx->save_nmsrs) { > preempt_disable(); >- kvm_set_shared_msr(msr->index, msr->data, >- msr->mask); >+ ret = kvm_set_shared_msr(msr->index, msr->data, >+ msr->mask); > preempt_enable(); >+ if (ret) >+ msr->data = old_msr_data; > } > break; > } >diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c >index 8f1e22d..1da454f 100644 >--- a/arch/x86/kvm/x86.c >+++ b/arch/x86/kvm/x86.c >@@ -229,20 +229,25 @@ static void kvm_shared_msr_cpu_online(void) > shared_msr_update(i, shared_msrs_global.msrs[i]); > } > >-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) >+int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) > { > unsigned int cpu = smp_processor_id(); > struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu); >+ int err; > > if (((value ^ smsr->values[slot].curr) & mask) == 0) >- return; >+ return 0; > smsr->values[slot].curr = value; >- wrmsrl(shared_msrs_global.msrs[slot], value); >+ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); >+ if (err) >+ return 1; >+ > if (!smsr->registered) { > smsr->urn.on_user_return = kvm_on_user_return; > user_return_notifier_register(&smsr->urn); > smsr->registered = true; > } >+ return 0; > } > EXPORT_SYMBOL_GPL(kvm_set_shared_msr); > >-- >2.1.0.rc2.206.gedb03e5 >
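Review bot: the kvm_host.h prototype change from `void kvm_set_shared_msr(...)` to `int kvm_set_shared_msr(...)` carries no comment on what the return value means; the x86.c hunk returns 0 on success and 1 when the MSR write faulted, so add a one-line comment above the declaration stating that convention, since callers in vmx.c now branch on it.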
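Review bot: in the first vmx.c hunk `u64 old_msr_data;` is declared at function scope in vmx_set_msr but is only assigned and read inside the `if (msr)` block of the `default:` case; declare it there (`u64 old_msr_data = msr->data;`) so its lifetime matches its use. Separately, the hunk headers (`@@ -2563,6 +2563,7` followed by `@@ -2631,12 +2641,15`) and the diffstat line `arch/x86/kvm/vmx.c | 19 ++++++++++++++++---` imply roughly ten more added lines in this file between the two visible hunks that this rendering does not show; review the attachment file itself rather than this page before applying it.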
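Review bot: in the second vmx.c hunk the nonzero `ret` from kvm_set_shared_msr becomes vmx_set_msr's return value, so a faulting shared-MSR write is now reported back to the caller instead of raising an unhandled #GP in the host, but neither the hunk nor the commit message says what the guest then observes. Spell that out in the commit message (the write is refused and `msr->data` is rolled back to `old_msr_data`), and check that the literal 1 propagated from kvm_set_shared_msr is the value the MSR-write callers of vmx_set_msr already treat as a rejected write rather than an unrelated error.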
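Review bot: in the x86.c hunk `smsr->values[slot].curr = value;` is stored before `wrmsrl_safe()` runs, so when the write faults and the function returns 1 the per-cpu cache records a value the hardware MSR never took. A second call with the same non-canonical value then satisfies `((value ^ smsr->values[slot].curr) & mask) == 0`, returns 0 without writing anything, and the guest's repeated write is reported as successful while the cache no longer reflects the real register. Move the assignment after the `if (err) return 1;` (or restore the previous `curr` on error) so the cache only changes on a successful write. Minor: `if (err) return 1;` discards the value in `err`; returning it directly would be the usual kernel style.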