author: Jiri Slaby <jslaby@suse.cz> 2019-02-12 22:18:26 +0100
committer: Jiri Slaby <jslaby@suse.cz> 2019-02-12 22:21:27 +0100
commit: 0b0755b662cfd98c8b2bf63f48ecd647f221876c (patch)
tree: ea7dc15713c14757c8402e7292c9e6692addb176
parent: b626825e0bdedf4a01d590f307c6ed9eb3fc8e4e (diff)
KVM: x86: work around leak of uninitialized stack contents
(CVE-2019-7222) (bnc#1012628).
-rw-r--r--  patches.kernel.org/4.20.8-330-KVM-x86-work-around-leak-of-uninitialized-stac.patch | 53
-rw-r--r--  series.conf | 1
2 files changed, 54 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.8-330-KVM-x86-work-around-leak-of-uninitialized-stac.patch b/patches.kernel.org/4.20.8-330-KVM-x86-work-around-leak-of-uninitialized-stac.patch
new file mode 100644
index 0000000000..f3f7cec95d
--- /dev/null
+++ b/patches.kernel.org/4.20.8-330-KVM-x86-work-around-leak-of-uninitialized-stac.patch
@@ -0,0 +1,53 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 29 Jan 2019 18:41:16 +0100
+Subject: [PATCH] KVM: x86: work around leak of uninitialized stack contents
+ (CVE-2019-7222)
+References: bnc#1012628
+Patch-mainline: 4.20.8
+Git-commit: 353c0956a618a07ba4bbe7ad00ff29fe70e8412a
+
+commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a upstream.
+
+Bugzilla: 1671930
+
+Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
+memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
+when passed an operand that points to an MMIO address. The page fault
+will use uninitialized kernel stack memory as the CR2 and error code.
+
+The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
+exit to userspace; however, it is not an easy fix, so for now just
+ensure that the error code and CR2 are zero.
+
+Embargoed until Feb 7th 2019.
+
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+Cc: stable@kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kvm/x86.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 4247cb230bd3..6d69503ca43e 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5041,6 +5041,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
+ {
+ u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
+
++ /*
++ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
++ * is returned, but our callers are not ready for that and they blindly
++ * call kvm_inject_page_fault. Ensure that they at least do not leak
++ * uninitialized kernel stack memory into cr2 and error code.
++ */
++ memset(exception, 0, sizeof(*exception));
+ return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
+ exception);
+ }
+--
+2.20.1
+
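Review bot: the memset in kvm_read_guest_virt makes the leaked values deterministic (cr2 = 0, error code = 0) but does not change the behaviour the description calls wrong: a guest that hands one of the listed instructions an MMIO operand still receives a page fault instead of the KVM_EXIT_INTERNAL_ERROR exit, because the callers still "blindly call kvm_inject_page_fault" on the X86EMUL_IO_NEEDED return. Since the zeroing is done unconditionally at the top of the function rather than on the failure path, it is also easy to mistake for a complete fix when reading x86.c later; consider keeping the FIXME text verbatim in the backport (as this hunk does) and recording in the SUSE patch header that the spurious #PF remains, so the follow-up in the FIXME is tracked rather than considered closed by this change.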
diff --git a/series.conf b/series.conf
index 217462514a..715b2fbd1a 100644
--- a/series.conf
+++ b/series.conf
@@ -1066,6 +1066,7 @@
patches.kernel.org/4.20.8-327-scsi-sd_zbc-Fix-zone-information-messages.patch
patches.kernel.org/4.20.8-328-scsi-cxlflash-Prevent-deadlock-when-adapter-pr.patch
patches.kernel.org/4.20.8-329-scsi-aic94xx-fix-module-loading.patch
+ patches.kernel.org/4.20.8-330-KVM-x86-work-around-leak-of-uninitialized-stac.patch
########################################################
# Build fixes that apply to the vanilla kernel too.
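Review bot: the new series.conf entry keeps the 4.20.8 stable sequence contiguous (327, 328, 329, 330) and lands before the "# Build fixes" separator, where the patches.kernel.org entries belong; the only thing to double-check is that the truncated file name ("...-uninitialized-stac.patch") matches the added file byte for byte, since series application fails silently on a one-character mismatch, and it does match the path in the diffstat above.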