authorJoerg Roedel <jroedel@suse.de>2015-11-11 13:06:18 +0100
committerJoerg Roedel <jroedel@suse.de>2015-11-11 13:06:20 +0100
commit1cd6391406f8e81ba9904e8c61edf434450b7293 (patch)
tree2b0f8f018ef7cc28988770410bead7d0e2a562c9
parent9c8b97624574987e498df6dd9c34cbbd8add4e4e (diff)
KVM: svm: unconditionally intercept #DB (CVE-2015-8104
bsc#954404).
-rw-r--r--patches.fixes/kvm-svm-unconditionally-intercept-db78
-rw-r--r--series.conf1
2 files changed, 79 insertions, 0 deletions
diff --git a/patches.fixes/kvm-svm-unconditionally-intercept-db b/patches.fixes/kvm-svm-unconditionally-intercept-db
new file mode 100644
index 0000000000..ccedefbdc1
--- /dev/null
+++ b/patches.fixes/kvm-svm-unconditionally-intercept-db
@@ -0,0 +1,78 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 10 Nov 2015 09:14:39 +0100
+Subject: KVM: svm: unconditionally intercept #DB
+Git-commit: cbdb967af3d54993f5814f1cee0ed311a055377d
+Patch-mainline: 4.4-rc1
+References: CVE-2015-8104 bsc#954404
+
+This is needed to avoid the possibility that the guest triggers
+an infinite stream of #DB exceptions (CVE-2015-8104).
+
+VMX is not affected: because it does not save DR6 in the VMCS,
+it already intercepts #DB unconditionally.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/svm.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1010,6 +1010,7 @@
+ set_exception_intercept(svm, UD_VECTOR);
+ set_exception_intercept(svm, MC_VECTOR);
+ set_exception_intercept(svm, AC_VECTOR);
++ set_exception_intercept(svm, DB_VECTOR);
+
+ set_intercept(svm, INTERCEPT_INTR);
+ set_intercept(svm, INTERCEPT_NMI);
+@@ -1542,20 +1543,13 @@
+ mark_dirty(svm->vmcb, VMCB_SEG);
+ }
+
+-static void update_db_intercept(struct kvm_vcpu *vcpu)
++static void update_bp_intercept(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+
+- clr_exception_intercept(svm, DB_VECTOR);
+ clr_exception_intercept(svm, BP_VECTOR);
+
+- if (svm->nmi_singlestep)
+- set_exception_intercept(svm, DB_VECTOR);
+-
+ if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
+- if (vcpu->guest_debug &
+- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
+- set_exception_intercept(svm, DB_VECTOR);
+ if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
+ set_exception_intercept(svm, BP_VECTOR);
+ } else
+@@ -1573,7 +1567,7 @@
+
+ mark_dirty(svm->vmcb, VMCB_DR);
+
+- update_db_intercept(vcpu);
++ update_bp_intercept(vcpu);
+ }
+
+ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)
+@@ -1647,7 +1641,6 @@
+ if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
+ svm->vmcb->save.rflags &=
+ ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
+- update_db_intercept(&svm->vcpu);
+ }
+
+ if (svm->vcpu.guest_debug &
+@@ -3545,7 +3538,6 @@
+ */
+ svm->nmi_singlestep = true;
+ svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
+- update_db_intercept(vcpu);
+ }
+
+ static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
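Review bot: With DB_VECTOR now set unconditionally in the vmcb init hunk and the guest_debug/nmi_singlestep-driven toggling removed from update_bp_intercept and its two former call sites, every guest #DB now exits to KVM, so the #DB exit handler must re-inject the exception into the guest whenever neither nmi_singlestep nor KVM_GUESTDBG debugging requested it; otherwise ordinary guest debug traps are silently lost. That handler (db_interception) is not part of this patch, so for this backport it is worth confirming the base tree's version already does the re-injection, as the mainline commit named in the header assumes. The nested hunk headers carry no function context (`@@ -1010,6 +1010,7 @@`), which makes it hard to see that the first hunk is inside the vmcb initialisation routine and that each touched function starts and ends outside its hunk; regenerating the patch with `-p` context would help future review. A one-line note in the patch description such as `Relies on db_interception() reflecting unrequested #DB back to the guest` would make the dependency explicit.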
diff --git a/series.conf b/series.conf
index bf101859f0..4f4998741d 100644
--- a/series.conf
+++ b/series.conf
@@ -5122,6 +5122,7 @@
patches.fixes/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered
# bsc#954404 - VUL-0: CVE-2015-8104: virt: guest to host DoS by triggering an infinite loop in microcode via #DB exception
+ patches.fixes/kvm-svm-unconditionally-intercept-db
########################################################
# You'd better have a good reason for adding a patch