diff --git a/debian/changelog b/debian/changelog
index 7db79bcda..2af0bb6af 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -29,6 +29,9 @@ linux (4.19.6-1~exp1) UNRELEASED; urgency=medium
 * debian/rules: Mark more targets as phony
 * libcpupower: Hide private function and drop it from .symbols file
+ [ Salvatore Bonaccorso ]
+ * [x86] KVM: LAPIC: Fix pv ipis use-before-initialization (CVE-2018-19406)
+
 -- Uwe Kleine-König Wed, 28 Nov 2018 12:20:46 +0100
 linux (4.19.5-1~exp1) experimental; urgency=medium
diff --git a/debian/patches/bugfix/x86/KVM-LAPIC-Fix-pv-ipis-use-before-initialization.patch b/debian/patches/bugfix/x86/KVM-LAPIC-Fix-pv-ipis-use-before-initialization.patch
new file mode 100644
index 000000000..a461a1537
--- /dev/null
+++ b/debian/patches/bugfix/x86/KVM-LAPIC-Fix-pv-ipis-use-before-initialization.patch
@@ -0,0 +1,65 @@
+From: Wanpeng Li
+Date: Tue, 20 Nov 2018 09:39:30 +0800
+Subject: KVM: LAPIC: Fix pv ipis use-before-initialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/38ab012f109caf10f471db1adf284e620dd8d701
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19406
+
+Reported by syzkaller:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
+ PGD 800000040410c067 P4D 800000040410c067 PUD 40410d067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP PTI
+ CPU: 3 PID: 2567 Comm: poc Tainted: G OE 4.19.0-rc5 #16
+ RIP: 0010:kvm_pv_send_ipi+0x94/0x350 [kvm]
+ Call Trace:
+ kvm_emulate_hypercall+0x3cc/0x700 [kvm]
+ handle_vmcall+0xe/0x10 [kvm_intel]
+ vmx_handle_exit+0xc1/0x11b0 [kvm_intel]
+ vcpu_enter_guest+0x9fb/0x1910 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
+ kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
+ do_vfs_ioctl+0xa5/0x690
+ ksys_ioctl+0x6d/0x80
+ __x64_sys_ioctl+0x1a/0x20
+ do_syscall_64+0x83/0x6e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The reason is that the apic map has not yet been initialized, the testcase
+triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map
+is dereferenced. This patch fixes it by checking whether or not apic map is
+NULL and bailing out immediately if that is the case.
+
+Fixes: 4180bf1b65 (KVM: X86: Implement "send IPI" hypercall)
+Reported-by: Wei Wu
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Wei Wu
+Signed-off-by: Wanpeng Li
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+---
+ arch/x86/kvm/lapic.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 89db20f8cb70..02f2291dcf7e 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -576,6 +576,11 @@ int kvm_pv_send_ipi(struct kvm *kvm, unsigned long ipi_bitmap_low,
+ rcu_read_lock();
+ map = rcu_dereference(kvm->arch.apic_map);
+
++ if (unlikely(!map)) {
++ count = -EOPNOTSUPP;
++ goto out;
++ }
++
+ if (min > map->max_apic_id)
+ goto out;
+ /* Bits above cluster_size are masked in the caller. */
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index b5191ac9b..e7437c770 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -130,6 +130,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/x86/KVM-LAPIC-Fix-pv-ipis-use-before-initialization.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
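Review bot: The new early exit in the nested lapic.c hunk leaves kvm_pv_send_ipi via `goto out` immediately after `rcu_read_lock()`, so it depends on the `out:` label — which, like the start and end of the function, lies outside the hunk — to drop the RCU read lock; that is worth confirming against the backported 4.19 source, as is the assumption that `count` is the value the function returns. The added check carries no explanation of why `map` can be NULL even though the patch description gives one; a comment such as `/* apic_map is NULL until a LAPIC has been set up, and a guest can issue this hypercall before then. */` above `if (unlikely(!map))` would keep that rationale next to the code. Note also that the pre-existing `min > map->max_apic_id` bail-out reaches `out` without assigning `count`, while the new path sets `-EOPNOTSUPP`, so the two early exits report differently to the caller; whether that difference is intended cannot be judged from the hunk alone.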