diff --git a/debian/changelog b/debian/changelog index 44ffe2bd6..e4562c4b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linux (4.2.6-2) UNRELEASED; urgency=medium + + * [x86] KVM: svm: unconditionally intercept #DB (CVE-2015-8104) + + -- Salvatore Bonaccorso Tue, 10 Nov 2015 22:05:58 +0100 + linux (4.2.6-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch b/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch new file mode 100644 index 000000000..3fd39214e --- /dev/null +++ b/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch @@ -0,0 +1,75 @@ +From: Paolo Bonzini +Date: Tue, 10 Nov 2015 05:25:00 -0700 +Subject: KVM: svm: unconditionally intercept #DB +Origin: https://bugzilla.novell.com/attachment.cgi?id=655404 + +This is needed to avoid the possibility that the guest triggers +an infinite stream of #DB exceptions (CVE-2015-8104). + +VMX is not affected: because it does not save DR6 in the VMCS, +it already intercepts #DB unconditionally. + +Reported-by: Jan Beulich +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +--- + arch/x86/kvm/svm.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); + set_exception_intercept(svm, AC_VECTOR); ++ set_exception_intercept(svm, DB_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v + mark_dirty(svm->vmcb, VMCB_SEG); + } + +-static void update_db_bp_intercept(struct kvm_vcpu *vcpu) ++static void update_bp_intercept(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); + +- clr_exception_intercept(svm, DB_VECTOR); + clr_exception_intercept(svm, BP_VECTOR); + +- if (svm->nmi_singlestep) +- set_exception_intercept(svm, DB_VECTOR); +- + if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { +- if (vcpu->guest_debug & +- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) +- set_exception_intercept(svm, DB_VECTOR); + if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) + set_exception_intercept(svm, BP_VECTOR); + } else +@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s + if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) + svm->vmcb->save.rflags &= + ~(X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(&svm->vcpu); + } + + if (svm->vcpu.guest_debug & +@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm + */ + svm->nmi_singlestep = true; + svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(vcpu); + } + + static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) +@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = + .vcpu_load = svm_vcpu_load, + .vcpu_put = svm_vcpu_put, + +- .update_db_bp_intercept = update_db_bp_intercept, ++ .update_db_bp_intercept = update_bp_intercept, + .get_msr = svm_get_msr, + .set_msr = svm_set_msr, + .get_segment_base = svm_get_segment_base, diff --git a/debian/patches/series b/debian/patches/series index 14939bfef..059206c4b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -108,3 +108,4 @@ bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch +bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch