debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

[x86] KVM: Introduce segmented_write_std (CVE-2017-2584)

This commit is contained in:
Salvatore Bonaccorso 2017-01-19 12:55:51 +01:00
parent c6b1f1b2b1
commit 5745d97d88
3 changed files with 63 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
debian/changelog vendored
View File

@ -244,6 +244,7 @@ linux (4.9.4-1) UNRELEASED; urgency=medium
* sysctl: Drop reference added by grab_header in proc_sys_readdir
(CVE-2016-9191)
* tmpfs: clear S_ISGID when setting posix ACLs
* [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
-- Salvatore Bonaccorso <carnil@debian.org> Mon, 16 Jan 2017 09:26:13 +0100

61
debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch vendored Normal file
View File

@ -0,0 +1,61 @@
From: Steve Rutherford <srutherford@google.com>
Date: Wed, 11 Jan 2017 18:28:29 -0800
Subject: KVM: x86: Introduce segmented_write_std
Origin: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d
Introduces segemented_write_std.
Switches from emulated reads/writes to standard read/writes in fxsave,
fxrstor, sgdt, and sidt. This fixes CVE-2017-2584, a longstanding
kernel memory leak.
Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
2016-11-09), which is luckily not yet in any final release, this would
also be an exploitable kernel memory *write*!
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: 96051572c819194c37a8367624b285be10297eca
Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Steve Rutherford <srutherford@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[carnil: backport for 4.9, changes only before 283c95d0e389 in 4.10-rc1]
---
arch/x86/kvm/emulate.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -791,6 +791,20 @@ static int segmented_read_std(struct x86
return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
}
+static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
+ struct segmented_address addr,
+ void *data,
+ unsigned int size)
+{
+ int rc;
+ ulong linear;
+
+ rc = linearize(ctxt, addr, size, true, &linear);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
+}
+
/*
* Prefetch the remaining bytes of the instruction without crossing page
* boundary if they are not in fetch_cache yet.
@@ -3658,8 +3672,8 @@ static int emulate_store_desc_ptr(struct
}
/* Disable writeback. */
ctxt->dst.type = OP_NONE;
- return segmented_write(ctxt, ctxt->dst.addr.mem,
- &desc_ptr, 2 + ctxt->op_bytes);
+ return segmented_write_std(ctxt, ctxt->dst.addr.mem,
+ &desc_ptr, 2 + ctxt->op_bytes);
}
static int em_sgdt(struct x86_emulate_ctxt *ctxt)

1
debian/patches/series vendored
View File

@ -97,6 +97,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch