[x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
This commit is contained in:
parent
c6b1f1b2b1
commit
5745d97d88
|
@ -244,6 +244,7 @@ linux (4.9.4-1) UNRELEASED; urgency=medium
|
|||
* sysctl: Drop reference added by grab_header in proc_sys_readdir
|
||||
(CVE-2016-9191)
|
||||
* tmpfs: clear S_ISGID when setting posix ACLs
|
||||
* [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Mon, 16 Jan 2017 09:26:13 +0100
|
||||
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
From: Steve Rutherford <srutherford@google.com>
|
||||
Date: Wed, 11 Jan 2017 18:28:29 -0800
|
||||
Subject: KVM: x86: Introduce segmented_write_std
|
||||
Origin: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d
|
||||
|
||||
Introduces segemented_write_std.
|
||||
|
||||
Switches from emulated reads/writes to standard read/writes in fxsave,
|
||||
fxrstor, sgdt, and sidt. This fixes CVE-2017-2584, a longstanding
|
||||
kernel memory leak.
|
||||
|
||||
Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
|
||||
2016-11-09), which is luckily not yet in any final release, this would
|
||||
also be an exploitable kernel memory *write*!
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 96051572c819194c37a8367624b285be10297eca
|
||||
Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
|
||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Steve Rutherford <srutherford@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
[carnil: backport for 4.9, changes only before 283c95d0e389 in 4.10-rc1]
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 22 ++++++++++++++++++----
|
||||
1 file changed, 18 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -791,6 +791,20 @@ static int segmented_read_std(struct x86
|
||||
return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
|
||||
}
|
||||
|
||||
+static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
|
||||
+ struct segmented_address addr,
|
||||
+ void *data,
|
||||
+ unsigned int size)
|
||||
+{
|
||||
+ int rc;
|
||||
+ ulong linear;
|
||||
+
|
||||
+ rc = linearize(ctxt, addr, size, true, &linear);
|
||||
+ if (rc != X86EMUL_CONTINUE)
|
||||
+ return rc;
|
||||
+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Prefetch the remaining bytes of the instruction without crossing page
|
||||
* boundary if they are not in fetch_cache yet.
|
||||
@@ -3658,8 +3672,8 @@ static int emulate_store_desc_ptr(struct
|
||||
}
|
||||
/* Disable writeback. */
|
||||
ctxt->dst.type = OP_NONE;
|
||||
- return segmented_write(ctxt, ctxt->dst.addr.mem,
|
||||
- &desc_ptr, 2 + ctxt->op_bytes);
|
||||
+ return segmented_write_std(ctxt, ctxt->dst.addr.mem,
|
||||
+ &desc_ptr, 2 + ctxt->op_bytes);
|
||||
}
|
||||
|
||||
static int em_sgdt(struct x86_emulate_ctxt *ctxt)
|
|
@ -97,6 +97,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch
|
||||
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
|
||||
bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue