[Hardy,Karmic] CVE-2010-0435

Message ID 1296753594-5457-1-git-send-email-stefan.bader@canonical.com
State Accepted
Commit d8ad1753e66892f0f622b647c6886f7e4cb7703f

Commit Message

Stefan Bader Feb. 3, 2011, 5:19 p.m. UTC
Same patch applies to both. Dapper does not have KVM and Lucid was
fixed by an upstream stable update already. Maverick and Natty should
be fixed according to comment.

-Stefan

From 370c6b5200b04645ab1b00bad931ae899cd55471 Mon Sep 17 00:00:00 2001
From: Gleb Natapov <gleb@redhat.com>
Date: Wed, 10 Nov 2010 12:08:12 +0200
Subject: [PATCH] KVM: VMX: fix vmx null pointer dereference on debug register access

CVE-2010-0435
BugLink: http://bugs.launchpad.net/bugs/712615

There is a bug in KVM that can be used to crash a host on Intel
machines. If the emulator is tricked into emulating a mov to/from DR instruction,
it causes a NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
are not initialized. Currently this is not exploitable from guest
userspace, but a malicious guest kernel can trigger it easily.

Upstream, the bug was fixed differently around 2.6.34.

Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
(cherry-picked from commit 370c6b5200b04645ab1b00bad931ae899cd55471 2.6.32.y)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/kvm/x86.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

Comments

Tim Gardner Feb. 3, 2011, 5:54 p.m. UTC | #1
On 02/03/2011 10:19 AM, Stefan Bader wrote:
> Same patch applies to both. Dapper does not have KVM and Lucid was
> fixed by an upstream stable update already. Maverick and Natty should
> be fixed according to comment.
>
> -Stefan
>
>  From 370c6b5200b04645ab1b00bad931ae899cd55471 Mon Sep 17 00:00:00 2001
> From: Gleb Natapov<gleb@redhat.com>
> Date: Wed, 10 Nov 2010 12:08:12 +0200
> Subject: [PATCH] KVM: VMX: fix vmx null pointer dereference on debug register access
>
> CVE-2010-0435
> BugLink: http://bugs.launchpad.net/bugs/712615
>
> There is a bug in KVM that can be used to crash a host on Intel
> machines. If the emulator is tricked into emulating a mov to/from DR instruction,
> it causes a NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
> are not initialized. Currently this is not exploitable from guest
> userspace, but a malicious guest kernel can trigger it easily.
>
> Upstream, the bug was fixed differently around 2.6.34.
>
> Signed-off-by: Gleb Natapov<gleb@redhat.com>
> Signed-off-by: Avi Kivity<avi@redhat.com>
> Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
> (cherry-picked from commit 370c6b5200b04645ab1b00bad931ae899cd55471 2.6.32.y)
> Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
> ---
>   arch/x86/kvm/x86.c |    6 ++++++
>   1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 724a6ad..0990f0a 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -2782,6 +2782,9 @@ int emulator_get_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long *dest)
>   {
>   	struct kvm_vcpu *vcpu = ctxt->vcpu;
>
> +	if (!kvm_x86_ops->get_dr)
> +		return X86EMUL_UNHANDLEABLE;
> +
>   	switch (dr) {
>   	case 0 ... 3:
>   		*dest = kvm_x86_ops->get_dr(vcpu, dr);
> @@ -2797,6 +2800,9 @@ int emulator_set_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long value)
>   	unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
>   	int exception;
>
> +	if (!kvm_x86_ops->set_dr)
> +		return X86EMUL_UNHANDLEABLE;
> +
>   	kvm_x86_ops->set_dr(ctxt->vcpu, dr, value&  mask,&exception);
>   	if (exception) {
>   		/* FIXME: better handling */

Acked-by: Tim Gardner <tim.gardner@canonical.com>
Brad Figg Feb. 3, 2011, 6:12 p.m. UTC | #2
On 02/03/2011 09:19 AM, Stefan Bader wrote:
> Same patch applies to both. Dapper does not have KVM and Lucid was
> fixed by an upstream stable update already. Maverick and Natty should
> be fixed according to comment.
>
> -Stefan
>
>  From 370c6b5200b04645ab1b00bad931ae899cd55471 Mon Sep 17 00:00:00 2001
> From: Gleb Natapov<gleb@redhat.com>
> Date: Wed, 10 Nov 2010 12:08:12 +0200
> Subject: [PATCH] KVM: VMX: fix vmx null pointer dereference on debug register access
>
> CVE-2010-0435
> BugLink: http://bugs.launchpad.net/bugs/712615
>
> There is a bug in KVM that can be used to crash a host on Intel
> machines. If the emulator is tricked into emulating a mov to/from DR instruction,
> it causes a NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
> are not initialized. Currently this is not exploitable from guest
> userspace, but a malicious guest kernel can trigger it easily.
>
> Upstream, the bug was fixed differently around 2.6.34.
>
> Signed-off-by: Gleb Natapov<gleb@redhat.com>
> Signed-off-by: Avi Kivity<avi@redhat.com>
> Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
> (cherry-picked from commit 370c6b5200b04645ab1b00bad931ae899cd55471 2.6.32.y)
> Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
> ---
>   arch/x86/kvm/x86.c |    6 ++++++
>   1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 724a6ad..0990f0a 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -2782,6 +2782,9 @@ int emulator_get_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long *dest)
>   {
>   	struct kvm_vcpu *vcpu = ctxt->vcpu;
>
> +	if (!kvm_x86_ops->get_dr)
> +		return X86EMUL_UNHANDLEABLE;
> +
>   	switch (dr) {
>   	case 0 ... 3:
>   		*dest = kvm_x86_ops->get_dr(vcpu, dr);
> @@ -2797,6 +2800,9 @@ int emulator_set_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long value)
>   	unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
>   	int exception;
>
> +	if (!kvm_x86_ops->set_dr)
> +		return X86EMUL_UNHANDLEABLE;
> +
>   	kvm_x86_ops->set_dr(ctxt->vcpu, dr, value&  mask,&exception);
>   	if (exception) {
>   		/* FIXME: better handling */

Acked-by: Brad Figg <brad.figg@canonical.com>
Tim Gardner Feb. 3, 2011, 6:49 p.m. UTC | #3
applied and pushed

Patch

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 724a6ad..0990f0a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2782,6 +2782,9 @@  int emulator_get_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long *dest)
 {
 	struct kvm_vcpu *vcpu = ctxt->vcpu;
 
+	if (!kvm_x86_ops->get_dr)
+		return X86EMUL_UNHANDLEABLE;
+
 	switch (dr) {
 	case 0 ... 3:
 		*dest = kvm_x86_ops->get_dr(vcpu, dr);
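Review bot: the new `if (!kvm_x86_ops->get_dr)` test carries no comment explaining why a member of the ops table can be NULL here; the commit message says the VMX backend leaves get_dr/set_dr uninitialized, but someone reading x86.c on its own sees an unexplained NULL check on a callback table and may later remove it as dead defensive code. Suggest a one-line comment above the check, e.g. `/* VMX does not provide DR accessors; refuse emulation instead of dereferencing NULL */`, so the `X86EMUL_UNHANDLEABLE` return is understood as intentional rather than incidental.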
@@ -2797,6 +2800,9 @@  int emulator_set_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long value)
 	unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
 	int exception;
 
+	if (!kvm_x86_ops->set_dr)
+		return X86EMUL_UNHANDLEABLE;
+
 	kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);
 	if (exception) {
 		/* FIXME: better handling */
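Review bot: the `set_dr` NULL check correctly precedes the call, but `int exception;` is still passed to `kvm_x86_ops->set_dr()` uninitialized and the `/* FIXME: better handling */` branch that tests it is unchanged; if a backend's `set_dr` can return without writing `*exception`, the `if (exception)` test reads an indeterminate stack value. Initializing it (`int exception = 0;`) is a cheap safeguard to fold into this backport, and a short comment above the NULL check stating that the VMX backend leaves `set_dr` unset would keep the check from looking like unmotivated defensive code.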