From patchwork Fri Jan 26 16:57:57 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 866495
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][PATCH 1/1] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
Date: Fri, 26 Jan 2018 17:57:57 +0100
Message-Id: <20180126165758.5977-2-kleber.souza@canonical.com>
In-Reply-To: <20180126165758.5977-1-kleber.souza@canonical.com>
References: <20180126165758.5977-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Andrew Honig This fixes CVE-2017-1000407. KVM allows guests to directly access I/O port 0x80 on Intel hosts. If the guest floods this port with writes it generates exceptions and instability in the host kernel, leading to a crash. With this change guest writes to port 0x80 on Intel will behave the same as they currently behave on AMD systems. Prevent the flooding by removing the code that sets port 0x80 as a passthrough port. This is essentially the same as upstream patch 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was for AMD chipsets and this patch is for Intel. Signed-off-by: Andrew Honig Signed-off-by: Jim Mattson Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs") Cc: Signed-off-by: Radim Krčmář CVE-2017-1000407 (backported from commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream) Signed-off-by: Kleber Sacilotto de Souza --- arch/x86/kvm/vmx.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 36af261a7dee..8454a201bd64 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -8719,12 +8719,7 @@ static int __init vmx_init(void) for (i = 0; i < max_shadow_read_only_fields; i++) clear_bit(shadow_read_only_fields[i], vmx_vmread_bitmap); - /* - * Allow direct access to the PC debug port (it is often used for I/O - * delays, but the vmexits simply slow things down). - */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); - clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
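Review bot: The deletion in vmx_init() is a complete fix for the described behaviour as far as this hunk shows: with `clear_bit(0x80, vmx_io_bitmap_a);` gone, the preceding `memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);` leaves every bit of bitmap A set, so guest accesses to port 0x80 now cause a VM exit and are handled like every other port, matching the stated AMD behaviour and the 5-deletion diffstat. One thing the SRU justification should record explicitly is the cost the removed comment acknowledged: guests that use port 0x80 for I/O delays will now take a VM exit per write, which is the intended trade-off for host stability but is only implied by the commit message.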
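The mechanism the patch touches is the VMX I/O bitmap pair: one bit per port, a set bit meaning the access VM-exits and a clear bit meaning the guest reaches the port directly. The following C model is an added example and not kernel code; it assumes the documented hardware layout (bitmap A covers ports 0x0000-0x7fff, bitmap B covers 0x8000-0xffff) and uses its own names (`io_bitmaps`, `io_port_intercepted`, `port_intercepted_before_fix`, `port_intercepted_after_fix`, `passthrough_count_*`). It reproduces the two `memset` calls and the removed `clear_bit` from the hunk so the before and after configurations can be compared.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two VMX I/O bitmaps (assumption: 4 KiB each,
 * bitmap A for ports 0x0000-0x7fff, bitmap B for ports 0x8000-0xffff).
 * Set bit = access causes a VM exit; clear bit = guest accesses the port
 * directly. Bits are numbered little-endian within bytes, which for bit
 * 0x80 (byte 16, bit 0) gives the same result as the kernel's clear_bit(). */
#define IO_BITMAP_BYTES 4096

struct io_bitmaps {
    uint8_t a[IO_BITMAP_BYTES];
    uint8_t b[IO_BITMAP_BYTES];
};

static void bitmap_clear_bit(uint8_t *map, unsigned int bit)
{
    map[bit / 8] &= (uint8_t)~(1u << (bit % 8));
}

static bool bitmap_test_bit(const uint8_t *map, unsigned int bit)
{
    return (map[bit / 8] >> (bit % 8)) & 1u;
}

/* Pre-patch initialisation: every port traps except the PC debug port. */
void io_bitmaps_init_before_fix(struct io_bitmaps *m)
{
    memset(m->a, 0xff, IO_BITMAP_BYTES);
    bitmap_clear_bit(m->a, 0x80);   /* the passthrough the patch removes */
    memset(m->b, 0xff, IO_BITMAP_BYTES);
}

/* Post-patch initialisation: the clear_bit is gone, so every port traps. */
void io_bitmaps_init_after_fix(struct io_bitmaps *m)
{
    memset(m->a, 0xff, IO_BITMAP_BYTES);
    memset(m->b, 0xff, IO_BITMAP_BYTES);
}

/* Mirrors the hardware decision: does a guest access to `port` VM-exit? */
bool io_port_intercepted(const struct io_bitmaps *m, uint16_t port)
{
    if (port < 0x8000)
        return bitmap_test_bit(m->a, port);
    return bitmap_test_bit(m->b, (unsigned int)port - 0x8000);
}

/* Number of ports the guest can hit without a VM exit. */
static unsigned int io_passthrough_count(const struct io_bitmaps *m)
{
    unsigned int n = 0;
    for (unsigned int p = 0; p <= 0xffff; p++)
        if (!io_port_intercepted(m, (uint16_t)p))
            n++;
    return n;
}

bool port_intercepted_before_fix(uint16_t port)
{
    struct io_bitmaps m;
    io_bitmaps_init_before_fix(&m);
    return io_port_intercepted(&m, port);
}

bool port_intercepted_after_fix(uint16_t port)
{
    struct io_bitmaps m;
    io_bitmaps_init_after_fix(&m);
    return io_port_intercepted(&m, port);
}

unsigned int passthrough_count_before_fix(void)
{
    struct io_bitmaps m;
    io_bitmaps_init_before_fix(&m);
    return io_passthrough_count(&m);
}

unsigned int passthrough_count_after_fix(void)
{
    struct io_bitmaps m;
    io_bitmaps_init_after_fix(&m);
    return io_passthrough_count(&m);
}

int main(void)
{
    printf("port 0x80 intercepted before fix: %d, after fix: %d\n",
           port_intercepted_before_fix(0x80), port_intercepted_after_fix(0x80));
    printf("passthrough ports before fix: %u, after fix: %u\n",
           passthrough_count_before_fix(), passthrough_count_after_fix());
    return 0;
}
```

Running the model shows exactly one passthrough port (0x80) before the change and none after it, which is the whole effect of the five deleted lines: the host no longer has a port on which a guest can generate unbounded direct writes.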