diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-01-27 12:16:46 -0500 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-01-27 12:16:46 -0500 |
commit | aaa68966b75727e056e7bccdafc0f4e803b9a290 (patch) | |
tree | aa4e5b993424d7abf19c71e21d420db89db5b418 | |
parent | aa7180f4aa2d1b3b1ad705be84cb39b9ee8da744 (diff) | |
download | kernel-aaa68966b75727e056e7bccdafc0f4e803b9a290.tar.gz kernel-aaa68966b75727e056e7bccdafc0f4e803b9a290.tar.xz kernel-aaa68966b75727e056e7bccdafc0f4e803b9a290.zip |
CVE-2015-0239 kvm: insufficient sysenter emulation from 16-bit (rhbz 1186448 1186453)
-rw-r--r-- | KVM-x86-SYSENTER-emulation-is-broken.patch | 81 | ||||
-rw-r--r-- | kernel.spec | 10 |
2 files changed, 91 insertions, 0 deletions
diff --git a/KVM-x86-SYSENTER-emulation-is-broken.patch b/KVM-x86-SYSENTER-emulation-is-broken.patch new file mode 100644 index 00000000..bda8f9e8 --- /dev/null +++ b/KVM-x86-SYSENTER-emulation-is-broken.patch @@ -0,0 +1,81 @@ +From: Nadav Amit <namit@cs.technion.ac.il> +Date: Thu, 1 Jan 2015 23:11:11 +0200 +Subject: [PATCH] KVM: x86: SYSENTER emulation is broken + +SYSENTER emulation is broken in several ways: +1. It misses the case of 16-bit code segments completely (CVE-2015-0239). +2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can + still be set without causing #GP). +3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in + legacy-mode. +4. There is some unneeded code. + +Fix it. + +Cc: stable@vger.linux.org +Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + arch/x86/kvm/emulate.c | 27 ++++++++------------------- + 1 file changed, 8 insertions(+), 19 deletions(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 22e7ed9e6d8e..ac640d47c28d 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + * Not recognized on AMD in compat mode (but is recognized in legacy + * mode). + */ +- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA) ++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA) + && !vendor_intel(ctxt)) + return emulate_ud(ctxt); + +@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + setup_syscalls_segments(ctxt, &cs, &ss); + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +- switch (ctxt->mode) { +- case X86EMUL_MODE_PROT32: +- if ((msr_data & 0xfffc) == 0x0) +- return emulate_gp(ctxt, 0); +- break; +- case X86EMUL_MODE_PROT64: +- if (msr_data == 0x0) +- return emulate_gp(ctxt, 0); +- break; +- default: +- break; +- } ++ if ((msr_data & 0xfffc) == 0x0) ++ return emulate_gp(ctxt, 0); + + ctxt->eflags &= ~(EFLG_VM | EFLG_IF); +- cs_sel = (u16)msr_data; +- cs_sel &= ~SELECTOR_RPL_MASK; ++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK; + ss_sel = cs_sel + 8; +- ss_sel &= ~SELECTOR_RPL_MASK; +- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) { ++ if (efer & EFER_LMA) { + cs.d = 0; + cs.l = 1; + } +@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data); +- ctxt->_eip = msr_data; ++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data; + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data); +- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data; ++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data : ++ (u32)msr_data; + + return X86EMUL_CONTINUE; + } +-- +2.1.0 + diff --git a/kernel.spec b/kernel.spec index c5364459..3d4234a9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -653,6 +653,10 @@ Patch30001: mpssd-x86-only.patch Patch30002: stable-3.18.4-queue.patch Patch30003: xhci-check-if-slot-is-already-in-default-state.patch +#CVE-2015-0239 rhbz 1186448 1186453 +Patch30004: KVM-x86-SYSENTER-emulation-is-broken.patch + + # END OF PATCH DEFINITIONS %endif @@ -1411,6 +1415,9 @@ ApplyPatch mpssd-x86-only.patch ApplyPatch stable-3.18.4-queue.patch ApplyPatch xhci-check-if-slot-is-already-in-default-state.patch +#CVE-2015-0239 rhbz 1186448 1186453 +ApplyPatch KVM-x86-SYSENTER-emulation-is-broken.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2281,6 +2288,9 @@ fi # ||----w | # || || %changelog +* Tue Jan 27 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-0239 kvm: insufficient sysenter emulation from 16-bit (rhbz 1186448 1186453) + * Mon Jan 19 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.3-201 - Add fixes from 3.18.4 queue to fix i915 issues (rhbz 1183232) - xhci: Check if slot is already in default state before moving it there (rhbz 1183289) |