[kernel] r13377 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Thu Apr 9 04:48:01 UTC 2009


Author: dannf
Date: Thu Apr  9 04:47:59 2009
New Revision: 13377

Log:
KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-inhibit-EFER-access.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Apr  8 21:28:01 2009	(r13376)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Apr  9 04:47:59 2009	(r13377)
@@ -9,6 +9,7 @@
   * Fix an off-by-two memory error in console selection (CVE-2009-1046)
   * nfsd: drop CAP_MKNOD for non-root (CVE-2009-1072)
   * af_rose/x25: Sanity check the maximum user frame size (CVE-2009-1265)
+  * KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
 
  -- dann frazier <dannf at debian.org>  Fri, 03 Apr 2009 19:12:51 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-inhibit-EFER-access.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-inhibit-EFER-access.patch	Thu Apr  9 04:47:59 2009	(r13377)
@@ -0,0 +1,35 @@
+commit 16175a796d061833aacfbd9672235f2d2725df65
+Author: Avi Kivity <avi at redhat.com>
+Date:   Mon Mar 23 22:13:44 2009 +0200
+
+    KVM: VMX: Don't allow uninhibited access to EFER on i386
+    
+    vmx_set_msr() does not allow i386 guests to touch EFER, but they can still
+    do so through the default: label in the switch.  If they set EFER_LME, they
+    can oops the host.
+    
+    Fix by having EFER access through the normal channel (which will check for
+    EFER_LME) even on i386.
+    
+    Reported-and-tested-by: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+    Cc: stable at kernel.org
+    Signed-off-by: Avi Kivity <avi at redhat.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/vmx.c linux-source-2.6.26/arch/x86/kvm/vmx.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/vmx.c	2009-03-25 17:20:38.000000000 -0600
++++ linux-source-2.6.26/arch/x86/kvm/vmx.c	2009-04-08 22:28:20.000000000 -0600
+@@ -890,11 +890,11 @@ static int vmx_set_msr(struct kvm_vcpu *
+ 	int ret = 0;
+ 
+ 	switch (msr_index) {
+-#ifdef CONFIG_X86_64
+ 	case MSR_EFER:
+ 		vmx_load_host_state(vmx);
+ 		ret = kvm_set_msr_common(vcpu, msr_index, data);
+ 		break;
++#ifdef CONFIG_X86_64
+ 	case MSR_FS_BASE:
+ 		vmcs_writel(GUEST_FS_BASE, data);
+ 		break;
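Review bot: with `#ifdef CONFIG_X86_64` moved below the `case MSR_EFER:` block in vmx_set_msr(), the whole fix on i386 rests on the EFER_LME check that the commit message attributes to kvm_set_msr_common(), and that check is not visible in this hunk. Because this is a backport ("Adjusted to apply to Debian's 2.6.26"), please confirm that the 2.6.26 version of kvm_set_msr_common() actually rejects EFER_LME for 32-bit guests, and that vmx_load_host_state(), which is now also called on i386 builds, compiles and is safe there. It would also help to state in the "Adjusted to apply" line what differs from upstream commit 16175a796d061833aacfbd9672235f2d2725df65, so the next person rebasing the series can tell a context-only adjustment from a functional one.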

Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Wed Apr  8 21:28:01 2009	(r13376)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Thu Apr  9 04:47:59 2009	(r13377)
@@ -5,3 +5,4 @@
 + bugfix/all/fix-off-by-2-error-in-console-selection.patch
 + bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch
 + bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
++ bugfix/x86/kvm-vmx-inhibit-EFER-access.patch


