[kernel] r13378 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Thu Apr 9 04:49:26 UTC 2009


Author: dannf
Date: Thu Apr  9 04:49:24 2009
New Revision: 13378

Log:
KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Thu Apr  9 04:47:59 2009	(r13377)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Thu Apr  9 04:49:24 2009	(r13378)
@@ -25,6 +25,7 @@
     This issue does not effect pre-build Debian kernels.
   * Fix an off-by-two memory error in console selection (CVE-2009-1046)
   * af_rose/x25: Sanity check the maximum user frame size (CVE-2009-1265)
+  * KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
 
  -- dann frazier <dannf at debian.org>  Tue, 24 Feb 2009 23:25:36 -0700
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/kvm-vmx-inhibit-EFER-access.patch	Thu Apr  9 04:49:24 2009	(r13378)
@@ -0,0 +1,36 @@
+commit 16175a796d061833aacfbd9672235f2d2725df65
+Author: Avi Kivity <avi at redhat.com>
+Date:   Mon Mar 23 22:13:44 2009 +0200
+
+    KVM: VMX: Don't allow uninhibited access to EFER on i386
+    
+    vmx_set_msr() does not allow i386 guests to touch EFER, but they can still
+    do so through the default: label in the switch.  If they set EFER_LME, they
+    can oops the host.
+    
+    Fix by having EFER access through the normal channel (which will check for
+    EFER_LME) even on i386.
+    
+    Reported-and-tested-by: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+    Cc: stable at kernel.org
+    Signed-off-by: Avi Kivity <avi at redhat.com>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN a/drivers/kvm/vmx.c b/drivers/kvm/vmx.c
+--- a/drivers/kvm/vmx.c	2008-01-24 15:58:37.000000000 -0700
++++ b/drivers/kvm/vmx.c	2009-04-08 22:46:00.000000000 -0600
+@@ -709,12 +709,12 @@ static int vmx_set_msr(struct kvm_vcpu *
+ 	int ret = 0;
+ 
+ 	switch (msr_index) {
+-#ifdef CONFIG_X86_64
+ 	case MSR_EFER:
+ 		ret = kvm_set_msr_common(vcpu, msr_index, data);
+ 		if (vmx->host_state.loaded)
+ 			load_transition_efer(vmx);
+ 		break;
++#ifdef CONFIG_X86_64
+ 	case MSR_FS_BASE:
+ 		vmcs_writel(GUEST_FS_BASE, data);
+ 		break;
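
Review bot: In vmx_set_msr(), moving `#ifdef CONFIG_X86_64` below the MSR_EFER case means `load_transition_efer(vmx)` and `vmx->host_state.loaded` are now compiled into this switch on i386 as well. The hunk does not show whether both are defined outside CONFIG_X86_64 in the 2.6.24 tree this was adjusted for, so the backport should be confirmed with an i386 build. A short comment above `case MSR_EFER:` saying it must stay outside the #ifdef, so that i386 guests cannot reach EFER through the default: label, would also keep a later cleanup from moving it back.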

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1	Thu Apr  9 04:47:59 2009	(r13377)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1	Thu Apr  9 04:49:24 2009	(r13378)
@@ -78,3 +78,4 @@
 + bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
 + bugfix/all/fix-off-by-2-error-in-console-selection.patch
 + bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
++ bugfix/kvm-vmx-inhibit-EFER-access.patch
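
Review bot: The new series entry `+ bugfix/kvm-vmx-inhibit-EFER-access.patch` sits directly under bugfix/, while the three entries above it in this hunk all live under bugfix/all/. The path does match where the file is added in this revision, so the series applies, but for consistency consider moving the patch into the subdirectory the neighbouring fixes use (or an arch-specific one, since it only touches drivers/kvm/vmx.c) and updating this line to match.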


