[kernel] r14809 - in dists/lenny/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 24 07:14:09 UTC 2009


Author: dannf
Date: Thu Dec 24 07:14:00 2009
New Revision: 14809

Log:
KVM: x86 emulator: limit instructions to 15 bytes (CVE-2009-4031)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-limit-instructions-to-15-bytes.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/21

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Thu Dec 24 06:42:09 2009	(r14808)
+++ dists/lenny/linux-2.6/debian/changelog	Thu Dec 24 07:14:00 2009	(r14809)
@@ -33,6 +33,7 @@
   * Avoid /proc/$pid/maps visibility during initial setuid ELF loading
     (CVE-2009-2691)
   * hfs: fix a potential buffer overflow (CVE-2009-4020)
+  * KVM: x86 emulator: limit instructions to 15 bytes (CVE-2009-4031)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 24 Oct 2009 23:45:45 +0100
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-limit-instructions-to-15-bytes.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-limit-instructions-to-15-bytes.patch	Thu Dec 24 07:14:00 2009	(r14809)
@@ -0,0 +1,49 @@
+commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb
+Author: Avi Kivity <avi at redhat.com>
+Date:   Tue Nov 24 15:20:15 2009 +0200
+
+    KVM: x86 emulator: limit instructions to 15 bytes
+    
+    While we are never normally passed an instruction that exceeds 15 bytes,
+    smp games can cause us to attempt to interpret one, which will cause
+    large latencies in non-preempt hosts.
+    
+    Cc: stable at kernel.org
+    Signed-off-by: Avi Kivity <avi at redhat.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c linux-source-2.6.26/arch/x86/kvm/x86_emulate.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c	2009-10-17 11:09:10.000000000 -0600
++++ linux-source-2.6.26/arch/x86/kvm/x86_emulate.c	2009-12-24 00:03:23.000000000 -0700
+@@ -544,6 +544,9 @@ static int do_insn_fetch(struct x86_emul
+ {
+ 	int rc = 0;
+ 
++	/* x86 instructions are limited to 15 bytes. */
++	if (eip + size - ctxt->decode.eip_orig > 15)
++		return X86EMUL_UNHANDLEABLE;
+ 	eip += ctxt->cs_base;
+ 	while (size--) {
+ 		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
+@@ -837,7 +840,7 @@ x86_decode_insn(struct x86_emulate_ctxt 
+ 	/* Shadow copy of register state. Committed on successful emulation. */
+ 
+ 	memset(c, 0, sizeof(struct decode_cache));
+-	c->eip = ctxt->vcpu->arch.rip;
++	c->eip = c->eip_orig = ctxt->vcpu->arch.rip;
+ 	memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
+ 
+ 	switch (mode) {
+diff -urpN linux-source-2.6.26.orig/include/asm-x86/kvm_x86_emulate.h linux-source-2.6.26/include/asm-x86/kvm_x86_emulate.h
+--- linux-source-2.6.26.orig/include/asm-x86/kvm_x86_emulate.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-x86/kvm_x86_emulate.h	2009-12-24 00:02:04.000000000 -0700
+@@ -127,7 +127,7 @@ struct decode_cache {
+ 	unsigned long *override_base;
+ 	unsigned int d;
+ 	unsigned long regs[NR_VCPU_REGS];
+-	unsigned long eip;
++	unsigned long eip, eip_orig;
+ 	/* modrm */
+ 	u8 modrm;
+ 	u8 modrm_mod;
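Review bot: The bound on the new line `if (eip + size - ctxt->decode.eip_orig > 15)` in do_insn_fetch is a bare magic number; I would lift it to a named constant next to the comment, e.g. `#define KVM_X86_MAX_INSN_BYTES 15 /* architectural limit; longer encodings #UD */` (name chosen here) and compare against that, so the header comment and the check cannot drift apart. The comparison relies on eip never being below eip_orig; since both are unsigned long, a backwards eip would wrap the difference to a huge value and reject the fetch, which is fail-safe, but a one-line comment stating that ordering assumption would help the next backporter. eip_orig is only assigned in the x86_decode_insn hunk, so any other path that sets c->eip (none visible in this patch) would leave it at the zero from the memset above and make this check reject almost every fetch; worth confirming against the rest of the 2.6.26 emulator. do_insn_fetch's body continues outside the hunk.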

Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21	Thu Dec 24 06:42:09 2009	(r14808)
+++ dists/lenny/linux-2.6/debian/patches/series/21	Thu Dec 24 07:14:00 2009	(r14809)
@@ -38,3 +38,4 @@
 + features/all/atl1e-allow-offload-disable.patch
 + bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
 + bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
++ bugfix/x86/kvm-limit-instructions-to-15-bytes.patch


