[kernel] r13980 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jul 20 04:53:47 UTC 2009
Author: dannf
Date: Mon Jul 20 04:53:45 2009
New Revision: 13980
Log:
[KVM] x86: check for cr3 validity in ioctl_set_sregs
(CVE-2009-2287)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch
dists/lenny-security/linux-2.6/debian/patches/series/17lenny1
Modified:
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jul 20 04:51:12 2009 (r13979)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jul 20 04:53:45 2009 (r13980)
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.26-17lenny1) UNRELEASED; urgency=high
+
+ * [KVM] x86: check for cr3 validity in ioctl_set_sregs
+ (CVE-2009-2287)
+
+ -- dann frazier <dannf at debian.org> Sun, 05 Jul 2009 22:57:23 -0600
+
linux-2.6 (2.6.26-17) stable; urgency=high
* Revert "sata_nv: avoid link reset on controllers where it's broken"
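Review bot: the new changelog stanza targets UNRELEASED while the commit goes to dists/lenny-security; that is fine while the update is being prepared, but the distribution must be switched to the security suite before the upload is built, otherwise the package will not be accepted for the lenny security queue. The version 2.6.26-17lenny1 sorts above 2.6.26-17 as intended, and the entry's date (05 Jul) predating the commit (20 Jul) is harmless, but worth re-running `dch -r` at release time so the timestamp reflects the actual upload.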
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch Mon Jul 20 04:53:45 2009 (r13980)
@@ -0,0 +1,48 @@
+commit 59839dfff5eabca01cc4e20b45797a60a80af8cb
+Author: Marcelo Tosatti <mtosatti at redhat.com>
+Date: Thu Apr 16 08:30:44 2009 -0300
+
+ KVM: x86: check for cr3 validity in ioctl_set_sregs
+
+ Matt T. Yourst notes that kvm_arch_vcpu_ioctl_set_sregs lacks validity
+ checking for the new cr3 value:
+
+ "Userspace callers of KVM_SET_SREGS can pass a bogus value of cr3 to
+ the kernel. This will trigger a NULL pointer access in gfn_to_rmap()
+ when userspace next tries to call KVM_RUN on the affected VCPU and kvm
+ attempts to activate the new non-existent page table root.
+
+ This happens since kvm only validates that cr3 points to a valid guest
+ physical memory page when code *inside* the guest sets cr3. However, kvm
+ currently trusts the userspace caller (e.g. QEMU) on the host machine to
+ always supply a valid page table root, rather than properly validating
+ it along with the rest of the reloaded guest state."
+
+ http://sourceforge.net/tracker/?func=detail&atid=893831&aid=2687641&group_id=180599
+
+ Check for a valid cr3 address in kvm_arch_vcpu_ioctl_set_sregs, triple
+ fault in case of failure.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+ Signed-off-by: Avi Kivity <avi at redhat.com>
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index ffbb2c8..2bad49b 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3993,7 +3993,13 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
+
+ vcpu->arch.cr2 = sregs->cr2;
+ mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;
+- vcpu->arch.cr3 = sregs->cr3;
++
++ down_read(&vcpu->kvm->slots_lock);
++ if (gfn_to_memslot(vcpu->kvm, sregs->cr3 >> PAGE_SHIFT))
++ vcpu->arch.cr3 = sregs->cr3;
++ else
++ set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests);
++ up_read(&vcpu->kvm->slots_lock);
+
+ kvm_set_cr8(vcpu, sregs->cr8);
+
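Review bot: the `gfn_to_memslot` check only guards the moment KVM_SET_SREGS runs, while the crash the commit message describes happens later, at KVM_RUN, when the new root is loaded; `slots_lock` is released at `up_read` immediately after the assignment, so a memslot removed between the two ioctls leaves `vcpu->arch.cr3` pointing at a page that no longer belongs to the guest, and the same NULL access in `gfn_to_rmap()` would still be reachable. Consider validating cr3 again where the MMU actually loads the root, with the triple fault requested there, rather than relying on this check alone. A smaller point: `mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;` is still computed before the check, so a rejected cr3 forces an MMU reset even though `vcpu->arch.cr3` is left unchanged; harmless given the pending KVM_REQ_TRIPLE_FAULT, but moving the comparison inside the success branch would make the intent explicit.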
Added: dists/lenny-security/linux-2.6/debian/patches/series/17lenny1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/17lenny1 Mon Jul 20 04:53:45 2009 (r13980)
@@ -0,0 +1 @@
++ bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch