[kernel] r14298 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Fri Sep 25 19:18:33 UTC 2009


Author: dannf
Date: Fri Sep 25 19:18:31 2009
New Revision: 14298

Log:
* KVM: x86: Disallow hypercalls for guest callers in rings > 0
  (CVE-2009-3290)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/19lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Sep 25 19:11:34 2009	(r14297)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Sep 25 19:18:31 2009	(r14298)
@@ -2,6 +2,8 @@
 
   * appletalk: Fix skb leak when ipddp interface is not loaded
     (CVE-2009-2903)
+  * KVM: x86: Disallow hypercalls for guest callers in rings > 0
+    (CVE-2009-3290)
 
  -- dann frazier <dannf at debian.org>  Tue, 15 Sep 2009 22:54:06 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch	Fri Sep 25 19:18:31 2009	(r14298)
@@ -0,0 +1,55 @@
+commit 07708c4af1346ab1521b26a202f438366b7bcffd
+Author: Jan Kiszka <jan.kiszka at siemens.com>
+Date:   Mon Aug 3 18:43:28 2009 +0200
+
+    KVM: x86: Disallow hypercalls for guest callers in rings > 0
+    
+    So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
+    hypercalls. Normally, such callers cannot provide any hand-crafted MMU
+    command structure as it has to be passed by its physical address, but
+    they can still crash the guest kernel by passing random addresses.
+    
+    To close the hole, this patch considers hypercalls valid only if issued
+    from guest ring 0. This may still be relaxed on a per-hypercall base in
+    the future once required.
+    
+    Cc: stable at kernel.org
+    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
+    Signed-off-by: Avi Kivity <avi at redhat.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86.c linux-source-2.6.26/arch/x86/kvm/x86.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86.c	2009-08-18 23:15:14.000000000 -0600
++++ linux-source-2.6.26/arch/x86/kvm/x86.c	2009-09-24 11:40:09.000000000 -0600
+@@ -2532,6 +2532,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ 		a3 &= 0xFFFFFFFF;
+ 	}
+ 
++	if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++		ret = -KVM_EPERM;
++		goto out;
++	}
++
+ 	switch (nr) {
+ 	case KVM_HC_VAPIC_POLL_IRQ:
+ 		ret = 0;
+@@ -2543,6 +2548,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ 		ret = -KVM_ENOSYS;
+ 		break;
+ 	}
++out:
+ 	vcpu->arch.regs[VCPU_REGS_RAX] = ret;
+ 	kvm_x86_ops->decache_regs(vcpu);
+ 	++vcpu->stat.hypercalls;
+diff -urpN linux-source-2.6.26.orig/include/linux/kvm_para.h linux-source-2.6.26/include/linux/kvm_para.h
+--- linux-source-2.6.26.orig/include/linux/kvm_para.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/kvm_para.h	2009-09-24 11:37:19.000000000 -0600
+@@ -13,6 +13,7 @@
+ #define KVM_ENOSYS		1000
+ #define KVM_EFAULT		EFAULT
+ #define KVM_E2BIG		E2BIG
++#define KVM_EPERM		EPERM
+ 
+ #define KVM_HC_VAPIC_POLL_IRQ		1
+ #define KVM_HC_MMU_OP			2
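Review bot: The new CPL guard in `kvm_emulate_hypercall` carries no comment, so a later reader of the backport sees an unexplained ring check sitting between the argument truncation and the `switch (nr)`; I would add, above the `if (kvm_x86_ops->get_cpl(vcpu) != 0)` line, `/* Hypercalls are a privileged guest interface: refuse callers outside ring 0 so an unprivileged guest process cannot reach e.g. the MMU hypercalls with arbitrary addresses (CVE-2009-3290). */`. The `out:` label is placed so the denied path still stores `-KVM_EPERM` in RAX, runs `decache_regs` and bumps `vcpu->stat.hypercalls`, which matches how the default `-KVM_ENOSYS` case is reported, so the early exit looks consistent. The correctness of the check rests on `kvm_x86_ops->get_cpl`, whose VMX and SVM implementations are not in this hunk; it is worth confirming the 2.6.26 backends report 0 for ring-0 and real-mode guests, since a spurious non-zero value would now refuse legitimate hypercalls with EPERM. `kvm_emulate_hypercall` begins before the hunk and continues past it.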

Modified: dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/19lenny1	Fri Sep 25 19:11:34 2009	(r14297)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny1	Fri Sep 25 19:18:31 2009	(r14298)
@@ -1,2 +1,3 @@
 + bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
 + bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
++ bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch


