[kernel] r22288 - in dists/sid/linux/debian: . patches patches/bugfix/x86
Ben Hutchings
benh at moszumanska.debian.org
Tue Jan 27 03:28:25 UTC 2015
Author: benh
Date: Tue Jan 27 03:28:25 2015
New Revision: 22288
Log:
[x86] KVM security fixes
Added:
dists/sid/linux/debian/patches/bugfix/x86/kvm-x86-fix-of-previously-incomplete-fix-for-cve-201.patch
dists/sid/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Tue Jan 27 02:35:59 2015 (r22287)
+++ dists/sid/linux/debian/changelog Tue Jan 27 03:28:25 2015 (r22288)
@@ -17,6 +17,8 @@
- prefix module autoloading with "crypto-"
- include crypto- module prefix in template
- add missing crypto module aliases
+ * [x86] KVM: Fix of previously incomplete fix for CVE-2014-8480
+ * [x86] KVM: SYSENTER emulation is broken (CVE-2015-0239)
-- Ian Campbell <ijc at debian.org> Fri, 16 Jan 2015 15:14:32 +0000
Added: dists/sid/linux/debian/patches/bugfix/x86/kvm-x86-fix-of-previously-incomplete-fix-for-cve-201.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/x86/kvm-x86-fix-of-previously-incomplete-fix-for-cve-201.patch Tue Jan 27 03:28:25 2015 (r22288)
@@ -0,0 +1,28 @@
+From: Nadav Amit <nadav.amit at gmail.com>
+Date: Thu, 8 Jan 2015 11:59:03 +0100
+Subject: KVM: x86: Fix of previously incomplete fix for CVE-2014-8480
+Origin: https://git.kernel.org/linus/63ea0a49ae0b145b91ff2b070c01b66fc75854b9
+
+STR and SLDT with rip-relative operand can cause a host kernel oops.
+Mark them as DstMem as well.
+
+Cc: stable at vger.linux.org
+Signed-off-by: Nadav Amit <namit at cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/emulate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3737,8 +3737,8 @@ static const struct opcode group5[] = {
+ };
+
+ static const struct opcode group6[] = {
+- DI(Prot, sldt),
+- DI(Prot, str),
++ DI(Prot | DstMem, sldt),
++ DI(Prot | DstMem, str),
+ II(Prot | Priv | SrcMem16, em_lldt, lldt),
+ II(Prot | Priv | SrcMem16, em_ltr, ltr),
+ N, N, N, N,
Added: dists/sid/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch Tue Jan 27 03:28:25 2015 (r22288)
@@ -0,0 +1,78 @@
+From: Nadav Amit <namit at cs.technion.ac.il>
+Date: Thu, 1 Jan 2015 23:11:11 +0200
+Subject: KVM: x86: SYSENTER emulation is broken
+Origin: https://git.kernel.org/linus/f3747379accba8e95d70cec0eae0582c8c182050
+
+SYSENTER emulation is broken in several ways:
+1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
+2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
+ still be set without causing #GP).
+3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
+ legacy-mode.
+4. There is some unneeded code.
+
+Fix it.
+
+Cc: stable at vger.linux.org
+Signed-off-by: Nadav Amit <namit at cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 3.16: adjust context]
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2302,7 +2302,7 @@ static int em_sysenter(struct x86_emulat
+ * Not recognized on AMD in compat mode (but is recognized in legacy
+ * mode).
+ */
+- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
+ && !vendor_intel(ctxt))
+ return emulate_ud(ctxt);
+
+@@ -2315,25 +2315,13 @@ static int em_sysenter(struct x86_emulat
+ setup_syscalls_segments(ctxt, &cs, &ss);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+- switch (ctxt->mode) {
+- case X86EMUL_MODE_PROT32:
+- if ((msr_data & 0xfffc) == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- case X86EMUL_MODE_PROT64:
+- if (msr_data == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- default:
+- break;
+- }
++ if ((msr_data & 0xfffc) == 0x0)
++ return emulate_gp(ctxt, 0);
+
+ ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+- cs_sel = (u16)msr_data;
+- cs_sel &= ~SELECTOR_RPL_MASK;
++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
+ ss_sel = cs_sel + 8;
+- ss_sel &= ~SELECTOR_RPL_MASK;
+- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
++ if (efer & EFER_LMA) {
+ cs.d = 0;
+ cs.l = 1;
+ }
+@@ -2342,10 +2330,11 @@ static int em_sysenter(struct x86_emulat
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
+- ctxt->_eip = msr_data;
++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
+- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
++ (u32)msr_data;
+
+ return X86EMUL_CONTINUE;
+ }
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Tue Jan 27 02:35:59 2015 (r22287)
+++ dists/sid/linux/debian/patches/series Tue Jan 27 03:28:25 2015 (r22288)
@@ -492,3 +492,5 @@
bugfix/all/crypto-prefix-module-autoloading-with-crypto.patch
bugfix/all/crypto-include-crypto-module-prefix-in-template.patch
bugfix/all/crypto-add-missing-crypto-module-aliases.patch
+bugfix/x86/kvm-x86-fix-of-previously-incomplete-fix-for-cve-201.patch
+bugfix/x86/kvm-x86-sysenter-emulation-is-broken.patch
More information about the Kernel-svn-changes
mailing list