[linux] 01/01: KVM: MTRR: remove MSR 0x2f8 (CVE-2016-3713)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon May 16 12:03:36 UTC 2016


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit be1c8b16ab1fab714cc14973a280cb97e9f6f273
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Mon May 16 07:33:42 2016 +0200

    KVM: MTRR: remove MSR 0x2f8 (CVE-2016-3713)
---
 debian/changelog                                   |  1 +
 .../bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch     | 43 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 45 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ec92e8f..fd4a3c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -104,6 +104,7 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
   [ Salvatore Bonaccorso ]
   * KEYS: Fix ASN.1 indefinite length object parsing (CVE-2016-0758)
   * net: fix infoleak in llc (CVE-2016-4485)
+  * KVM: MTRR: remove MSR 0x2f8 (CVE-2016-3713)
 
   [ Ben Hutchings ]
   * gencontrol.py: Fix implementation of [packages]tools config option,
diff --git a/debian/patches/bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch b/debian/patches/bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch
new file mode 100644
index 0000000..d46c782
--- /dev/null
+++ b/debian/patches/bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch
@@ -0,0 +1,43 @@
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar at redhat.com>
+Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
+
+MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
+was introduced by 9ba075a664df ("KVM: MTRR support").
+
+0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
+size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
+which made access to index 124 out of bounds.  The surrounding code only
+WARNs in this situation, thus the guest gained a limited read/write
+access to struct kvm_arch_vcpu.
+
+0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
+MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8
+was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
+not implemented in KVM, therefore 0x2f8 could never do anything useful
+and getting rid of it is safe.
+
+This fixes CVE-2016-3713.
+
+Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
+Cc: stable at vger.kernel.org
+Reported-by: David Matlack <dmatlack at google.com>
+Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
+---
+ arch/x86/kvm/mtrr.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
+index 3f8c732117ec..c146f3c262c3 100644
+--- a/arch/x86/kvm/mtrr.c
++++ b/arch/x86/kvm/mtrr.c
+@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
+ 	case MSR_MTRRdefType:
+ 	case MSR_IA32_CR_PAT:
+ 		return true;
+-	case 0x2f8:
+-		return true;
+ 	}
+ 	return false;
+ }
+-- 
+2.8.1
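Review bot: the new patch file carries only the upstream `From:`/`Subject:` headers and no DEP-3 provenance fields, so consider adding an `Origin:` line pointing at the upstream commit (id not visible here) and a `Bug:`/`Bug-Debian:` reference for CVE-2016-3713 so the backport can be traced and later refreshed. The code change itself is minimal and correct for the problem the header describes: dropping the `case 0x2f8:` arm from `msr_mtrr_valid()` makes KVM reject that MSR before any MTRR read/write path can index variable-range slot 124, which is out of bounds once the array holds only 8 entries; the `Fixes:` and `Cc: stable` tags are present, which is what a stable backport needs.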
diff --git a/debian/patches/series b/debian/patches/series
index bf28b48..a89d5d3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -144,6 +144,7 @@ bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
 bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
 bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
 bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
+bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch
 
 # ABI maintenance
 debian/ib-fix-abi-change-in-4.5.3.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git