[linux] 01/01: [x86] kvm: Check memopp before dereference (CVE-2016-8630)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sun Nov 6 16:57:41 UTC 2016


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit d99e060fe3f171d2993ef9ea9287b03a41a71422
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sun Nov 6 17:52:10 2016 +0100

    [x86] kvm: Check memopp before dereference (CVE-2016-8630)
---
 debian/changelog                                   |  3 ++
 ...ck-memopp-before-dereference-CVE-2016-863.patch | 34 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 38 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b3f02ea..5d74b4e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -122,6 +122,9 @@ linux (4.8.6-1) UNRELEASED; urgency=medium
   * cpupower: Fix checks for CPU existence (Closes: #843071)
   * perf: Disable use of libcrypto (Closes: #843199)
 
+  [ Salvatore Bonaccorso ]
+  * [x86] kvm: Check memopp before dereference (CVE-2016-8630)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 02 Nov 2016 12:01:42 -0600
 
 linux (4.8.5-1) unstable; urgency=medium
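Review bot: the new changelog line names the CVE but says nothing about impact; the imported patch header describes a guest-triggerable NULL pointer dereference in the x86 instruction emulator, so stating that in the entry (e.g. "... (CVE-2016-8630): NULL pointer dereference in the instruction emulator") would let readers of the changelog judge severity without opening the patch. Placement under the "[ Salvatore Bonaccorso ]" block in the UNRELEASED 4.8.6-1 stanza is correct.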
diff --git a/debian/patches/bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch b/debian/patches/bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch
new file mode 100644
index 0000000..5a3297e
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch
@@ -0,0 +1,34 @@
+From: Owen Hofmann <osh at google.com>
+Date: Thu, 27 Oct 2016 11:25:52 -0700
+Subject: kvm: x86: Check memopp before dereference (CVE-2016-8630)
+Origin: https://git.kernel.org/linus/d9092f52d7e61dd1557f2db2400ddb430e85937e
+
+Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a
+check for non-NULL under incorrect assumptions. An undefined instruction
+with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt
+to dereference a null pointer here.
+
+Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
+Message-Id: <1477592752-126650-2-git-send-email-osh at google.com>
+Signed-off-by: Owen Hofmann <osh at google.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 4e95d3e..cbd7b92 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5045,7 +5045,7 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
+ 	/* Decode and fetch the destination operand: register or memory. */
+ 	rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
+ 
+-	if (ctxt->rip_relative)
++	if (ctxt->rip_relative && likely(ctxt->memopp))
+ 		ctxt->memopp->addr.mem.ea = address_mask(ctxt,
+ 					ctxt->memopp->addr.mem.ea + ctxt->_eip);
+ 
+-- 
+2.10.2
+
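Review bot: "R/M-5" in the imported description reads as a typo for "R/M=5": the cited ModR/M byte 0x15 is Mod=0, Reg=2, R/M=5, the encoding that sets ctxt->rip_relative while the undefined opcode decodes no memory operand, so ctxt->memopp stays NULL and the old unconditional dereference at line 5048 faults. Since this file is a verbatim copy of the Origin commit, leave the text as is rather than diverge from upstream. The one-line guard `if (ctxt->rip_relative && likely(ctxt->memopp))` is the minimal correct fix, restoring the non-NULL check that 41061cdb98 removed; `likely()` is only a branch hint, the NULL test carries the semantics.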
diff --git a/debian/patches/series b/debian/patches/series
index f947dfd..7a9ebf2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -96,6 +96,7 @@ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/net-add-recursion-limit-to-gro.patch
 bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
+bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch
 
 # ABI maintenance
 
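Review bot: the series entry matches the new file's path exactly, but that path truncates the CVE id to "CVE-2016-863" (apparently cut by git format-patch's default file-name length), so a grep of the tree for CVE-2016-8630 will hit only the changelog and the patch header; consider renaming the file to carry the full id before release and updating this line to match.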

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git