[linux] 03/08: [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Tue Feb 21 03:08:33 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit c448fa9063ec10aaa3f2f5b2855a07f4f52c80a1
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Feb 21 01:23:04 2017 +0000
[x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
---
debian/changelog | 1 +
...x86-fix-emulation-of-mov-ss-null-selector.patch | 104 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 106 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1c80ae3..b264b29 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ linux (3.16.39-1+deb8u1) UNRELEASED; urgency=medium
* fbdev: color map copying bounds checking (CVE-2016-8405)
* sysctl: Drop reference added by grab_header in proc_sys_readdir
(CVE-2016-919)
+ * [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
-- Salvatore Bonaccorso <carnil at debian.org> Sat, 18 Feb 2017 18:26:58 +0100
diff --git a/debian/patches/bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch b/debian/patches/bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
new file mode 100644
index 0000000..694088a
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
@@ -0,0 +1,104 @@
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Thu, 12 Jan 2017 15:02:32 +0100
+Subject: KVM: x86: fix emulation of "MOV SS, null selector"
+Origin: https://git.kernel.org/linus/33ab91103b3415e12457e3104f0e4517ce12d0f3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2583
+
+This is CVE-2017-2583. On Intel this causes a failed vmentry because
+SS's type is neither 3 nor 7 (even though the manual says this check is
+only done for usable SS, and the dmesg splat says that SS is unusable!).
+On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.
+
+The fix fabricates a data segment descriptor when SS is set to a null
+selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
+Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
+this in turn ensures CPL < 3 because RPL must be equal to CPL.
+
+Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
+the bug and deciphering the manuals.
+
+Reported-by: Xiaohan Zhang <zhangxiaohan1 at huawei.com>
+Fixes: 79d5b4c3cd809c770d4bf9812635647016c56011
+Cc: stable at nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 3.16: adjust context]
+---
+ arch/x86/kvm/emulate.c | 48 ++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 38 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1441,7 +1441,6 @@ static int write_segment_descriptor(stru
+ &ctxt->exception);
+ }
+
+-/* Does not support long mode */
+ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+ u16 selector, int seg, u8 cpl,
+ bool in_task_switch,
+@@ -1477,20 +1476,34 @@ static int __load_segment_descriptor(str
+
+ rpl = selector & 3;
+
+- /* NULL selector is not valid for TR, CS and SS (except for long mode) */
+- if ((seg == VCPU_SREG_CS
+- || (seg == VCPU_SREG_SS
+- && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
+- || seg == VCPU_SREG_TR)
+- && null_selector)
+- goto exception;
+-
+ /* TR should be in GDT only */
+ if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
+ goto exception;
+
+- if (null_selector) /* for NULL selector skip all following checks */
++ /* NULL selector is not valid for TR, CS and (except for long mode) SS */
++ if (null_selector) {
++ if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
++ goto exception;
++
++ if (seg == VCPU_SREG_SS) {
++ if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
++ goto exception;
++
++ /*
++ * ctxt->ops->set_segment expects the CPL to be in
++ * SS.DPL, so fake an expand-up 32-bit data segment.
++ */
++ seg_desc.type = 3;
++ seg_desc.p = 1;
++ seg_desc.s = 1;
++ seg_desc.dpl = cpl;
++ seg_desc.d = 1;
++ seg_desc.g = 1;
++ }
++
++ /* Skip all following checks */
+ goto load;
++ }
+
+ ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
+ if (ret != X86EMUL_CONTINUE)
+@@ -1586,6 +1599,21 @@ static int load_segment_descriptor(struc
+ u16 selector, int seg)
+ {
+ u8 cpl = ctxt->ops->cpl(ctxt);
++
++ /*
++ * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
++ * they can load it at CPL<3 (Intel's manual says only LSS can,
++ * but it's wrong).
++ *
++ * However, the Intel manual says that putting IST=1/DPL=3 in
++ * an interrupt gate will result in SS=3 (the AMD manual instead
++ * says it doesn't), so allow SS=3 in __load_segment_descriptor
++ * and only forbid it here.
++ */
++ if (seg == VCPU_SREG_SS && selector == 3 &&
++ ctxt->mode == X86EMUL_MODE_PROT64)
++ return emulate_exception(ctxt, GP_VECTOR, 0, true);
++
+ return __load_segment_descriptor(ctxt, selector, seg, cpl, false, NULL);
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index fe9ea99..e0d17ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -686,6 +686,7 @@ bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
bugfix/all/fbdev-color-map-copying-bounds-checking.patch
bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
+bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list