[linux] 04/08: [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)

debian-kernel at lists.debian.org
Tue Feb 21 03:08:33 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit e8540d095eb89717ef2725da452a82a3966721da
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Feb 21 01:28:01 2017 +0000

    [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
---
 debian/changelog                                   |  1 +
 .../kvm-x86-introduce-segmented_write_std.patch    | 59 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 61 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b264b29..14ea463 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ linux (3.16.39-1+deb8u1) UNRELEASED; urgency=medium
   * sysctl: Drop reference added by grab_header in proc_sys_readdir
     (CVE-2016-919)
   * [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
+  * [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 18 Feb 2017 18:26:58 +0100
 
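Review bot: the unchanged context two lines above the added entry reads "(CVE-2016-919)", which cannot be a complete CVE identifier (the sequence part of a CVE id is at least four digits); it is outside this change, but it sits in the same UNRELEASED changelog block and should be corrected before the upload. The added line itself follows the format of the CVE-2017-2583 entry directly above it and matches the commit subject, so nothing further is needed for this hunk.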
diff --git a/debian/patches/bugfix/x86/kvm-x86-introduce-segmented_write_std.patch b/debian/patches/bugfix/x86/kvm-x86-introduce-segmented_write_std.patch
new file mode 100644
index 0000000..cdc93ef
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-x86-introduce-segmented_write_std.patch
@@ -0,0 +1,59 @@
+From: Steve Rutherford <srutherford at google.com>
+Date: Wed, 11 Jan 2017 18:28:29 -0800
+Subject: KVM: x86: Introduce segmented_write_std
+Origin: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2584
+
+Introduces segemented_write_std.
+
+Switches from emulated reads/writes to standard read/writes in fxsave,
+fxrstor, sgdt, and sidt.  This fixes CVE-2017-2584, a longstanding
+kernel memory leak.
+
+Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
+2016-11-09), which is luckily not yet in any final release, this would
+also be an exploitable kernel memory *write*!
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Cc: stable at vger.kernel.org
+Fixes: 96051572c819194c37a8367624b285be10297eca
+Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
+Suggested-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Steve Rutherford <srutherford at google.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 3.16: drop changes to em_fxsave(), em_fxrstor()]
+---
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -744,6 +744,20 @@ static int segmented_read_std(struct x86
+ 	return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
+ }
+ 
++static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
++			       struct segmented_address addr,
++			       void *data,
++			       unsigned int size)
++{
++	int rc;
++	ulong linear;
++
++	rc = linearize(ctxt, addr, size, true, &linear);
++	if (rc != X86EMUL_CONTINUE)
++		return rc;
++	return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
++}
++
+ /*
+  * Fetch the next byte of the instruction being emulated which is pointed to
+  * by ctxt->_eip, then increment ctxt->_eip.
+@@ -3270,8 +3284,8 @@ static int emulate_store_desc_ptr(struct
+ 	}
+ 	/* Disable writeback. */
+ 	ctxt->dst.type = OP_NONE;
+-	return segmented_write(ctxt, ctxt->dst.addr.mem,
+-			       &desc_ptr, 2 + ctxt->op_bytes);
++	return segmented_write_std(ctxt, ctxt->dst.addr.mem,
++				   &desc_ptr, 2 + ctxt->op_bytes);
+ }
+ 
+ static int em_sgdt(struct x86_emulate_ctxt *ctxt)
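Review bot: the new segmented_write_std has no comment saying when it should be chosen over segmented_write, which is the whole point of the fix; a one-line comment above it (for example "write the emulator's own descriptor/state buffers straight to guest virtual memory, mirroring segmented_read_std") would keep future callers on the right path. The body itself mirrors the segmented_read_std shown in the leading context: linearize() is called with the write flag set to true and the result is handed to ops->write_std with ctxt->exception, so the size passed by emulate_store_desc_ptr (2 + ctxt->op_bytes) is bounds-checked during linearization exactly as the read side is. The "[bwh: Backported to 3.16: drop changes to em_fxsave(), em_fxrstor()]" line explains why only emulate_store_desc_ptr is converted here: 3.16 predates commit 283c95d0e389, so the fxsave/fxrstor callers mentioned in the description do not exist in this tree, and the backport correctly leaves them out rather than adding dead code. The description's "segemented_write_std" spelling is inherited verbatim from the upstream commit message; since this file is an import of the upstream patch it is acceptable to leave it, but the Debian-added header lines should not copy the typo.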
diff --git a/debian/patches/series b/debian/patches/series
index e0d17ad..2a51457 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -687,6 +687,7 @@ bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
 bugfix/all/fbdev-color-map-copying-bounds-checking.patch
 bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
 bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
+bugfix/x86/kvm-x86-introduce-segmented_write_std.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git