[linux] 01/02: [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
debian-kernel at lists.debian.org
Thu Jan 19 12:41:12 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 5745d97d88e46e21da5139cf49e50f88a6457d7f
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu Jan 19 12:55:51 2017 +0100
[x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
---
debian/changelog | 1 +
.../KVM-x86-Introduce-segmented_write_std.patch | 61 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 63 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 54c7cf3..4245875 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -244,6 +244,7 @@ linux (4.9.4-1) UNRELEASED; urgency=medium
* sysctl: Drop reference added by grab_header in proc_sys_readdir
(CVE-2016-9191)
* tmpfs: clear S_ISGID when setting posix ACLs
+ * [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
-- Salvatore Bonaccorso <carnil at debian.org> Mon, 16 Jan 2017 09:26:13 +0100
diff --git a/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch b/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
new file mode 100644
index 0000000..b5ef81a
--- /dev/null
+++ b/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
@@ -0,0 +1,61 @@
+From: Steve Rutherford <srutherford at google.com>
+Date: Wed, 11 Jan 2017 18:28:29 -0800
+Subject: KVM: x86: Introduce segmented_write_std
+Origin: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d
+
+Introduces segemented_write_std.
+
+Switches from emulated reads/writes to standard read/writes in fxsave,
+fxrstor, sgdt, and sidt. This fixes CVE-2017-2584, a longstanding
+kernel memory leak.
+
+Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
+2016-11-09), which is luckily not yet in any final release, this would
+also be an exploitable kernel memory *write*!
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Cc: stable at vger.kernel.org
+Fixes: 96051572c819194c37a8367624b285be10297eca
+Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
+Suggested-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Steve Rutherford <srutherford at google.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[carnil: backport for 4.9, changes only before 283c95d0e389 in 4.10-rc1]
+---
+ arch/x86/kvm/emulate.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -791,6 +791,20 @@ static int segmented_read_std(struct x86
+ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
+ }
+
++static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
++ struct segmented_address addr,
++ void *data,
++ unsigned int size)
++{
++ int rc;
++ ulong linear;
++
++ rc = linearize(ctxt, addr, size, true, &linear);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
++}
++
+ /*
+ * Prefetch the remaining bytes of the instruction without crossing page
+ * boundary if they are not in fetch_cache yet.
+@@ -3658,8 +3672,8 @@ static int emulate_store_desc_ptr(struct
+ }
+ /* Disable writeback. */
+ ctxt->dst.type = OP_NONE;
+- return segmented_write(ctxt, ctxt->dst.addr.mem,
+- &desc_ptr, 2 + ctxt->op_bytes);
++ return segmented_write_std(ctxt, ctxt->dst.addr.mem,
++ &desc_ptr, 2 + ctxt->op_bytes);
+ }
+
+ static int em_sgdt(struct x86_emulate_ctxt *ctxt)
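Review bot: the diffstat kept in the patch header (`arch/x86/kvm/emulate.c | 22 ++++++++++++++++++----` and `18 insertions(+), 4 deletions(-)`) is upstream's and no longer matches the backported body: the first hunk (`@@ -791,6 +791,20 @@`) adds 14 lines and the second (`@@ -3658,8 +3672,8 @@`) swaps 2, so the file carries 16 insertions and 2 deletions after the fxsave/fxrstor hunk was dropped per the `[carnil: ...]` note. Regenerating the header keeps the patch file self-consistent. The code itself looks right: `segmented_write_std` mirrors `segmented_read_std`, calls `linearize()` with the write flag set so segment limit and writability checks still run over the full `2 + ctxt->op_bytes` span before `ops->write_std` copies `desc_ptr`, and `emulate_store_desc_ptr` now avoids the emulated write path that the description identifies as the source of the kernel memory leak. Since the retained description still mentions fxsave and fxrstor, which are not in 4.9, a one-line addition to the backport note stating that only sgdt/sidt are covered here would help anyone auditing the CVE fix against this tree.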
diff --git a/debian/patches/series b/debian/patches/series
index 63dc380..140cf35 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -97,6 +97,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
+bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git