[linux] 01/02: [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jan 19 12:41:12 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 5745d97d88e46e21da5139cf49e50f88a6457d7f
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jan 19 12:55:51 2017 +0100

    [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
---
 debian/changelog                                   |  1 +
 .../KVM-x86-Introduce-segmented_write_std.patch    | 61 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 63 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 54c7cf3..4245875 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -244,6 +244,7 @@ linux (4.9.4-1) UNRELEASED; urgency=medium
   * sysctl: Drop reference added by grab_header in proc_sys_readdir
     (CVE-2016-9191)
   * tmpfs: clear S_ISGID when setting posix ACLs
+  * [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Mon, 16 Jan 2017 09:26:13 +0100
 
diff --git a/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch b/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
new file mode 100644
index 0000000..b5ef81a
--- /dev/null
+++ b/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
@@ -0,0 +1,61 @@
+From: Steve Rutherford <srutherford at google.com>
+Date: Wed, 11 Jan 2017 18:28:29 -0800
+Subject: KVM: x86: Introduce segmented_write_std
+Origin: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d
+
+Introduces segemented_write_std.
+
+Switches from emulated reads/writes to standard read/writes in fxsave,
+fxrstor, sgdt, and sidt.  This fixes CVE-2017-2584, a longstanding
+kernel memory leak.
+
+Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
+2016-11-09), which is luckily not yet in any final release, this would
+also be an exploitable kernel memory *write*!
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Cc: stable at vger.kernel.org
+Fixes: 96051572c819194c37a8367624b285be10297eca
+Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
+Suggested-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Steve Rutherford <srutherford at google.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[carnil: backport for 4.9, changes only before 283c95d0e389 in 4.10-rc1]
+---
+ arch/x86/kvm/emulate.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -791,6 +791,20 @@ static int segmented_read_std(struct x86
+ 	return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
+ }
+ 
++static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
++			       struct segmented_address addr,
++			       void *data,
++			       unsigned int size)
++{
++	int rc;
++	ulong linear;
++
++	rc = linearize(ctxt, addr, size, true, &linear);
++	if (rc != X86EMUL_CONTINUE)
++		return rc;
++	return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
++}
++
+ /*
+  * Prefetch the remaining bytes of the instruction without crossing page
+  * boundary if they are not in fetch_cache yet.
+@@ -3658,8 +3672,8 @@ static int emulate_store_desc_ptr(struct
+ 	}
+ 	/* Disable writeback. */
+ 	ctxt->dst.type = OP_NONE;
+-	return segmented_write(ctxt, ctxt->dst.addr.mem,
+-			       &desc_ptr, 2 + ctxt->op_bytes);
++	return segmented_write_std(ctxt, ctxt->dst.addr.mem,
++				   &desc_ptr, 2 + ctxt->op_bytes);
+ }
+ 
+ static int em_sgdt(struct x86_emulate_ctxt *ctxt)
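Review bot: The new segmented_write_std (L74–L86 of the embedded emulate.c hunk) has no comment explaining how it differs from the existing segmented_write it replaces in emulate_store_desc_ptr, so the next reader has no cue for when the "std" path is the right one; I'd add `/* Like segmented_read_std, but for writes: resolve addr to a linear address, then write through ->write_std rather than the emulated path. */` above it. The patch description still reads `Introduces segemented_write_std.` (typo for segmented), and the retained diffstat `arch/x86/kvm/emulate.c | 22 ++++++++++++++++++----` / `18 insertions(+), 4 deletions(-)` appears to describe the upstream commit rather than this backport, which per the `[carnil: ...]` note drops the fxsave/fxrstor hunks and, by my count of the two hunks shown, carries 16 insertions and 2 deletions. Refreshing the diffstat (or noting in the carnil line that it is upstream's) would keep the patch header honest about what the 4.9 backport actually touches. emulate_store_desc_ptr's body begins outside the second inner hunk.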
diff --git a/debian/patches/series b/debian/patches/series
index 63dc380..140cf35 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -97,6 +97,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch
 bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
+bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch



