[linux] 01/02: [x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT (CVE-2017-12188)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Oct 13 16:39:53 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 02033a7a17f302964e5103979bbfddaf8034c4e8
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Oct 13 18:06:46 2017 +0200
[x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT (CVE-2017-12188)
---
debian/changelog | 2 ++
...date-last_nonleaf_level-when-initializing.patch | 34 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 37 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index e1615d5..aef371e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,8 @@ linux (4.13.4-2) UNRELEASED; urgency=medium
* KEYS: prevent KEYCTL_READ on negative key (CVE-2017-12192)
* waitid(): Add missing access_ok() checks (CVE-2017-5123)
* ALSA: seq: Fix use-after-free at creating a port (CVE-2017-15265)
+ * [x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT
+ (CVE-2017-12188)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 04 Oct 2017 23:14:54 +0100
diff --git a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch b/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
new file mode 100644
index 0000000..eefff5b
--- /dev/null
+++ b/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
@@ -0,0 +1,34 @@
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 5 Oct 2017 11:10:22 +0200
+Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
+Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
+
+The function updates context->root_level but didn't call
+update_last_nonleaf_level so the previous and potentially wrong value
+was used for page walks. For example, a zero value of last_nonleaf_level
+would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
+walk_addr_generic function (CVE-2017-12188).
+
+Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index 106d4a029a8a..3c25f20115bc 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
+
+ update_permission_bitmask(vcpu, context, true);
+ update_pkru_bitmask(vcpu, context, true);
++ update_last_nonleaf_level(vcpu, context);
+ reset_rsvds_bits_mask_ept(vcpu, context, execonly);
+ reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
+ }
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 0131f69..09ca221 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -126,6 +126,7 @@ bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
bugfix/all/waitid-Add-missing-access_ok-checks.patch
bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
+bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list