[Secure-testing-team] Bug#548975: kvm-source: allows MMU hypercalls from ring > 0
dann frazier
dannf at hp.com
Tue Sep 29 23:09:00 UTC 2009
Package: kvm-source
Version: 85+dfsg-4
Severity: critical
Tags: patch security
Justification: potential privilege escalation
Upstream patch:
http://git.kernel.org/?p=virt/kvm/kvm.git;a=commitdiff;h=07708c4af1346ab1521b26a202f438366b7bcffd
Please mention CVE-2009-3290 in your changelog.
diff -urpN kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch kvm-85+dfsg/debian/patches/CVE-2009-3290.patch
--- kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch 1969-12-31 17:00:00.000000000 -0700
+++ kvm-85+dfsg/debian/patches/CVE-2009-3290.patch 2009-09-29 17:05:38.000000000 -0600
@@ -0,0 +1,34 @@
+diff -urpN kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h kvm-85+dfsg/kernel/include/linux/kvm_para.h
+--- kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h 2009-04-21 04:04:03.000000000 -0600
++++ kvm-85+dfsg/kernel/include/linux/kvm_para.h 2009-09-29 17:04:54.000000000 -0600
+@@ -53,6 +53,7 @@
+ #define KVM_ENOSYS 1000
+ #define KVM_EFAULT EFAULT
+ #define KVM_E2BIG E2BIG
++#define KVM_EPERM EPERM
+
+ #define KVM_HC_VAPIC_POLL_IRQ 1
+ #define KVM_HC_MMU_OP 2
+diff -urpN kvm-85+dfsg.orig/kernel/x86/x86.c kvm-85+dfsg/kernel/x86/x86.c
+--- kvm-85+dfsg.orig/kernel/x86/x86.c 2009-04-21 04:04:13.000000000 -0600
++++ kvm-85+dfsg/kernel/x86/x86.c 2009-09-29 17:05:01.000000000 -0600
+@@ -2873,6 +2873,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ a3 &= 0xFFFFFFFF;
+ }
+
++ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++ ret = -KVM_EPERM;
++ goto out;
++ }
++
+ switch (nr) {
+ case KVM_HC_VAPIC_POLL_IRQ:
+ ret = 0;
+@@ -2884,6 +2889,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
++out:
+ kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
+ ++vcpu->stat.hypercalls;
+ return r;
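Review bot: The new CPL gate at `if (kvm_x86_ops->get_cpl(vcpu) != 0)` carries no comment stating the invariant it enforces, and this is exactly the kind of check a later refactor drops; I would add above it `/* Hypercalls are a guest-kernel (ring 0) interface: reject them from CPL > 0 so unprivileged guest code cannot reach KVM_HC_MMU_OP and rewrite guest page tables (CVE-2009-3290). */`. The `out:` label is placed before `kvm_register_write(vcpu, VCPU_REGS_RAX, ret)`, so a rejected call still reports `-KVM_EPERM` to the guest and still bumps `vcpu->stat.hypercalls`, which is useful for spotting a guest that probes the interface from userspace; that seems intended but deserves a word in the comment. `kvm_emulate_hypercall` starts outside the hunk, so the value of `r` returned on the last line is set by code not shown here. As rendered, the context and added lines of the inner x86.c hunk have lost their leading tab indentation; if that reflects the actual patch file rather than a list-archive artifact, it will not apply cleanly to the tab-indented source.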
diff -urpN kvm-85+dfsg.orig/debian/patches/series kvm-85+dfsg/debian/patches/series
--- kvm-85+dfsg.orig/debian/patches/series 2009-09-29 17:04:12.000000000 -0600
+++ kvm-85+dfsg/debian/patches/series 2009-09-29 17:05:53.000000000 -0600
@@ -8,3 +8,4 @@ from-debian-qemu/62_linux_boot_nasm.patc
security/leftover.patch
qemu-ifup_head.patch
readd_drive_boot_parameter_help.patch
+CVE-2009-3290.patch