authorJustin M. Forbes <jforbes@fedoraproject.org>2018-06-11 16:15:38 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2018-06-11 16:15:38 -0500
commitd54cf780b1e0c86386da5da5af7e26854bfad23c (patch)
tree7cf4d9c3a58159dfdcdb8d9483aad96e17f1a235
parentbfc64875b123f5d5fac0478cbb1ba5de6f6eadc2 (diff)
Fix CVE-2018-10853 (rhbz 1589890 1589892)
-rw-r--r--kernel.spec6
-rw-r--r--kvm-x86-Check-CPL-in-segmented_write_std.patch43
2 files changed, 49 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 856a6d931..f87ecde48 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -670,6 +670,9 @@ Patch513: ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch
# https://www.spinics.net/lists/kernel/msg2818652.html applies cleanly to 4.17
Patch514: libata-Drop-SanDisk-SD7UB3Q-G1001-NOLPM-quirk.patch
+# CVE-2018-10853 rhbz 1589890 1589892
+Patch515: kvm-x86-Check-CPL-in-segmented_write_std.patch
+
# END OF PATCH DEFINITIONS
%endif
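Review bot: The new Patch515 comment records the CVE and bugzilla ids but, unlike the neighbouring Patch514 comment with its list link and "applies cleanly to 4.17" status, gives no pointer to where the fix lives upstream, which makes it harder to tell later when the patch can be dropped on a rebase. The patch file itself identifies the submission only by patchwork id, so I would carry that here too, e.g. `# CVE-2018-10853 rhbz 1589890 1589892 - patchwork 10449159, not yet merged upstream when added`, and replace the status clause with the upstream commit once it lands. The hunk shows only the patch definition; whether a corresponding application step is needed elsewhere in the spec is outside this hunk.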
@@ -1923,6 +1926,9 @@ fi
#
#
%changelog
+* Mon Jun 11 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2018-10853 (rhbz 1589890 1589892)
+
* Tue Jun 05 2018 Jeremy Cline <jcline@redhat.com> - 4.16.14-200
- Linux v4.16.14
diff --git a/kvm-x86-Check-CPL-in-segmented_write_std.patch b/kvm-x86-Check-CPL-in-segmented_write_std.patch
new file mode 100644
index 000000000..a0447d31c
--- /dev/null
+++ b/kvm-x86-Check-CPL-in-segmented_write_std.patch
@@ -0,0 +1,43 @@
+From patchwork Tue Jun 5 20:04:16 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: kvm: x86: Check CPL in segmented_write_std
+From: Bandan Das <bsd@redhat.com>
+X-Patchwork-Id: 10449159
+Message-Id: <jpgtvqhuhj3.fsf@linux.bootlegged.copy>
+To: kvm@vger.kernel.org
+Cc: Paolo Bonzini <pbonzini@redhat.com>,
+ Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>,
+ Andy Lutomirski <luto@kernel.org>
+Date: Tue, 05 Jun 2018 16:04:16 -0400
+
+Certain instructions such as sgdt/sidt call segmented_write_std that
+doesn't propagate access correctly. As such, during userspace induced
+exception, the guest can incorrectly assume that the exception
+happened in the kernel and panic. The emulated write function
+segmented_write does seem to check access correctly.
+
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Bandan Das <bsd@redhat.com>
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 71e7cda6d014..871265f6a35f 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4824,10 +4824,11 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+ void *data = val;
+ int r = X86EMUL_CONTINUE;
++ u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
+
+ while (bytes) {
+ gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr,
+- PFERR_WRITE_MASK,
++ access | PFERR_WRITE_MASK,
+ exception);
+ unsigned offset = addr & (PAGE_SIZE-1);
+ unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
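Review bot: The added `access` line computes the CPL-derived fault flag once before the loop but carries no comment saying why it is needed, so a later reader has to recover the intent from the commit text, which is itself hedged ("does seem to check access correctly"). I would place a one-line comment above it in the patch, e.g. `/* Propagate CPL so a fault on a user-initiated write is reported with PFERR_USER_MASK, not as a kernel access. */`, since the whole point of the fix is which error code the guest sees on the resulting exception. The patch header identifies the change only by patchwork id 10449159 and has no upstream commit reference or cherry-pick trailer, so it cannot be matched against a later stable backport by hash; adding `(cherry picked from commit <UPSTREAM-COMMIT-ID>)` once merged would fix that. kvm_write_guest_virt_system begins and ends outside the embedded hunk, so whether the same CPL handling is applied on every path that reaches gva_to_gpa in that function is not visible here.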