diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-06-11 16:15:37 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-06-11 16:15:37 -0500 |
commit | 088f35853be6303ddf60d321ef5f4ef44fd636cf (patch) | |
tree | 2af26bceece53619b42f47c00615f02a2df27237 | |
parent | 659cba17dc6ad120c1b4909de6ee2fc3469eccaf (diff) | |
download | kernel-088f35853be6303ddf60d321ef5f4ef44fd636cf.tar.gz kernel-088f35853be6303ddf60d321ef5f4ef44fd636cf.tar.xz kernel-088f35853be6303ddf60d321ef5f4ef44fd636cf.zip |
Fix CVE-2018-10853 (rhbz 1589890 1589892)
-rw-r--r-- | kernel.spec | 6 | ||||
-rw-r--r-- | kvm-x86-Check-CPL-in-segmented_write_std.patch | 43 |
2 files changed, 49 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index a4e0f98c7..455b46d9d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -668,6 +668,9 @@ Patch513: ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch # https://www.spinics.net/lists/kernel/msg2818652.html applies cleanly to 4.17 Patch514: libata-Drop-SanDisk-SD7UB3Q-G1001-NOLPM-quirk.patch +# CVE-2018-10853 rhbz 1589890 1589892 +Patch515: kvm-x86-Check-CPL-in-segmented_write_std.patch + # END OF PATCH DEFINITIONS %endif @@ -1918,6 +1921,9 @@ fi # # %changelog +* Mon Jun 11 2018 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2018-10853 (rhbz 1589890 1589892) + * Tue Jun 05 2018 Jeremy Cline <jeremy@jcline.org> - Enable CONFIG_SCSI_DH on s390x (rhbz 1586189) diff --git a/kvm-x86-Check-CPL-in-segmented_write_std.patch b/kvm-x86-Check-CPL-in-segmented_write_std.patch new file mode 100644 index 000000000..a0447d31c --- /dev/null +++ b/kvm-x86-Check-CPL-in-segmented_write_std.patch @@ -0,0 +1,43 @@ +From patchwork Tue Jun 5 20:04:16 2018 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: kvm: x86: Check CPL in segmented_write_std +From: Bandan Das <bsd@redhat.com> +X-Patchwork-Id: 10449159 +Message-Id: <jpgtvqhuhj3.fsf@linux.bootlegged.copy> +To: kvm@vger.kernel.org +Cc: Paolo Bonzini <pbonzini@redhat.com>, + Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>, + Andy Lutomirski <luto@kernel.org> +Date: Tue, 05 Jun 2018 16:04:16 -0400 + +Certain instructions such as sgdt/sidt call segmented_write_std that +doesn't propagate access correctly. As such, during userspace induced +exception, the guest can incorrectly assume that the exception +happened in the kernel and panic. The emulated write function +segmented_write does seem to check access correctly. + +Reported-by: Andy Lutomirski <luto@kernel.org> +Signed-off-by: Bandan Das <bsd@redhat.com> +--- + arch/x86/kvm/x86.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 71e7cda6d014..871265f6a35f 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4824,10 +4824,11 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, + struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); + void *data = val; + int r = X86EMUL_CONTINUE; ++ u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; + + while (bytes) { + gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr, +- PFERR_WRITE_MASK, ++ access | PFERR_WRITE_MASK, + exception); + unsigned offset = addr & (PAGE_SIZE-1); + unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset); |