diff options
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-16 10:26:31 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-16 10:26:36 -0400 |
| commit | 6c1de60a560a0f0b51e027541afd5ef12e6d392d (patch) | |
| tree | 3b8886ef2b2a1a105cf453da1860c86374f252cc | |
| parent | c1394147772e5e57a53889b9a1e3a03c05fdbab7 (diff) | |
| download | kernel-6c1de60a560a0f0b51e027541afd5ef12e6d392d.tar.gz kernel-6c1de60a560a0f0b51e027541afd5ef12e6d392d.tar.xz kernel-6c1de60a560a0f0b51e027541afd5ef12e6d392d.zip | |
CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)
| -rw-r--r-- | KVM-MTRR-remove-MSR-0x2f8.patch | 49 | ||||
| -rw-r--r-- | kernel.spec | 4 |
2 files changed, 53 insertions, 0 deletions
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch new file mode 100644 index 000000000..8066b2e8f --- /dev/null +++ b/KVM-MTRR-remove-MSR-0x2f8.patch @@ -0,0 +1,49 @@ +From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> +Date: Mon, 16 May 2016 09:45:35 -0400 +Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support +was introduced by 9ba075a664df ("KVM: MTRR support"). + +0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the +size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, +which made access to index 124 out of bounds. The surrounding code only +WARNs in this situation, thus the guest gained a limited read/write +access to struct kvm_arch_vcpu. + +0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR +MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 +was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was +not implemented in KVM, therefore 0x2f8 could never do anything useful +and getting rid of it is safe. + +This fixes CVE-2016-TBD. + +Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") +Cc: stable@vger.kernel.org +Reported-by: David Matlack <dmatlack@google.com> +Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> +--- + arch/x86/kvm/mtrr.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c +index 3f8c732117ec..c146f3c262c3 100644 +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr) + case MSR_MTRRdefType: + case MSR_IA32_CR_PAT: + return true; +- case 0x2f8: +- return true; + } + return false; + } +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index 934753126..00e375fb9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -619,6 +619,9 @@ Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch +#CVE-2016-3713 rhbz 1332139 1336410 +Patch717: KVM-MTRR-remove-MSR-0x2f8.patch + # END OF PATCH DEFINITIONS %endif @@ -2146,6 +2149,7 @@ fi %changelog * Mon May 16 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-1 - Linux v4.6 +- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410) * Fri May 13 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git3.1 - Linux v4.6-rc7-116-ga2ccb68b1e6a |