diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-11-10 07:48:23 -0500 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-11-10 07:48:26 -0500 |
commit | 5006f99211ad3223f65be6ff532dc24f4c9fd038 (patch) | |
tree | 4ba36929bcef408ea49bc7127410e104b71fccf2 | |
parent | 9965118852c672537a1f35006d2579a83dfc425f (diff) | |
download | kernel-5006f99211ad3223f65be6ff532dc24f4c9fd038.tar.gz kernel-5006f99211ad3223f65be6ff532dc24f4c9fd038.tar.xz kernel-5006f99211ad3223f65be6ff532dc24f4c9fd038.zip |
CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691)
-rw-r--r-- | KVM-svm-unconditionally-intercept-DB.patch | 80 | ||||
-rw-r--r-- | kernel.spec | 4 |
2 files changed, 84 insertions, 0 deletions
diff --git a/KVM-svm-unconditionally-intercept-DB.patch b/KVM-svm-unconditionally-intercept-DB.patch new file mode 100644 index 000000000..021af4ccb --- /dev/null +++ b/KVM-svm-unconditionally-intercept-DB.patch @@ -0,0 +1,80 @@ +From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Tue, 10 Nov 2015 13:22:53 +0100 +Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB + +This is needed to avoid the possibility that the guest triggers +an infinite stream of #DB exceptions (CVE-2015-8104). + +VMX is not affected: because it does not save DR6 in the VMCS, +it already intercepts #DB unconditionally. + +Reported-by: Jan Beulich <jbeulich@suse.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + arch/x86/kvm/svm.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 7203b3cc71b5..184e50b3c35a 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm) + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); + set_exception_intercept(svm, AC_VECTOR); ++ set_exception_intercept(svm, DB_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, + mark_dirty(svm->vmcb, VMCB_SEG); + } + +-static void update_db_bp_intercept(struct kvm_vcpu *vcpu) ++static void update_bp_intercept(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); + +- clr_exception_intercept(svm, DB_VECTOR); + clr_exception_intercept(svm, BP_VECTOR); + +- if (svm->nmi_singlestep) +- set_exception_intercept(svm, DB_VECTOR); +- + if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { +- if (vcpu->guest_debug & +- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) +- set_exception_intercept(svm, DB_VECTOR); + if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) + set_exception_intercept(svm, BP_VECTOR); + } else +@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm) + if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) + svm->vmcb->save.rflags &= + ~(X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(&svm->vcpu); + } + + if (svm->vcpu.guest_debug & +@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu) + */ + svm->nmi_singlestep = true; + svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(vcpu); + } + + static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) +@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = { + .vcpu_load = svm_vcpu_load, + .vcpu_put = svm_vcpu_put, + +- .update_db_bp_intercept = update_db_bp_intercept, ++ .update_db_bp_intercept = update_bp_intercept, + .get_msr = svm_get_msr, + .set_msr = svm_set_msr, + .get_segment_base = svm_get_segment_base, +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index 444cd964d..20fc7b364 100644 --- a/kernel.spec +++ b/kernel.spec @@ -596,6 +596,9 @@ Patch511: RDS-fix-race-condition-when-sending-a-message-on-unb.patch #CVE-2015-5307 rhbz 1277172 1279688 Patch550: KVM-x86-work-around-infinite-loop-in-microcode-when-.patch +#CVE-2015-8104 rhbz 1278496 1279691 +Patch551: KVM-svm-unconditionally-intercept-DB.patch + # END OF PATCH DEFINITIONS %endif @@ -2040,6 +2043,7 @@ fi # %changelog * Tue Nov 10 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691) - CVE-2015-5307 kvm: DoS infinite loop in microcode AC exception (rhbz 1277172 1279688) * Tue Nov 10 2015 Peter Robinson <pbrobinson@fedoraproject.org> |