summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Boyer <jwboyer@fedoraproject.org>2015-11-10 07:48:23 -0500
committerJosh Boyer <jwboyer@fedoraproject.org>2015-11-10 07:48:26 -0500
commit5006f99211ad3223f65be6ff532dc24f4c9fd038 (patch)
tree4ba36929bcef408ea49bc7127410e104b71fccf2
parent9965118852c672537a1f35006d2579a83dfc425f (diff)
downloadkernel-5006f99211ad3223f65be6ff532dc24f4c9fd038.tar.gz
kernel-5006f99211ad3223f65be6ff532dc24f4c9fd038.tar.xz
kernel-5006f99211ad3223f65be6ff532dc24f4c9fd038.zip
CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691)
-rw-r--r--KVM-svm-unconditionally-intercept-DB.patch80
-rw-r--r--kernel.spec4
2 files changed, 84 insertions, 0 deletions
diff --git a/KVM-svm-unconditionally-intercept-DB.patch b/KVM-svm-unconditionally-intercept-DB.patch
new file mode 100644
index 000000000..021af4ccb
--- /dev/null
+++ b/KVM-svm-unconditionally-intercept-DB.patch
@@ -0,0 +1,80 @@
+From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 10 Nov 2015 13:22:53 +0100
+Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB
+
+This is needed to avoid the possibility that the guest triggers
+an infinite stream of #DB exceptions (CVE-2015-8104).
+
+VMX is not affected: because it does not save DR6 in the VMCS,
+it already intercepts #DB unconditionally.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/svm.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 7203b3cc71b5..184e50b3c35a 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm)
+ set_exception_intercept(svm, UD_VECTOR);
+ set_exception_intercept(svm, MC_VECTOR);
+ set_exception_intercept(svm, AC_VECTOR);
++ set_exception_intercept(svm, DB_VECTOR);
+
+ set_intercept(svm, INTERCEPT_INTR);
+ set_intercept(svm, INTERCEPT_NMI);
+@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
+ mark_dirty(svm->vmcb, VMCB_SEG);
+ }
+
+-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
++static void update_bp_intercept(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+
+- clr_exception_intercept(svm, DB_VECTOR);
+ clr_exception_intercept(svm, BP_VECTOR);
+
+- if (svm->nmi_singlestep)
+- set_exception_intercept(svm, DB_VECTOR);
+-
+ if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
+- if (vcpu->guest_debug &
+- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
+- set_exception_intercept(svm, DB_VECTOR);
+ if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
+ set_exception_intercept(svm, BP_VECTOR);
+ } else
+@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm)
+ if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
+ svm->vmcb->save.rflags &=
+ ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
+- update_db_bp_intercept(&svm->vcpu);
+ }
+
+ if (svm->vcpu.guest_debug &
+@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
+ */
+ svm->nmi_singlestep = true;
+ svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
+- update_db_bp_intercept(vcpu);
+ }
+
+ static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
+@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = {
+ .vcpu_load = svm_vcpu_load,
+ .vcpu_put = svm_vcpu_put,
+
+- .update_db_bp_intercept = update_db_bp_intercept,
++ .update_db_bp_intercept = update_bp_intercept,
+ .get_msr = svm_get_msr,
+ .set_msr = svm_set_msr,
+ .get_segment_base = svm_get_segment_base,
+--
+2.4.3
+
diff --git a/kernel.spec b/kernel.spec
index 444cd964d..20fc7b364 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -596,6 +596,9 @@ Patch511: RDS-fix-race-condition-when-sending-a-message-on-unb.patch
#CVE-2015-5307 rhbz 1277172 1279688
Patch550: KVM-x86-work-around-infinite-loop-in-microcode-when-.patch
+#CVE-2015-8104 rhbz 1278496 1279691
+Patch551: KVM-svm-unconditionally-intercept-DB.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2040,6 +2043,7 @@ fi
#
%changelog
* Tue Nov 10 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691)
- CVE-2015-5307 kvm: DoS infinite loop in microcode AC exception (rhbz 1277172 1279688)
* Tue Nov 10 2015 Peter Robinson <pbrobinson@fedoraproject.org>