author: Thorsten Leemhuis <fedora@leemhuis.info> 2016-05-24 07:52:43 +0200
committer: Thorsten Leemhuis <fedora@leemhuis.info> 2016-05-24 07:52:43 +0200
commit: 6e0ff2ec8c1e2b43c167b73d87348d926eeab873 (patch)
tree: 769dc84a3849114b3d783c10d7176eb00022b4b0 /KVM-MTRR-remove-MSR-0x2f8.patch
parent: 330729087d5d9b082d7b1d30ed57497ccb38ba0c (diff)
parent: 8f427dedef4e5cbd18d5557deaa812bfafc6c9f7 (diff)
Merge remote-tracking branch 'origin/f22' into f22-user-thl-vanilla-fedorakernel-4.4.11-200.vanilla.knurd.1.fc22
Diffstat (limited to 'KVM-MTRR-remove-MSR-0x2f8.patch')
-rw-r--r-- KVM-MTRR-remove-MSR-0x2f8.patch | 49
1 files changed, 49 insertions, 0 deletions
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch
new file mode 100644
index 000000000..8066b2e8f
--- /dev/null
+++ b/KVM-MTRR-remove-MSR-0x2f8.patch
@@ -0,0 +1,49 @@
+From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Mon, 16 May 2016 09:45:35 -0400
+Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
+was introduced by 9ba075a664df ("KVM: MTRR support").
+
+0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
+size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
+which made access to index 124 out of bounds. The surrounding code only
+WARNs in this situation, thus the guest gained a limited read/write
+access to struct kvm_arch_vcpu.
+
+0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
+MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
+was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
+not implemented in KVM, therefore 0x2f8 could never do anything useful
+and getting rid of it is safe.
+
+This fixes CVE-2016-TBD.
+
+Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
+Cc: stable@vger.kernel.org
+Reported-by: David Matlack <dmatlack@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+---
+ arch/x86/kvm/mtrr.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
+index 3f8c732117ec..c146f3c262c3 100644
+--- a/arch/x86/kvm/mtrr.c
++++ b/arch/x86/kvm/mtrr.c
+@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
+ case MSR_MTRRdefType:
+ case MSR_IA32_CR_PAT:
+ return true;
+- case 0x2f8:
+- return true;
+ }
+ return false;
+ }
+--
+2.5.5
+
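Review bot: the embedded commit message still carries a placeholder at `+This fixes CVE-2016-TBD.`; before this patch file ships in the package, that line should be updated with the identifier that was actually assigned (or dropped if none was), since a stale `TBD` leaves the fix untraceable in changelogs and advisories. The code change itself is minimal and matches the description: with `- case 0x2f8:` and `- return true;` removed, MSR 0x2f8 falls through to the existing `return false;` in msr_mtrr_valid(), so a guest access to it is treated as an invalid MTRR MSR instead of reaching index 124 of the 8-entry variable-range array the message describes. Worth confirming when applying this to the 4.4.11 tree this branch builds (the merge message names kernel-4.4.11-200) is that the `@@ -44,8 +44,6 @@` hunk applies cleanly, since the `index 3f8c732117ec..c146f3c262c3` line refers to the upstream revision of arch/x86/kvm/mtrr.c rather than the packaged one.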