diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-17 09:03:07 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-05-17 11:14:02 -0400 |
commit | 6116861edf2be2615467c0f189153f95badf7e58 (patch) | |
tree | 4cde55ba426e107151683f8b4356c2a1d9d97b84 /KVM-MTRR-remove-MSR-0x2f8.patch | |
parent | 59915d41e79894c3ddd27a6a83e74b3991b23451 (diff) | |
download | kernel-6116861edf2be2615467c0f189153f95badf7e58.tar.gz kernel-6116861edf2be2615467c0f189153f95badf7e58.tar.xz kernel-6116861edf2be2615467c0f189153f95badf7e58.zip |
Linux v4.6
- Disable CONFIG_DEBUG_VM_PGFLAGS on non debug kernels (rhbz 1335173)
- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)
Diffstat (limited to 'KVM-MTRR-remove-MSR-0x2f8.patch')
-rw-r--r-- | KVM-MTRR-remove-MSR-0x2f8.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch new file mode 100644 index 000000000..8066b2e8f --- /dev/null +++ b/KVM-MTRR-remove-MSR-0x2f8.patch @@ -0,0 +1,49 @@ +From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> +Date: Mon, 16 May 2016 09:45:35 -0400 +Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support +was introduced by 9ba075a664df ("KVM: MTRR support"). + +0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the +size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, +which made access to index 124 out of bounds. The surrounding code only +WARNs in this situation, thus the guest gained a limited read/write +access to struct kvm_arch_vcpu. + +0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR +MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 +was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was +not implemented in KVM, therefore 0x2f8 could never do anything useful +and getting rid of it is safe. + +This fixes CVE-2016-TBD. + +Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") +Cc: stable@vger.kernel.org +Reported-by: David Matlack <dmatlack@google.com> +Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> +--- + arch/x86/kvm/mtrr.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c +index 3f8c732117ec..c146f3c262c3 100644 +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr) + case MSR_MTRRdefType: + case MSR_IA32_CR_PAT: + return true; +- case 0x2f8: +- return true; + } + return false; + } +-- +2.5.5 + |