diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-09-13 14:16:59 -0700 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-09-13 14:16:59 -0700 |
commit | 1cea4bfbc911fc3948ae8256b55657576eb03f7d (patch) | |
tree | 4ae37935c124d5b5d0c4acc872b0a493cf744b7c /kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch | |
parent | 3d3fae962bbc6b7cf9da36dd3bf6c691ad1848f2 (diff) | |
download | kernel-1cea4bfbc911fc3948ae8256b55657576eb03f7d.tar.gz kernel-1cea4bfbc911fc3948ae8256b55657576eb03f7d.tar.xz kernel-1cea4bfbc911fc3948ae8256b55657576eb03f7d.zip |
Fix CVE-2017-12154 CVE-2017-12153 CVE-2017-1000251
Diffstat (limited to 'kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch')
-rw-r--r-- | kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch b/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch new file mode 100644 index 000000000..978401257 --- /dev/null +++ b/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch @@ -0,0 +1,41 @@ +From patchwork Tue Sep 12 20:02:54 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8 +From: Jim Mattson <jmattson@google.com> +X-Patchwork-Id: 9950035 +Message-Id: <20170912200254.111560-1-jmattson@google.com> +To: kvm@vger.kernel.org, P J P <ppandit@redhat.com>, + Paolo Bonzini <pbonzini@redhat.com> +Cc: Jim Mattson <jmattson@google.com> +Date: Tue, 12 Sep 2017 13:02:54 -0700 + +If L1 does not specify the "use TPR shadow" VM-execution control in +vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store +exiting" VM-execution controls in vmcs02. Failure to do so will give +the L2 VM unrestricted read/write access to the hardware CR8. + +This fixes CVE-2017-12154. + +Signed-off-by: Jim Mattson <jmattson@google.com> +--- + arch/x86/kvm/vmx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index c6efc1f88b25..885b7eed4320 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10525,6 +10525,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, + if (exec_control & CPU_BASED_TPR_SHADOW) { + vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull); + vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold); ++ } else { ++#ifdef CONFIG_X86_64 ++ exec_control |= CPU_BASED_CR8_LOAD_EXITING | ++ CPU_BASED_CR8_STORE_EXITING; ++#endif + } + + /* |