Diffstat (limited to 'kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch')
-rw-r--r--kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch b/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch
new file mode 100644
index 000000000..978401257
--- /dev/null
+++ b/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch
@@ -0,0 +1,41 @@
+From patchwork Tue Sep 12 20:02:54 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
+From: Jim Mattson <jmattson@google.com>
+X-Patchwork-Id: 9950035
+Message-Id: <20170912200254.111560-1-jmattson@google.com>
+To: kvm@vger.kernel.org, P J P <ppandit@redhat.com>,
+ Paolo Bonzini <pbonzini@redhat.com>
+Cc: Jim Mattson <jmattson@google.com>
+Date: Tue, 12 Sep 2017 13:02:54 -0700
+
+If L1 does not specify the "use TPR shadow" VM-execution control in
+vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
+exiting" VM-execution controls in vmcs02. Failure to do so will give
+the L2 VM unrestricted read/write access to the hardware CR8.
+
+This fixes CVE-2017-12154.
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+---
+ arch/x86/kvm/vmx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index c6efc1f88b25..885b7eed4320 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10525,6 +10525,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
+ if (exec_control & CPU_BASED_TPR_SHADOW) {
+ vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
+ vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
++ } else {
++#ifdef CONFIG_X86_64
++ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
++ CPU_BASED_CR8_STORE_EXITING;
++#endif
+ }
+
+ /*
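Review bot: The kernel lines embedded in this patch file (the context and added lines under the `@@ -10525,6 +10525,11 @@` header) appear with a single leading space where upstream vmx.c uses tab indentation; if that is the file's actual content rather than this page's rendering, `patch`/`git am` will reject the hunk and the CVE-2017-12154 fix will silently be missing from the build, so it is worth confirming the file applies cleanly against the packaged kernel tree before merging. The added `else` branch only sets `CPU_BASED_CR8_LOAD_EXITING | CPU_BASED_CR8_STORE_EXITING` in the local `exec_control`; the store of `exec_control` into the VMCS and the rest of prepare_vmcs02 lie outside the hunk, so the fix is only effective if that write follows later in the function, which cannot be verified from here. With the `#ifdef CONFIG_X86_64` guard the 32-bit build leaves the `else` branch empty, which is presumably intended since CR8 is only reachable from 64-bit guest code, but a one-line comment such as `/* CR8 is only accessible in 64-bit mode; nothing to trap on 32-bit */` would save the next reader the question.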