diff options
Diffstat (limited to 'kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch')
-rw-r--r-- | kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch b/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch new file mode 100644 index 000000000..978401257 --- /dev/null +++ b/kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch @@ -0,0 +1,41 @@ +From patchwork Tue Sep 12 20:02:54 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8 +From: Jim Mattson <jmattson@google.com> +X-Patchwork-Id: 9950035 +Message-Id: <20170912200254.111560-1-jmattson@google.com> +To: kvm@vger.kernel.org, P J P <ppandit@redhat.com>, + Paolo Bonzini <pbonzini@redhat.com> +Cc: Jim Mattson <jmattson@google.com> +Date: Tue, 12 Sep 2017 13:02:54 -0700 + +If L1 does not specify the "use TPR shadow" VM-execution control in +vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store +exiting" VM-execution controls in vmcs02. Failure to do so will give +the L2 VM unrestricted read/write access to the hardware CR8. + +This fixes CVE-2017-12154. + +Signed-off-by: Jim Mattson <jmattson@google.com> +--- + arch/x86/kvm/vmx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index c6efc1f88b25..885b7eed4320 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10525,6 +10525,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, + if (exec_control & CPU_BASED_TPR_SHADOW) { + vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull); + vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold); ++ } else { ++#ifdef CONFIG_X86_64 ++ exec_control |= CPU_BASED_CR8_LOAD_EXITING | ++ CPU_BASED_CR8_STORE_EXITING; ++#endif + } + + /* |