diff options
Diffstat (limited to 'kvm-x86-Check-CPL-in-segmented_write_std.patch')
-rw-r--r-- | kvm-x86-Check-CPL-in-segmented_write_std.patch | 43 |
1 files changed, 0 insertions, 43 deletions
diff --git a/kvm-x86-Check-CPL-in-segmented_write_std.patch b/kvm-x86-Check-CPL-in-segmented_write_std.patch deleted file mode 100644 index a0447d31c..000000000 --- a/kvm-x86-Check-CPL-in-segmented_write_std.patch +++ /dev/null @@ -1,43 +0,0 @@ -From patchwork Tue Jun 5 20:04:16 2018 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: kvm: x86: Check CPL in segmented_write_std -From: Bandan Das <bsd@redhat.com> -X-Patchwork-Id: 10449159 -Message-Id: <jpgtvqhuhj3.fsf@linux.bootlegged.copy> -To: kvm@vger.kernel.org -Cc: Paolo Bonzini <pbonzini@redhat.com>, - Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>, - Andy Lutomirski <luto@kernel.org> -Date: Tue, 05 Jun 2018 16:04:16 -0400 - -Certain instructions such as sgdt/sidt call segmented_write_std that -doesn't propagate access correctly. As such, during userspace induced -exception, the guest can incorrectly assume that the exception -happened in the kernel and panic. The emulated write function -segmented_write does seem to check access correctly. - -Reported-by: Andy Lutomirski <luto@kernel.org> -Signed-off-by: Bandan Das <bsd@redhat.com> ---- - arch/x86/kvm/x86.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 71e7cda6d014..871265f6a35f 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -4824,10 +4824,11 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, - struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); - void *data = val; - int r = X86EMUL_CONTINUE; -+ u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; - - while (bytes) { - gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr, -- PFERR_WRITE_MASK, -+ access | PFERR_WRITE_MASK, - exception); - unsigned offset = addr & (PAGE_SIZE-1); - unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset); |