From 088f35853be6303ddf60d321ef5f4ef44fd636cf Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 11 Jun 2018 16:15:37 -0500 Subject: Fix CVE-2018-10853 (rhbz 1589890 1589892) --- kernel.spec | 6 ++++ kvm-x86-Check-CPL-in-segmented_write_std.patch | 43 ++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 kvm-x86-Check-CPL-in-segmented_write_std.patch diff --git a/kernel.spec b/kernel.spec index a4e0f98c7..455b46d9d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -668,6 +668,9 @@ Patch513: ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch # https://www.spinics.net/lists/kernel/msg2818652.html applies cleanly to 4.17 Patch514: libata-Drop-SanDisk-SD7UB3Q-G1001-NOLPM-quirk.patch +# CVE-2018-10853 rhbz 1589890 1589892 +Patch515: kvm-x86-Check-CPL-in-segmented_write_std.patch + # END OF PATCH DEFINITIONS %endif @@ -1918,6 +1921,9 @@ fi # # %changelog +* Mon Jun 11 2018 Justin M. Forbes +- Fix CVE-2018-10853 (rhbz 1589890 1589892) + * Tue Jun 05 2018 Jeremy Cline - Enable CONFIG_SCSI_DH on s390x (rhbz 1586189) diff --git a/kvm-x86-Check-CPL-in-segmented_write_std.patch b/kvm-x86-Check-CPL-in-segmented_write_std.patch new file mode 100644 index 000000000..a0447d31c --- /dev/null +++ b/kvm-x86-Check-CPL-in-segmented_write_std.patch 
@@ -0,0 +1,43 @@
+From patchwork Tue Jun 5 20:04:16 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: kvm: x86: Check CPL in segmented_write_std
+From: Bandan Das
+X-Patchwork-Id: 10449159
+Message-Id:
+To: kvm@vger.kernel.org
+Cc: Paolo Bonzini ,
+ Radim =?utf-8?B?S3LEjW3DocWZ?= ,
+ Andy Lutomirski
+Date: Tue, 05 Jun 2018 16:04:16 -0400
+
+Certain instructions such as sgdt/sidt call segmented_write_std that
+doesn't propagate access correctly. As such, during userspace induced
+exception, the guest can incorrectly assume that the exception
+happened in the kernel and panic. The emulated write function
+segmented_write does seem to check access correctly.
+
+Reported-by: Andy Lutomirski
+Signed-off-by: Bandan Das
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 71e7cda6d014..871265f6a35f 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4824,10 +4824,11 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+ void *data = val;
+ int r = X86EMUL_CONTINUE;
++ u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
+
+ while (bytes) {
+ gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr,
+- PFERR_WRITE_MASK,
++ access | PFERR_WRITE_MASK,
+ exception);
+ unsigned offset = addr & (PAGE_SIZE-1);
+ unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
-- cgit
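Review bot: The CPL-derived `access` mask is applied inside kvm_write_guest_virt_system itself, so every caller of that helper — not only the sgdt/sidt path the description names — now performs a user-mode page walk whenever the guest runs at CPL 3; the `_system` suffix suggests some callers (task-switch state writes are the usual example) rely on supervisor-level access, so confirm each caller wants this, or pass the decision in from the segmented_write_std call site instead (e.g. a `bool system` parameter that the sgdt/sidt path sets to false). Only the write path is changed here; if the matching read helper that the emulator's read_std uses for the load-side instructions does the same unconditional supervisor walk, it needs the same treatment. A short comment above the new declaration would record the intent, e.g. `/* walk at the guest's current privilege level so a CPL-3 access to supervisor-only memory faults and is reported as a user-mode fault, as on real hardware */`. The body of kvm_write_guest_virt_system continues outside the hunk.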