Linux v4.4.12
This commit is contained in:
Laura Abbott
parent
8f427dedef
commit
4f4ecd1a03
|
|
@ -1,49 +0,0 @@
|
|||
From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
|
||||
Date: Mon, 16 May 2016 09:45:35 -0400
|
||||
Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
|
||||
was introduced by 9ba075a664df ("KVM: MTRR support").
|
||||
|
||||
0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
|
||||
size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
|
||||
which made access to index 124 out of bounds. The surrounding code only
|
||||
WARNs in this situation, thus the guest gained a limited read/write
|
||||
access to struct kvm_arch_vcpu.
|
||||
|
||||
0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
|
||||
MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
|
||||
was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
|
||||
not implemented in KVM, therefore 0x2f8 could never do anything useful
|
||||
and getting rid of it is safe.
|
||||
|
||||
This fixes CVE-2016-TBD.
|
||||
|
||||
Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: David Matlack <dmatlack@google.com>
|
||||
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/mtrr.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
|
||||
index 3f8c732117ec..c146f3c262c3 100644
|
||||
--- a/arch/x86/kvm/mtrr.c
|
||||
+++ b/arch/x86/kvm/mtrr.c
|
||||
@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
|
||||
case MSR_MTRRdefType:
|
||||
case MSR_IA32_CR_PAT:
|
||||
return true;
|
||||
- case 0x2f8:
|
||||
- return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
--
|
||||
2.5.5
|
||||
|
||||
11
kernel.spec
11
kernel.spec
|
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 11
|
||||
%define stable_update 12
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -647,9 +647,6 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
|
|||
#CVE-2016-0758 rhbz 1300257 1335386
|
||||
Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
|
||||
|
||||
#CVE-2016-3713 rhbz 1332139 1336410
|
||||
Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
|
||||
|
||||
#CVE-2016-4951 rhbz 1338625 1338626
|
||||
Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
|
||||
|
||||
|
|
@ -1361,9 +1358,6 @@ ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
|
|||
#CVE-2016-0758 rhbz 1300257 1335386
|
||||
ApplyPatch KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
|
||||
|
||||
#CVE-2016-3713 rhbz 1332139 1336410
|
||||
ApplyPatch KVM-MTRR-remove-MSR-0x2f8.patch
|
||||
|
||||
#CVE-2016-4951 rhbz 1338625 1338626
|
||||
ApplyPatch tipc-check-nl-sock-before-parsing-nested-attributes.patch
|
||||
|
||||
|
|
@ -2216,6 +2210,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jun 01 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.12-200
|
||||
- Linux v4.4.12
|
||||
|
||||
* Mon May 23 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.11-200
|
||||
- Linux v4.4.11
|
||||
- Actually apply one patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue