Fix CVE-2018-10853 (rhbz 1589890 1589892)
This commit is contained in:
Justin M. Forbes
parent
15597c8e3d
commit
54cfed8dfd
|
|
@ -628,6 +628,9 @@ Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
|
|||
# https://www.spinics.net/lists/linux-acpi/msg82405.html
|
||||
Patch504: mailbox-ACPI-erroneous-error-message-when-parsing-ACPI.patch
|
||||
|
||||
# CVE-2018-10853 rhbz 1589890 1589892
|
||||
Patch505: kvm-x86-Check-CPL-in-segmented_write_std.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1863,7 +1866,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jun 06 2018 Justin M. Forbes <jforbes@fedoraproject.org>A
|
||||
* Mon Jun 11 2018 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2018-10853 (rhbz 1589890 1589892)
|
||||
|
||||
* Wed Jun 06 2018 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Secure Boot updates for 4.17 stable
|
||||
|
||||
* Wed Jun 06 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.0-1
|
||||
|
|
|
|||
|
|
@ -0,0 +1,43 @@
|
|||
From patchwork Tue Jun 5 20:04:16 2018
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: kvm: x86: Check CPL in segmented_write_std
|
||||
From: Bandan Das <bsd@redhat.com>
|
||||
X-Patchwork-Id: 10449159
|
||||
Message-Id: <jpgtvqhuhj3.fsf@linux.bootlegged.copy>
|
||||
To: kvm@vger.kernel.org
|
||||
Cc: Paolo Bonzini <pbonzini@redhat.com>,
|
||||
Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>,
|
||||
Andy Lutomirski <luto@kernel.org>
|
||||
Date: Tue, 05 Jun 2018 16:04:16 -0400
|
||||
|
||||
Certain instructions such as sgdt/sidt call segmented_write_std that
|
||||
doesn't propagate access correctly. As such, during userspace induced
|
||||
exception, the guest can incorrectly assume that the exception
|
||||
happened in the kernel and panic. The emulated write function
|
||||
segmented_write does seem to check access correctly.
|
||||
|
||||
Reported-by: Andy Lutomirski <luto@kernel.org>
|
||||
Signed-off-by: Bandan Das <bsd@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/x86.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
|
||||
index 71e7cda6d014..871265f6a35f 100644
|
||||
--- a/arch/x86/kvm/x86.c
|
||||
+++ b/arch/x86/kvm/x86.c
|
||||
@@ -4824,10 +4824,11 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
|
||||
struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
|
||||
void *data = val;
|
||||
int r = X86EMUL_CONTINUE;
|
||||
+ u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
|
||||
|
||||
while (bytes) {
|
||||
gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr,
|
||||
- PFERR_WRITE_MASK,
|
||||
+ access | PFERR_WRITE_MASK,
|
||||
exception);
|
||||
unsigned offset = addr & (PAGE_SIZE-1);
|
||||
unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
|
||||
Loading…
Reference in New Issue