CVE-2015-0239 kvm: insufficient sysenter emulation from 16-bit (rhbz 1186448 1186453)

KVM-x86-SYSENTER-emulation-is-broken.patch

@@ -0,0 +1,81 @@
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 1 Jan 2015 23:11:11 +0200
+Subject: [PATCH] KVM: x86: SYSENTER emulation is broken
+
+SYSENTER emulation is broken in several ways:
+1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
+2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
+   still be set without causing #GP).
+3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
+   legacy-mode.
+4. There is some unneeded code.
+
+Fix it.
+
+Cc: stable@vger.linux.org
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 22e7ed9e6d8e..ac640d47c28d 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
+ 	 * Not recognized on AMD in compat mode (but is recognized in legacy
+ 	 * mode).
+ 	 */
+-	if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
++	if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
+ 	    && !vendor_intel(ctxt))
+ 		return emulate_ud(ctxt);
+ 
+@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
+ 	setup_syscalls_segments(ctxt, &cs, &ss);
+ 
+ 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+-	switch (ctxt->mode) {
+-	case X86EMUL_MODE_PROT32:
+-		if ((msr_data & 0xfffc) == 0x0)
+-			return emulate_gp(ctxt, 0);
+-		break;
+-	case X86EMUL_MODE_PROT64:
+-		if (msr_data == 0x0)
+-			return emulate_gp(ctxt, 0);
+-		break;
+-	default:
+-		break;
+-	}
++	if ((msr_data & 0xfffc) == 0x0)
++		return emulate_gp(ctxt, 0);
+ 
+ 	ctxt->eflags &= ~(EFLG_VM | EFLG_IF);
+-	cs_sel = (u16)msr_data;
+-	cs_sel &= ~SELECTOR_RPL_MASK;
++	cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
+ 	ss_sel = cs_sel + 8;
+-	ss_sel &= ~SELECTOR_RPL_MASK;
+-	if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
++	if (efer & EFER_LMA) {
+ 		cs.d = 0;
+ 		cs.l = 1;
+ 	}
+@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
+ 	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+ 
+ 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
+-	ctxt->_eip = msr_data;
++	ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
+ 
+ 	ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
+-	*reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
++	*reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
++							      (u32)msr_data;
+ 
+ 	return X86EMUL_CONTINUE;
+ }
+-- 
+2.1.0
+

kernel.spec

@@ -653,6 +653,10 @@ Patch30001: mpssd-x86-only.patch
 Patch30002: stable-3.18.4-queue.patch
 Patch30003: xhci-check-if-slot-is-already-in-default-state.patch
 
+#CVE-2015-0239 rhbz 1186448 1186453
+Patch30004: KVM-x86-SYSENTER-emulation-is-broken.patch
+
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1411,6 +1415,9 @@ ApplyPatch mpssd-x86-only.patch
 ApplyPatch stable-3.18.4-queue.patch
 ApplyPatch xhci-check-if-slot-is-already-in-default-state.patch
 
+#CVE-2015-0239 rhbz 1186448 1186453
+ApplyPatch KVM-x86-SYSENTER-emulation-is-broken.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2281,6 +2288,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Tue Jan 27 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-0239 kvm: insufficient sysenter emulation from 16-bit (rhbz 1186448 1186453)
+
 * Mon Jan 19 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.3-201
 - Add fixes from 3.18.4 queue to fix i915 issues (rhbz 1183232)
 - xhci: Check if slot is already in default state before moving it there (rhbz 1183289)