CVE-2015-0239 kvm: insufficient sysenter emulation from 16-bit (rhbz 1186448 1186453)
This commit is contained in:
parent
aa7180f4aa
commit
aaa68966b7
|
@ -0,0 +1,81 @@
|
|||
From: Nadav Amit <namit@cs.technion.ac.il>
|
||||
Date: Thu, 1 Jan 2015 23:11:11 +0200
|
||||
Subject: [PATCH] KVM: x86: SYSENTER emulation is broken
|
||||
|
||||
SYSENTER emulation is broken in several ways:
|
||||
1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
|
||||
2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
|
||||
still be set without causing #GP).
|
||||
3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
|
||||
legacy-mode.
|
||||
4. There is some unneeded code.
|
||||
|
||||
Fix it.
|
||||
|
||||
Cc: stable@vger.linux.org
|
||||
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 27 ++++++++-------------------
|
||||
1 file changed, 8 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
|
||||
index 22e7ed9e6d8e..ac640d47c28d 100644
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
|
||||
* Not recognized on AMD in compat mode (but is recognized in legacy
|
||||
* mode).
|
||||
*/
|
||||
- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
|
||||
+ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
|
||||
&& !vendor_intel(ctxt))
|
||||
return emulate_ud(ctxt);
|
||||
|
||||
@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
|
||||
setup_syscalls_segments(ctxt, &cs, &ss);
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
|
||||
- switch (ctxt->mode) {
|
||||
- case X86EMUL_MODE_PROT32:
|
||||
- if ((msr_data & 0xfffc) == 0x0)
|
||||
- return emulate_gp(ctxt, 0);
|
||||
- break;
|
||||
- case X86EMUL_MODE_PROT64:
|
||||
- if (msr_data == 0x0)
|
||||
- return emulate_gp(ctxt, 0);
|
||||
- break;
|
||||
- default:
|
||||
- break;
|
||||
- }
|
||||
+ if ((msr_data & 0xfffc) == 0x0)
|
||||
+ return emulate_gp(ctxt, 0);
|
||||
|
||||
ctxt->eflags &= ~(EFLG_VM | EFLG_IF);
|
||||
- cs_sel = (u16)msr_data;
|
||||
- cs_sel &= ~SELECTOR_RPL_MASK;
|
||||
+ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
|
||||
ss_sel = cs_sel + 8;
|
||||
- ss_sel &= ~SELECTOR_RPL_MASK;
|
||||
- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
|
||||
+ if (efer & EFER_LMA) {
|
||||
cs.d = 0;
|
||||
cs.l = 1;
|
||||
}
|
||||
@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
|
||||
ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
|
||||
- ctxt->_eip = msr_data;
|
||||
+ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
|
||||
- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
|
||||
+ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
|
||||
+ (u32)msr_data;
|
||||
|
||||
return X86EMUL_CONTINUE;
|
||||
}
|
||||
--
|
||||
2.1.0
|
||||
|
10
kernel.spec
10
kernel.spec
|
@ -653,6 +653,10 @@ Patch30001: mpssd-x86-only.patch
|
|||
Patch30002: stable-3.18.4-queue.patch
|
||||
Patch30003: xhci-check-if-slot-is-already-in-default-state.patch
|
||||
|
||||
#CVE-2015-0239 rhbz 1186448 1186453
|
||||
Patch30004: KVM-x86-SYSENTER-emulation-is-broken.patch
|
||||
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1411,6 +1415,9 @@ ApplyPatch mpssd-x86-only.patch
|
|||
ApplyPatch stable-3.18.4-queue.patch
|
||||
ApplyPatch xhci-check-if-slot-is-already-in-default-state.patch
|
||||
|
||||
#CVE-2015-0239 rhbz 1186448 1186453
|
||||
ApplyPatch KVM-x86-SYSENTER-emulation-is-broken.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
@ -2281,6 +2288,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Tue Jan 27 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-0239 kvm: insufficient sysenter emulation from 16-bit (rhbz 1186448 1186453)
|
||||
|
||||
* Mon Jan 19 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.3-201
|
||||
- Add fixes from 3.18.4 queue to fix i915 issues (rhbz 1183232)
|
||||
- xhci: Check if slot is already in default state before moving it there (rhbz 1183289)
|
||||
|
|
Loading…
Reference in New Issue