APPLIED[T]: [SRU][Trusty][PATCH 1/1] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

Stefan Bader stefan.bader at canonical.com
Fri Feb 2 09:41:39 UTC 2018


On 26.01.2018 17:57, Kleber Sacilotto de Souza wrote:
> From: Andrew Honig <ahonig at google.com>
> 
> This fixes CVE-2017-1000407.
> 
> KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
> the guest floods this port with writes it generates exceptions and
> instability in the host kernel, leading to a crash.  With this change
> guest writes to port 0x80 on Intel will behave the same as they
> currently behave on AMD systems.
> 
> Prevent the flooding by removing the code that sets port 0x80 as a
> passthrough port.  This is essentially the same as upstream patch
> 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
> for AMD chipsets and this patch is for Intel.
> 
> Signed-off-by: Andrew Honig <ahonig at google.com>
> Signed-off-by: Jim Mattson <jmattson at google.com>
> Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
> 
> CVE-2017-1000407
> (backported from commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---
>  arch/x86/kvm/vmx.c | 5 -----
>  1 file changed, 5 deletions(-)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 36af261a7dee..8454a201bd64 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -8719,12 +8719,7 @@ static int __init vmx_init(void)
>  	for (i = 0; i < max_shadow_read_only_fields; i++)
>  		clear_bit(shadow_read_only_fields[i], vmx_vmread_bitmap);
>  
> -	/*
> -	 * Allow direct access to the PC debug port (it is often used for I/O
> -	 * delays, but the vmexits simply slow things down).
> -	 */
>  	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
> -	clear_bit(0x80, vmx_io_bitmap_a);
>  
>  	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
>  
> 
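Review bot: In vmx_init(), once the comment and clear_bit(0x80, vmx_io_bitmap_a) are gone, the two memset(..., 0xff, PAGE_SIZE) calls are left with nothing saying that every I/O port, 0x80 included, is now intercepted on purpose. The deleted comment presented the passthrough as a way to avoid slow vmexits, so a one-line comment above memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE) stating that all ports must trap and that port 0x80 is deliberately not exempted (CVE-2017-1000407) would help keep a later optimization from reintroducing the bypass. Separately, the commit message says "backported" without stating what differs from upstream d59d51f088014f25c2562de59b9abff4f42a7468; a short line naming the adjustment would make the SRU review easier.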

