[SRU][Artful][PATCH 1/1] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

Khaled Elmously khalid.elmously at canonical.com
Mon Feb 5 15:49:59 UTC 2018


On 2018-02-05 11:17:52 , Kleber Souza wrote:
> Hi Khaled,
> 
> On 01/26/18 17:57, Kleber Sacilotto de Souza wrote:
> > From: Andrew Honig <ahonig at google.com>
> > 
> > This fixes CVE-2017-1000407.
> 
> I noticed that the above line has been removed on the commit pushed to
> artful tree. This line comes from the mainline commit and we tend not to
> remove anything from the original commit message when applying it to our
> trees, that's why I had the line with the CVE number below the original
> provenance block. If you used our maint-modify-patch tool to add the CVE
> number, it always adds it to the first line of the commit message, so in
> that case it would be OK to keep both lines at the top.
> 
> Thanks,
> Kleber

I see.  I thought the line "This fixes CVE-..." was added by you so I was trying to keep the format consistent. I will fix it.

Thanks
-Khaled

> 
> > 
> > KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
> > the guest floods this port with writes it generates exceptions and
> > instability in the host kernel, leading to a crash.  With this change
> > guest writes to port 0x80 on Intel will behave the same as they
> > currently behave on AMD systems.
> > 
> > Prevent the flooding by removing the code that sets port 0x80 as a
> > passthrough port.  This is essentially the same as upstream patch
> > 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
> > for AMD chipsets and this patch is for Intel.
> > 
> > Signed-off-by: Andrew Honig <ahonig at google.com>
> > Signed-off-by: Jim Mattson <jmattson at google.com>
> > Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
> > Cc: <stable at vger.kernel.org>
> > Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
> > 
> > CVE-2017-1000407
> > (cherry picked from commit d59d51f088014f25c2562de59b9abff4f42a7468)
> > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> > ---
> >  arch/x86/kvm/vmx.c | 5 -----
> >  1 file changed, 5 deletions(-)
> > 
> > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> > index cb044cd17790..2a4bf9e267d8 100644
> > --- a/arch/x86/kvm/vmx.c
> > +++ b/arch/x86/kvm/vmx.c
> > @@ -6599,12 +6599,7 @@ static __init int hardware_setup(void)
> >  	memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
> >  	memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
> >  
> > -	/*
> > -	 * Allow direct access to the PC debug port (it is often used for I/O
> > -	 * delays, but the vmexits simply slow things down).
> > -	 */
> >  	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
> > -	clear_bit(0x80, vmx_io_bitmap_a);
> >  
> >  	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
> >  
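Review bot: Once the comment and "clear_bit(0x80, vmx_io_bitmap_a);" are removed, nothing next to "memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);" records that port 0x80 is now intercepted on purpose, so a later cleanup could reintroduce the passthrough as a performance tweak. Consider a short comment above that memset saying that every port, including the 0x80 debug port, has to cause a VM exit because a guest flooding it with writes destabilises the host, as the commit message explains. As a style point, the blank line left between the two bitmap memsets could be dropped so the two all-ones initialisations read as one group. Since this is a cherry-pick, both changes belong upstream rather than in this backport.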
> > 
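The bitmap behaviour the commit message describes, as an added example that is not part of the original patch or the kernel source: a user-space model of the two VMX I/O bitmaps that audits which ports are passed through before and after the change. The names struct io_bitmaps, setup_bitmaps, port_intercepted and count_passthrough are hypothetical; the layout assumed is bitmap A for ports 0x0000-0x7fff and bitmap B for ports 0x8000-0xffff, with a set bit forcing a VM exit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096	/* each VMX I/O bitmap occupies one 4 KiB page */

/* Assumed layout: A covers ports 0x0000-0x7fff, B covers 0x8000-0xffff.
 * Set bit = guest access causes a VM exit; clear bit = direct passthrough. */
struct io_bitmaps {
	uint8_t a[PAGE_SIZE];
	uint8_t b[PAGE_SIZE];
};

/* Hypothetical helper: legacy=1 models the code before the patch, 0 after. */
static void setup_bitmaps(struct io_bitmaps *bm, int legacy)
{
	memset(bm->a, 0xff, PAGE_SIZE);
	if (legacy)	/* stands in for the removed clear_bit(0x80, ...) */
		bm->a[0x80 / 8] &= (uint8_t)~(1u << (0x80 % 8));
	memset(bm->b, 0xff, PAGE_SIZE);
}

/* Returns 1 if a guest access to 'port' is intercepted, 0 if passed through. */
static int port_intercepted(const struct io_bitmaps *bm, uint16_t port)
{
	const uint8_t *page = (port < 0x8000) ? bm->a : bm->b;
	unsigned int bit = port & 0x7fff;

	return (page[bit / 8] >> (bit % 8)) & 1;
}

/* Audit: count passthrough ports; *first gets the lowest one, or -1 if none. */
static int count_passthrough(const struct io_bitmaps *bm, int *first)
{
	int n = 0;

	*first = -1;
	for (unsigned int port = 0; port <= 0xffff; port++)
		if (!port_intercepted(bm, (uint16_t)port) && n++ == 0)
			*first = (int)port;
	return n;
}

int main(void)
{
	static struct io_bitmaps bm;
	int first, n;

	for (int legacy = 1; legacy >= 0; legacy--) {
		setup_bitmaps(&bm, legacy);
		n = count_passthrough(&bm, &first);
		printf("legacy=%d passthrough=%d first=%d\n", legacy, n, first);
	}
	return 0;
}
```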



