KVM / Partial Mitigation for CVE-2017-5715
Peter Lieven
pl at kamp.de
Mon Jan 8 14:42:50 UTC 2018
Hi Kernel Team,

I found that there is a partial fix for CVE-2017-5715 upstream since yesterday:

kvm: vmx: Scrub hardware GPRs at VM-exit

Guest GPR values are live in the hardware GPRs at VM-exit. Do not
leave any guest values in hardware GPRs after the guest GPR values are
saved to the vcpu_vmx structure.

This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
Specifically, it defeats the Project Zero PoC for CVE 2017-5715.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788

Is it possible that you cherry-pick this patch for your first round of mitigation patches? It looks quite minimal and would
help to save hosts running different VMs. It seems that this is part of what Google came up with for their cloud platform.

Thanks,
Peter