ACK: [PATCH] KVM: x86: Introduce segmented_write_std

Stefan Bader stefan.bader at canonical.com
Thu Jul 19 12:15:19 UTC 2018 

On 19.07.2018 12:58, Colin King wrote:
> CVE-2017-2584
> 
> Introduces segemented_write_std.
> 
> Switches from emulated reads/writes to standard read/writes in fxsave,
> fxrstor, sgdt, and sidt.  This fixes CVE-2017-2584, a longstanding
> kernel memory leak.
> 
> Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
> 2016-11-09), which is luckily not yet in any final release, this would
> also be an exploitable kernel memory *write*!
> 
> Note: backport removes changes to functions em_sgdt and fxrstor_fixup
> as these don't exist in Trusty and were introduced in 2016 with commit
> 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR")
> 
> Reported-by: Dmitry Vyukov <dvyukov at google.com>
> Cc: stable at vger.kernel.org
> Fixes: 96051572c819194c37a8367624b285be10297eca
> Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
> Suggested-by: Paolo Bonzini <pbonzini at redhat.com>
> Signed-off-by: Steve Rutherford <srutherford at google.com>
> Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> (backported from upstream fix 129a72a0d3c8e139a04512325384fe5ac119e74d)
> Signed-off-by: Colin Ian King <colin.king at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  arch/x86/kvm/emulate.c | 18 ++++++++++++++++--
>  1 file changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 2952452..d924843 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -809,6 +809,20 @@ static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
>  		goto done;						\
>  })
>  
> +static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
> +			       struct segmented_address addr,
> +			       void *data,
> +			       unsigned int size)
> +{
> +	int rc;
> +	ulong linear;
> +
> +	rc = linearize(ctxt, addr, size, true, &linear);
> +	if (rc != X86EMUL_CONTINUE)
> +		return rc;
> +	return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
> +}
> +
>  /*
>   * Given the 'reg' portion of a ModRM byte, and a register block, return a
>   * pointer into the block that addresses the relevant register.
> @@ -3244,8 +3258,8 @@ static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
>  	}
>  	/* Disable writeback. */
>  	ctxt->dst.type = OP_NONE;
> -	return segmented_write(ctxt, ctxt->dst.addr.mem,
> -			       &desc_ptr, 2 + ctxt->op_bytes);
> +	return segmented_write_std(ctxt, ctxt->dst.addr.mem,
> +				   &desc_ptr, 2 + ctxt->op_bytes);
>  }
>  
>  static int em_sgdt(struct x86_emulate_ctxt *ctxt)
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180719/8e1fe9fa/attachment.sig>

More information about the kernel-team mailing list