[PATCH 0/3] [SRU][B/master] CVE-2018-18021 - arm64 KVM DoS/privesc

Paolo Pisati paolo.pisati at canonical.com
Tue Feb 19 13:02:32 UTC 2019


https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18021.html

arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the
arm64 platform mishandles the KVM_SET_ONE_REG ioctl. This is exploitable by
attackers who can create virtual machines. An attacker can arbitrarily
redirect the hypervisor flow of control (with full register control). An
attacker can also cause a denial of service (hypervisor panic) via an
illegal exception return. This occurs because of insufficient restrictions
on userspace access to the core register file, and because PSTATE.M
validation does not prevent unintended execution modes.

Two patches are required to fix the issue:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d26c25a9d19b5976b319af528886f89cf455692d
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2a3f93459d689d990b3ecfbe782fec89b97d3279

Patch 0001 is a cherry-pick of the first break fix.
Patch 0002 contains only a helper function used by patch 0003.
Patch 0003 is a backport of the second break fix with some contextual
modifications: in particular, commit 256c0960b7b6453dc90a4e879da52ab76b4037f9
renamed all s/COMPAT_PSR/PSR_AA32/g #defines treewide while leaving their value
unaltered, so in patch 0003 I reverted back to the COMPAT_PSR #defines used in
Bionic.

Tested on arm64 as a kvm host and as a kvm guest.

Christoffer Dall (1):
  KVM: arm/arm64: Introduce vcpu_el1_is_32bit

Dave Martin (1):
  arm64: KVM: Tighten guest core register access from userspace

Marc Zyngier (1):
  arm64: KVM: Sanitize PSTATE.M when being set from userspace

 arch/arm64/include/asm/kvm_emulate.h |  5 ++++
 arch/arm64/kvm/guest.c               | 55 +++++++++++++++++++++++++++++++++++-
 2 files changed, 59 insertions(+), 1 deletion(-)

-- 
2.7.4
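Added example (not part of the cover letter or of the patches themselves): a userspace C model of the PSTATE.M check that the second break fix adds to set_core_reg() in arch/arm64/kvm/guest.c, next to the unchecked store that the pre-fix code amounted to. struct model_vcpu, set_pstate_unchecked(), set_pstate_checked() and try_set_pstate() are hypothetical stand-ins for the real vcpu state and KVM_SET_ONE_REG path; the mode encodings are the uapi ptrace.h values, using the COMPAT_PSR_* names the cover letter says Bionic keeps.

```c
/*
 * Added example for this cover letter, not kernel code: a model of the
 * PSTATE.M sanitising that set_core_reg() gained in arch/arm64/kvm/guest.c.
 */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PSTATE.M encodings from arch/arm64/include/uapi/asm/ptrace.h. The AArch32
 * modes keep the COMPAT_PSR_* names used in Bionic; mainline renamed them
 * PSR_AA32_* in 256c0960b7b6 without changing the values. */
#define PSR_MODE_EL0t        0x00000000
#define PSR_MODE_EL1t        0x00000004
#define PSR_MODE_EL1h        0x00000005
#define PSR_MODE_EL2h        0x00000009
#define COMPAT_PSR_MODE_USR  0x00000010
#define COMPAT_PSR_MODE_FIQ  0x00000011
#define COMPAT_PSR_MODE_IRQ  0x00000012
#define COMPAT_PSR_MODE_SVC  0x00000013
#define COMPAT_PSR_MODE_ABT  0x00000017
#define COMPAT_PSR_MODE_UND  0x0000001b
#define COMPAT_PSR_MODE_SYS  0x0000001f
#define COMPAT_PSR_MODE_MASK 0x0000001f

/* Hypothetical vcpu state: what vcpu_el1_is_32bit() and
 * system_supports_32bit_el0() answer in the real kernel. */
struct model_vcpu {
    bool el1_is_32bit;   /* vcpu created with KVM_ARM_VCPU_EL1_32BIT */
    bool host_32bit_el0; /* CPU implements AArch32 at EL0 */
};

/* Before the fix: the value userspace passes is stored verbatim, so the next
 * guest entry performs an exception return into whatever mode it names. */
int set_pstate_unchecked(uint64_t *pstate, uint64_t val)
{
    *pstate = val;
    return 0;
}

/* After the fix: only modes this guest may legitimately run in are stored.
 * EL2/EL3 modes, AArch32 SYS mode and undefined encodings get -EINVAL. */
int set_pstate_checked(const struct model_vcpu *v, uint64_t *pstate, uint64_t val)
{
    uint32_t mode = (uint32_t)val & COMPAT_PSR_MODE_MASK;

    switch (mode) {
    case COMPAT_PSR_MODE_USR:
        /* AArch32 EL0 is fine for any guest, but only on hardware that has it. */
        if (!v->host_32bit_el0)
            return -EINVAL;
        break;
    case COMPAT_PSR_MODE_FIQ:
    case COMPAT_PSR_MODE_IRQ:
    case COMPAT_PSR_MODE_SVC:
    case COMPAT_PSR_MODE_ABT:
    case COMPAT_PSR_MODE_UND:
        /* AArch32 privileged modes only for a 32-bit EL1 guest. */
        if (!v->el1_is_32bit)
            return -EINVAL;
        break;
    case PSR_MODE_EL0t:
    case PSR_MODE_EL1t:
    case PSR_MODE_EL1h:
        /* AArch64 EL0/EL1 modes only for a 64-bit EL1 guest. */
        if (v->el1_is_32bit)
            return -EINVAL;
        break;
    default:
        return -EINVAL;
    }
    *pstate = val;
    return 0;
}

/* Convenience wrapper: errno-style result of one checked PSTATE write. */
int try_set_pstate(bool el1_is_32bit, bool host_32bit_el0, uint64_t val)
{
    struct model_vcpu v = { el1_is_32bit, host_32bit_el0 };
    uint64_t pstate = PSR_MODE_EL1h;
    return set_pstate_checked(&v, &pstate, val);
}

int main(void)
{
    uint64_t pstate = 0;
    /* Constructed inputs: a normal 64-bit guest PSTATE (DAIF masked, EL1h)
     * and one whose M field names EL2h, the level the hypervisor runs at. */
    uint64_t sane = 0x3c5, hyp = 0x3c0 | PSR_MODE_EL2h;

    printf("unchecked EL2h: %d (stored)\n", set_pstate_unchecked(&pstate, hyp));
    printf("checked   EL2h: %d (rejected)\n", try_set_pstate(false, true, hyp));
    printf("checked   EL1h: %d (accepted)\n", try_set_pstate(false, true, sane));
    printf("checked   SVC on 32-bit vcpu: %d\n", try_set_pstate(true, true, 0x1d3));
    printf("checked   EL1h on 32-bit vcpu: %d\n", try_set_pstate(true, true, sane));
    return 0;
}
```

The mask is COMPAT_PSR_MODE_MASK (0x1f) rather than the AArch64 PSR_MODE_MASK (0xf) so that an AArch32 encoding such as SVC (0x13) cannot alias an AArch64 EL1 mode; the unchecked variant is there only to make the contrast visible and must not be read as an exploit.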




More information about the kernel-team mailing list