APPLIED: [PATCH 0/3] [SRU][B/master] CVE-2018-18021 - arm64 KVM DoS/privesc
stefan.bader at canonical.com
Fri Mar 1 14:16:15 UTC 2019
On 19.02.19 14:02, Paolo Pisati wrote:
> arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the
> arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by
> attackers who can create virtual machines. An attacker can arbitrarily
> redirect the hypervisor flow of control (with full register control). An
> attacker can also cause a denial of service (hypervisor panic) via an
> illegal exception return. This occurs because of insufficient restrictions
> on userspace access to the core register file, and because PSTATE.M
> validation does not prevent unintended execution modes.
> Two patches are required to fix the issue:
> Patch 0001 is a cherry-pick of the first break fix.
> Patch 0002 contains only a helper function used by patch 0003.
> Patch 0003 is a backport of the second break fix with some contextual
> modification: in particular, commit 256c0960b7b6453dc90a4e879da52ab76b4037f9
> renamed all s/COMPAT_PSR/PSR_AA32/g #defines treewide while leaving their value
> unaltered, so in patch 0003 I reverted back to the COMPAT_PSR #defines used in
> Tested on arm64 as a kvm host and as a kvm guest.
> Christoffer Dall (1):
> KVM: arm/arm64: Introduce vcpu_el1_is_32bit
> Dave Martin (1):
> arm64: KVM: Tighten guest core register access from userspace
> Marc Zyngier (1):
> arm64: KVM: Sanitize PSTATE.M when being set from userspace
> arch/arm64/include/asm/kvm_emulate.h | 5 ++++
> arch/arm64/kvm/guest.c | 55 +++++++++++++++++++++++++++++++++++-
> 2 files changed, 59 insertions(+), 1 deletion(-)
Applied to bionic/master-next making the requested modifications. Thanks.
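The PSTATE.M check that the patch titles above describe, as an added illustration rather than the kernel's or this series' code: a "before" setter that stores whatever userspace passes beside an "after" setter that rejects modes a guest may not run in. The `struct vcpu`, its two flags, the allowlist, and the helpers `try_set_sanitized` and `mode_after_unchecked` are assumptions made for the example; the `PSR_MODE_*` and `COMPAT_PSR_MODE_*` values are the architectural PSTATE.M encodings (the cover letter notes the COMPAT_PSR names were later renamed PSR_AA32 with unchanged values).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural PSTATE.M encodings. The low nibble selects the exception level
 * and stack pointer; bit 4 (PSR_MODE32_BIT) selects an AArch32 mode. */
#define PSR_MODE_EL0t        0x00000000
#define PSR_MODE_EL1t        0x00000004
#define PSR_MODE_EL1h        0x00000005
#define PSR_MODE_EL2t        0x00000008
#define PSR_MODE_EL2h        0x00000009
#define PSR_MODE_EL3t        0x0000000c
#define PSR_MODE_EL3h        0x0000000d
#define PSR_MODE32_BIT       0x00000010

/* AArch32 modes under the COMPAT_PSR_* names used in the cover letter. */
#define COMPAT_PSR_MODE_USR  0x00000010
#define COMPAT_PSR_MODE_FIQ  0x00000011
#define COMPAT_PSR_MODE_IRQ  0x00000012
#define COMPAT_PSR_MODE_SVC  0x00000013
#define COMPAT_PSR_MODE_ABT  0x00000017
#define COMPAT_PSR_MODE_UND  0x0000001b
#define COMPAT_PSR_MODE_MASK 0x0000001f

/* Hypothetical, heavily reduced vcpu model for this example; not struct kvm_vcpu. */
struct vcpu {
    bool el1_is_32bit;           /* guest EL1 runs AArch32 */
    bool sys_supports_32bit_el0; /* host CPU can run AArch32 at EL0 */
    uint64_t pstate;             /* guest's saved PSTATE core register */
};

static bool vcpu_el1_is_32bit(const struct vcpu *v) { return v->el1_is_32bit; }

/* "Before": the value from userspace becomes the guest's PSTATE verbatim. An
 * EL2/EL3 encoding, an AArch32 mode on an AArch64 guest, or an unallocated
 * value is then consumed at the next exception return into the guest. */
static int set_pstate_unchecked(struct vcpu *v, uint64_t pstate)
{
    v->pstate = pstate;
    return 0;
}

/* "After": only modes a guest may legitimately run in are accepted, and the
 * AArch32/AArch64 choice must agree with how the vcpu was configured. */
static int set_pstate_sanitized(struct vcpu *v, uint64_t pstate)
{
    uint32_t mode = (uint32_t)pstate & COMPAT_PSR_MODE_MASK;

    switch (mode) {
    case COMPAT_PSR_MODE_USR:
        if (!v->sys_supports_32bit_el0)
            return -EINVAL;
        break;
    case COMPAT_PSR_MODE_FIQ:
    case COMPAT_PSR_MODE_IRQ:
    case COMPAT_PSR_MODE_SVC:
    case COMPAT_PSR_MODE_ABT:
    case COMPAT_PSR_MODE_UND:
        if (!vcpu_el1_is_32bit(v))
            return -EINVAL;
        break;
    case PSR_MODE_EL0t:
    case PSR_MODE_EL1t:
    case PSR_MODE_EL1h:
        if (vcpu_el1_is_32bit(v))
            return -EINVAL;
        break;
    default: /* EL2/EL3 and every unallocated encoding */
        return -EINVAL;
    }
    v->pstate = pstate;
    return 0;
}

/* Helpers so the outcome of one register write can be inspected directly. */
static int try_set_sanitized(bool el1_32, uint64_t pstate)
{
    struct vcpu v = { .el1_is_32bit = el1_32, .sys_supports_32bit_el0 = true,
                      .pstate = el1_32 ? COMPAT_PSR_MODE_SVC : PSR_MODE_EL1h };
    return set_pstate_sanitized(&v, pstate);
}

static uint64_t mode_after_unchecked(uint64_t pstate)
{
    struct vcpu v = { .pstate = PSR_MODE_EL1h };
    set_pstate_unchecked(&v, pstate);
    return v.pstate & COMPAT_PSR_MODE_MASK;
}

int main(void)
{
    /* Constructed probe values: legal EL1h, hypervisor EL2h, secure EL3h,
     * an AArch32 SVC mode, and an unallocated AArch64 encoding. */
    const uint64_t probes[] = { PSR_MODE_EL1h, PSR_MODE_EL2h, PSR_MODE_EL3h,
                                COMPAT_PSR_MODE_SVC, 0x6 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("mode 0x%02llx: unchecked stores 0x%02llx, "
               "sanitized 64-bit vcpu -> %d, 32-bit vcpu -> %d\n",
               (unsigned long long)probes[i],
               (unsigned long long)mode_after_unchecked(probes[i]),
               try_set_sanitized(false, probes[i]),
               try_set_sanitized(true, probes[i]));
    return 0;
}
```

The unchecked path shows why the CVE text speaks of redirecting hypervisor control flow: a stored EL2h mode is loaded on the next ERET into the guest. The sanitized path answers with -EINVAL for anything outside the allowlist, which is the behaviour a userspace caller of KVM_SET_ONE_REG should expect from a patched host.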