APPLIED: [PATCH 0/3] [SRU][B/master] CVE-2018-18021 - arm64 KVM DoS/privesc

Stefan Bader stefan.bader at canonical.com
Fri Mar 1 14:16:15 UTC 2019


On 19.02.19 14:02, Paolo Pisati wrote:
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18021.html
> 
> arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the
> arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by
> attackers who can create virtual machines. An attacker can arbitrarily
> redirect the hypervisor flow of control (with full register control). An
> attacker can also cause a denial of service (hypervisor panic) via an
> illegal exception return. This occurs because of insufficient restrictions
> on userspace access to the core register file, and because PSTATE.M
> validation does not prevent unintended execution modes.
> 
> Two patches are required to fix the issue:
> 
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d26c25a9d19b5976b319af528886f89cf455692d
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2a3f93459d689d990b3ecfbe782fec89b97d3279
> 
> Patch 0001 is a cherry-pick of the first break fix.
> Patch 0002 contains only a helper function used by patch 0003.
> Patch 0003 is a backport of the second break fix with some contextual
> modification: in particular, commit 256c0960b7b6453dc90a4e879da52ab76b4037f9
> renamed all s/COMPAT_PSR/PSR_AA32/g #defines treewide while leaving their value
> unaltered, so in patch 0003 I reverted back to the COMPAT_PSR #defines used in
> Bionic.
> 
> Tested on arm64 as a kvm host and as a kvm guest.
> 
> Christoffer Dall (1):
>   KVM: arm/arm64: Introduce vcpu_el1_is_32bit
> 
> Dave Martin (1):
>   arm64: KVM: Tighten guest core register access from userspace
> 
> Marc Zyngier (1):
>   arm64: KVM: Sanitize PSTATE.M when being set from userspace
> 
>  arch/arm64/include/asm/kvm_emulate.h |  5 ++++
>  arch/arm64/kvm/guest.c               | 55 +++++++++++++++++++++++++++++++++++-
>  2 files changed, 59 insertions(+), 1 deletion(-)
> 
Applied to bionic/master-next making the requested modifications. Thanks.

-Stefan
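
An added example, not code from this patch series or the kernel: a user-space C model of the two checks the series backports, a bounds/alignment check on the core register offset written through KVM_SET_ONE_REG, and a PSTATE.M whitelist keyed on whether the vCPU's EL1 is AArch32. The struct layouts, validate_core_offset and sanitize_pstate are this example's own names and simplifications; the kernel's exact logic is in the two linked commits.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Architectural PSTATE.M encodings: AArch64 EL modes and AArch32 modes. */
#define PSR_MODE_EL0t        0x00
#define PSR_MODE_EL1t        0x04
#define PSR_MODE_EL1h        0x05
#define COMPAT_PSR_MODE_MASK 0x1f
#define COMPAT_PSR_MODE_USR  0x10
#define COMPAT_PSR_MODE_FIQ  0x11
#define COMPAT_PSR_MODE_IRQ  0x12
#define COMPAT_PSR_MODE_SVC  0x13
#define COMPAT_PSR_MODE_ABT  0x17
#define COMPAT_PSR_MODE_UND  0x1b

/* Model of the guest core register file reachable through KVM_SET_ONE_REG. */
struct core_regs { uint64_t regs[31], sp, pc, pstate; };
/* Hypothetical stand-in for vcpu_el1_is_32bit(): is this vCPU's EL1 AArch32? */
struct vcpu { bool el1_is_32bit; struct core_regs core; };

/* First fix, modelled: a write must lie wholly inside the register file and be
 * naturally aligned; an unchecked offset/size pair can spill past it. */
int validate_core_offset(size_t off, size_t size)
{
    if (size == 0 || size > sizeof(uint64_t) || off % size != 0)
        return -EINVAL;
    if (off > sizeof(struct core_regs) || size > sizeof(struct core_regs) - off)
        return -EINVAL;
    return 0;
}

/* Second fix, modelled: accept only modes the guest may legitimately run in,
 * and only those matching the vCPU's register width; refuse everything else. */
int sanitize_pstate(const struct vcpu *v, uint64_t pstate)
{
    switch ((uint32_t)pstate & COMPAT_PSR_MODE_MASK) {
    case COMPAT_PSR_MODE_USR:   /* AArch32 EL0 is legal under either EL1 width */
        return 0;
    case COMPAT_PSR_MODE_FIQ: case COMPAT_PSR_MODE_IRQ: case COMPAT_PSR_MODE_SVC:
    case COMPAT_PSR_MODE_ABT: case COMPAT_PSR_MODE_UND:
        return v->el1_is_32bit ? 0 : -EINVAL;
    case PSR_MODE_EL0t: case PSR_MODE_EL1t: case PSR_MODE_EL1h:
        return v->el1_is_32bit ? -EINVAL : 0;
    default:  /* EL2/EL3 and reserved encodings would return into the host */
        return -EINVAL;
    }
}
```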
