From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Steve Rutherford <srutherford@google.com>
Subject: [PATCH 4.4 15/48] KVM: x86: Introduce segmented_write_std
Date: Wed, 18 Jan 2017 11:46:24 +0100 [thread overview]
Message-ID: <20170118104626.177322576@linuxfoundation.org> (raw)
In-Reply-To: <20170118104625.550018627@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve Rutherford <srutherford@google.com>
commit 129a72a0d3c8e139a04512325384fe5ac119e74d upstream.
Introduces segemented_write_std.
Switches from emulated reads/writes to standard read/writes in fxsave,
fxrstor, sgdt, and sidt. This fixes CVE-2017-2584, a longstanding
kernel memory leak.
Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
2016-11-09), which is luckily not yet in any final release, this would
also be an exploitable kernel memory *write*!
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: 96051572c819194c37a8367624b285be10297eca
Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Steve Rutherford <srutherford@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/emulate.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -803,6 +803,20 @@ static int segmented_read_std(struct x86
return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
}
+static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
+ struct segmented_address addr,
+ void *data,
+ unsigned int size)
+{
+ int rc;
+ ulong linear;
+
+ rc = linearize(ctxt, addr, size, true, &linear);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
+}
+
/*
* Prefetch the remaining bytes of the instruction without crossing page
* boundary if they are not in fetch_cache yet.
@@ -3698,8 +3712,8 @@ static int emulate_store_desc_ptr(struct
}
/* Disable writeback. */
ctxt->dst.type = OP_NONE;
- return segmented_write(ctxt, ctxt->dst.addr.mem,
- &desc_ptr, 2 + ctxt->op_bytes);
+ return segmented_write_std(ctxt, ctxt->dst.addr.mem,
+ &desc_ptr, 2 + ctxt->op_bytes);
}
static int em_sgdt(struct x86_emulate_ctxt *ctxt)
@@ -3945,7 +3959,7 @@ static int em_fxsave(struct x86_emulate_
else
size = offsetof(struct fxregs_state, xmm_space[0]);
- return segmented_write(ctxt, ctxt->memop.addr.mem, &fx_state, size);
+ return segmented_write_std(ctxt, ctxt->memop.addr.mem, &fx_state, size);
}
static int fxrstor_fixup(struct x86_emulate_ctxt *ctxt,
@@ -3987,7 +4001,7 @@ static int em_fxrstor(struct x86_emulate
if (rc != X86EMUL_CONTINUE)
return rc;
- rc = segmented_read(ctxt, ctxt->memop.addr.mem, &fx_state, 512);
+ rc = segmented_read_std(ctxt, ctxt->memop.addr.mem, &fx_state, 512);
if (rc != X86EMUL_CONTINUE)
return rc;
next prev parent reply other threads:[~2017-01-18 10:49 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20170118104957epcas3p3c8bb456f6ed6bf7171f9b645196aafc7@epcas3p3.samsung.com>
2017-01-18 10:46 ` [PATCH 4.4 00/48] 4.4.44-stable review Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 01/48] Input: xpad - use correct product id for x360w controllers Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 02/48] Input: i8042 - add Pegatron touchpad to noloop table Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 03/48] selftests: do not require bash to run netsocktests testcase Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 04/48] selftests: do not require bash for the generated test Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 05/48] mm: fix devm_memremap_pages crash, use mem_hotplug_{begin, done} Greg Kroah-Hartman
2017-02-09 15:26 ` Ben Hutchings
2017-02-10 5:00 ` Dan Williams
2017-02-10 5:00 ` Dan Williams
2017-02-10 5:00 ` Dan Williams
2017-01-18 10:46 ` [PATCH 4.4 06/48] ocfs2: fix crash caused by stale lvb with fsdlm plugin Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 07/48] mm/hugetlb.c: fix reservation race when freeing surplus pages Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 08/48] KVM: x86: fix emulation of "MOV SS, null selector" Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 10/48] jump_labels: API for flushing deferred jump label updates Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 11/48] KVM: x86: flush pending lapic jump label updates on module unload Greg Kroah-Hartman
2017-01-18 10:46 ` Greg Kroah-Hartman [this message]
2017-01-18 10:46 ` [PATCH 4.4 16/48] nl80211: fix sched scan netlink socket owner destruction Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 17/48] USB: serial: kl5kusb105: fix line-state error handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 18/48] USB: serial: ch341: fix initial modem-control state Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 19/48] USB: serial: ch341: fix open error handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 20/48] USB: serial: ch341: fix control-message " Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 21/48] USB: serial: ch341: fix open and resume after B0 Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 22/48] Input: elants_i2c - avoid divide by 0 errors on bad touchscreen data Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 23/48] i2c: print correct device invalid address Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 24/48] i2c: fix kernel memory disclosure in dev interface Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 25/48] xhci: fix deadlock at host remove by running watchdog correctly Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 27/48] mnt: Protect the mountpoint hashtable with mount_lock Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 28/48] tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 29/48] sysrq: attach sysrq handler correctly for 32-bit kernel Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 30/48] sysctl: Drop reference added by grab_header in proc_sys_readdir Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 31/48] drm/radeon: drop verde dpm quirks Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 32/48] USB: serial: ch341: fix resume after reset Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 33/48] USB: serial: ch341: fix modem-control and B0 handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 34/48] x86/cpu: Fix bootup crashes by sanitizing the argument of the clearcpuid= command-line option Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 35/48] btrfs: fix locking when we put back a delayed ref thats too new Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 36/48] btrfs: fix error handling when run_delayed_extent_op fails Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 37/48] pinctrl: meson: fix gpio request disabling other modes Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 38/48] pNFS: Fix race in pnfs_wait_on_layoutreturn Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 39/48] NFS: Fix a performance regression in readdir Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 40/48] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 41/48] cpufreq: powernv: Disable preemption while checking CPU throttling state Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 42/48] block: cfq_cpd_alloc() should use @gfp Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 43/48] ACPI / APEI: Fix NMI notification handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 44/48] blk-mq: Always schedule hctx->next_cpu Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 45/48] bus: vexpress-config: fix device reference leak Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 46/48] powerpc/ibmebus: Fix further device reference leaks Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 47/48] powerpc/ibmebus: Fix device reference leaks in sysfs interface Greg Kroah-Hartman
2017-01-18 18:45 ` [PATCH 4.4 00/48] 4.4.44-stable review Guenter Roeck
2017-01-19 18:02 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170118104626.177322576@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dvyukov@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=srutherford@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.