From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jim Mattson <jmattson@google.com>,
David Hildenbrand <david@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 3.18 19/24] kvm: nVMX: Dont allow L2 to access the hardware CR8
Date: Tue, 3 Oct 2017 14:18:40 +0200 [thread overview]
Message-ID: <20171003113649.039336668@linuxfoundation.org> (raw)
In-Reply-To: <20171003113646.772919167@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f upstream.
If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
exiting" VM-execution controls in vmcs02. Failure to do so will give
the L2 VM unrestricted read/write access to the hardware CR8.
This fixes CVE-2017-12154.
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8275,6 +8275,11 @@ static void prepare_vmcs02(struct kvm_vc
vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
page_to_phys(vmx->nested.virtual_apic_page));
vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
+ } else {
+#ifdef CONFIG_X86_64
+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
+ CPU_BASED_CR8_STORE_EXITING;
+#endif
}
/*
next prev parent reply other threads:[~2017-10-03 12:19 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-03 12:18 [PATCH 3.18 00/24] 3.18.73-stable review Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 01/24] cifs: release cifs root_cred after exit_cifs Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 02/24] cifs: release auth_key.response for reconnect Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 03/24] mac80211: flush hw_roc_start work before cancelling the ROC Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 04/24] KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 05/24] tracing: Fix trace_pipe behavior for instance traces Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 06/24] tracing: Erase irqsoff trace with empty write Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 07/24] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesnt parse nlmsg properly Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 08/24] crypto: talitos - fix sha224 Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 09/24] KEYS: fix writing past end of user-supplied buffer in keyring_read() Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 10/24] KEYS: prevent creating a different users keyrings Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 11/24] KEYS: prevent KEYCTL_READ on negative key Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 12/24] powerpc/pseries: Fix parent_dn reference leak in add_dt_node() Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 13/24] SMB: Validate negotiate (to protect against downgrade) even if signing off Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 14/24] SMB3: Dont ignore O_SYNC/O_DSYNC and O_DIRECT flags Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 15/24] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 16/24] nl80211: check for the required netlink attributes presence Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 17/24] bsg-lib: dont free job in bsg_prepare_job Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 18/24] arm64: Make sure SPsel is always set Greg Kroah-Hartman
2017-10-03 12:18 ` Greg Kroah-Hartman [this message]
2017-10-03 12:18 ` [PATCH 3.18 20/24] PCI: Fix race condition with driver_override Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 21/24] btrfs: prevent to set invalid default subvolid Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 22/24] x86/fpu: Dont let userspace set bogus xcomp_bv Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 23/24] video: fbdev: aty: do not leak uninitialized padding in clk to userspace Greg Kroah-Hartman
2017-10-03 12:18 ` [PATCH 3.18 24/24] swiotlb-xen: implement xen_swiotlb_dma_mmap callback Greg Kroah-Hartman
2017-10-03 19:25 ` [PATCH 3.18 00/24] 3.18.73-stable review Shuah Khan
2017-10-04 7:53 ` Greg Kroah-Hartman
2017-10-03 20:29 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171003113649.039336668@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=david@redhat.com \
--cc=jmattson@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).