- From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
- From: Peter Shier <[email protected]>
- Date: Mon, 25 Feb 2019 11:48:06 +0000
- Subject: [PATCH] KVM: nVMX: unconditionally cancel preemption timer in
- free_nested (CVE-2019-7221)
- Bugzilla: 1671904
- There are multiple code paths where an hrtimer may have been started to
- emulate an L1 VMX preemption timer that can result in a call to free_nested
- without an intervening L2 exit where the hrtimer is normally
- cancelled. Unconditionally cancel in free_nested to cover all cases.
- Embargoed until Feb 7th 2019.
- Signed-off-by: Peter Shier <[email protected]>
- Reported-by: Jim Mattson <[email protected]>
- Reviewed-by: Jim Mattson <[email protected]>
- Reported-by: Felix Wilhelm <[email protected]>
- Cc: [email protected]
- Message-Id: <[email protected]>
- Signed-off-by: Paolo Bonzini <[email protected]>
- CVE-2019-7221
- (backported from commit ecec76885bcfe3294685dc363fd1273df0d5d65f)
- [tyhicks: Backport to 4.18:
- - free_nested() is in arch/x86/kvm/vmx.c]
- Signed-off-by: Tyler Hicks <[email protected]>
- Signed-off-by: Thomas Lamprecht <[email protected]>
- ---
- arch/x86/kvm/vmx.c | 1 +
- 1 file changed, 1 insertion(+)
- diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
- index 7ade6cb125d3..37b095e7f00a 100644
- --- a/arch/x86/kvm/vmx.c
- +++ b/arch/x86/kvm/vmx.c
- @@ -7681,6 +7681,7 @@ static void free_nested(struct vcpu_vmx *vmx)
- if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
- return;
-
- + hrtimer_cancel(&vmx->nested.preemption_timer);
- vmx->nested.vmxon = false;
- vmx->nested.smm.vmxon = false;
- free_vpid(vmx->nested.vpid02);
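Review bot: the new hrtimer_cancel() sits after the `if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) return;` early exit, so it silently relies on the invariant that the preemption timer is never armed while both flags are clear; a one-line comment above `hrtimer_cancel(&vmx->nested.preemption_timer);` stating that invariant, and that the cancel is unconditional because free_nested() can be reached without an intervening L2 exit (as the commit message explains), would stop a future reader from treating it as a redundant copy of the cancel on the L2-exit path. Placing it before `vmx->nested.vmxon = false;` is the right order, since the cancel must complete before the nested state it guards is torn down.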