- From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
- From: Paolo Bonzini <[email protected]>
- Date: Mon, 25 Feb 2019 11:48:07 +0000
- Subject: [PATCH] KVM: x86: work around leak of uninitialized stack contents
- (CVE-2019-7222)
- Bugzilla: 1671930
- Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
- memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
- when passed an operand that points to an MMIO address. The page fault
- will use uninitialized kernel stack memory as the CR2 and error code.
- The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
- exit to userspace; however, it is not an easy fix, so for now just
- ensure that the error code and CR2 are zero.
- Embargoed until Feb 7th 2019.
- Reported-by: Felix Wilhelm <[email protected]>
- Cc: [email protected]
- Signed-off-by: Paolo Bonzini <[email protected]>
- CVE-2019-7222
- (cherry picked from commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a)
- Signed-off-by: Tyler Hicks <[email protected]>
- Signed-off-by: Thomas Lamprecht <[email protected]>
- ---
- arch/x86/kvm/x86.c | 7 +++++++
- 1 file changed, 7 insertions(+)
- diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
- index b3df576413cd..13804929adce 100644
- --- a/arch/x86/kvm/x86.c
- +++ b/arch/x86/kvm/x86.c
- @@ -4632,6 +4632,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
- {
- u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
-
- + /*
- + * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
- + * is returned, but our callers are not ready for that and they blindly
- + * call kvm_inject_page_fault. Ensure that they at least do not leak
- + * uninitialized kernel stack memory into cr2 and error code.
- + */
- + memset(exception, 0, sizeof(*exception));
- return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
- exception);
- }
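Review bot: the memset() added to kvm_read_guest_virt() only protects callers that reach kvm_read_guest_virt_helper() through this one wrapper; any other entry point that hands an on-stack struct x86_exception to a helper able to return X86EMUL_IO_NEEDED without filling it keeps exactly the exposure the FIXME describes. Either apply the same `memset(exception, 0, sizeof(*exception));` to those wrappers in the same patch, or have the nested-VMX callers check for X86EMUL_IO_NEEDED before calling kvm_inject_page_fault(), which is the real fix the comment defers. As it stands, a guest whose operand lands in MMIO still receives a spurious #PF, just with CR2 and error code zeroed, so the comment's "at least" wording is accurate and should stay.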
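As an added illustration, not KVM's code and not part of this commit page: a stand-alone C model of the failure mode the commit message describes and of what the memset() changes. It assumes a simplified struct x86_exception, a helper that returns X86EMUL_IO_NEEDED for a constructed MMIO page without filling the struct, and a caller that, like the nested-VMX callers the message describes, injects a #PF on any failure. The "stale stack contents" are a fixed sentinel so the example is deterministic instead of reading genuinely uninitialized memory; the guest address layout and the sentinel value are assumptions made for this example.

```c
/*
 * Added, stand-alone model of the CVE-2019-7222 pattern; not KVM code.
 * struct x86_exception, X86EMUL_IO_NEEDED and read_guest_virt_* mirror
 * identifiers in the patch, but every body here is a simplified stand-in.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 2
#define X86EMUL_IO_NEEDED       5
#define PF_VECTOR               14

/* Modelled on the struct the hunk zeroes with memset(). */
struct x86_exception {
    uint8_t  vector;
    bool     error_code_valid;
    uint16_t error_code;
    uint64_t address;           /* becomes CR2 when a #PF is injected */
};

/* Constructed guest address space: one RAM page, one MMIO page (assumed). */
#define GUEST_RAM_BASE   0x1000ULL
#define GUEST_MMIO_BASE  0xfee00000ULL
#define STALE_STACK_WORD 0x4141414141414141ULL  /* stands in for old stack data */
static uint8_t guest_ram[4096];

/*
 * Stand-in for kvm_read_guest_virt_helper(): RAM is copied, an unmapped
 * address fills in a real #PF, but MMIO returns X86EMUL_IO_NEEDED without
 * touching *e, the gap the patch's FIXME comment describes.
 */
static int read_guest_virt_helper(uint64_t gva, void *val, unsigned bytes,
                                  struct x86_exception *e)
{
    if (gva >= GUEST_RAM_BASE && gva + bytes <= GUEST_RAM_BASE + sizeof guest_ram) {
        memcpy(val, guest_ram + (gva - GUEST_RAM_BASE), bytes);
        return X86EMUL_CONTINUE;
    }
    if (gva >= GUEST_MMIO_BASE && gva + bytes <= GUEST_MMIO_BASE + 4096)
        return X86EMUL_IO_NEEDED;               /* *e left as the caller had it */

    e->vector = PF_VECTOR;
    e->error_code_valid = true;
    e->error_code = 0;
    e->address = gva;
    return X86EMUL_PROPAGATE_FAULT;
}

/* Before the patch: the wrapper forwards the caller's struct untouched. */
int read_guest_virt_before(uint64_t gva, void *val, unsigned bytes,
                           struct x86_exception *e)
{
    return read_guest_virt_helper(gva, val, bytes, e);
}

/* After the patch: zero it first, which is all the hunk's memset() adds. */
int read_guest_virt_after(uint64_t gva, void *val, unsigned bytes,
                          struct x86_exception *e)
{
    memset(e, 0, sizeof *e);
    return read_guest_virt_helper(gva, val, bytes, e);
}

typedef int (*read_fn)(uint64_t, void *, unsigned, struct x86_exception *);

/* What the guest observes: whether a #PF was injected, and its CR2/error code. */
struct injected_pf { bool injected; uint64_t cr2; uint16_t error_code; };

/*
 * Stand-in for the nested-VMX operand fetch (VMPTRLD and friends): read the
 * 64-bit operand and, on any non-CONTINUE result, inject a #PF straight from
 * the on-stack struct, which is what the commit message says callers did.
 */
struct injected_pf emulate_vmptrld(uint64_t operand_gva, read_fn read_op)
{
    /* Deterministic stand-in for whatever the previous frame left here. */
    struct x86_exception e = { .vector = 0x41, .error_code_valid = true,
                               .error_code = 0x4141, .address = STALE_STACK_WORD };
    struct injected_pf pf = { false, 0, 0 };
    uint64_t vmptr;

    if (read_op(operand_gva, &vmptr, sizeof vmptr, &e) != X86EMUL_CONTINUE) {
        pf.injected = true;
        pf.cr2 = e.address;
        pf.error_code = e.error_code;
    }
    return pf;
}

int main(void)
{
    struct injected_pf b = emulate_vmptrld(GUEST_MMIO_BASE + 0x20, read_guest_virt_before);
    struct injected_pf a = emulate_vmptrld(GUEST_MMIO_BASE + 0x20, read_guest_virt_after);

    printf("MMIO operand, before: cr2=%#llx ec=%#x (stack contents leak to guest)\n",
           (unsigned long long)b.cr2, b.error_code);
    printf("MMIO operand, after:  cr2=%#llx ec=%#x (still a bogus #PF, but zeroed)\n",
           (unsigned long long)a.cr2, a.error_code);
    return 0;
}
```

With the operand in the MMIO page, the pre-patch path hands the guest CR2 = 0x4141414141414141 and error code 0x4141, that is, whatever the previous frame left on the host stack; the post-patch path still injects a spurious #PF (the KVM_EXIT_INTERNAL_ERROR exit the FIXME asks for is not modelled here either), but CR2 and the error code are zero. Operands in RAM or at an unmapped address behave identically before and after, which is why the memset() is safe to apply unconditionally.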