Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch')
-rw-r--r--common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch156
1 files changed, 0 insertions, 156 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch
deleted file mode 100644
index 5cff1af9..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0005-kvm-x86-use-correct-privilege-level-for-sgdt-sidt-fx.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 45e0a2316524254692219fce805e247dc8dadb20 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 6 Jun 2018 17:38:09 +0200
-Subject: [PATCH 05/10] kvm: x86: use correct privilege level for
- sgdt/sidt/fxsave/fxrstor access
-
-commit 3c9fa24ca7c9c47605672916491f79e8ccacb9e6 upstream.
-
-The functions that were used in the emulation of fxrstor, fxsave, sgdt and
-sidt were originally meant for task switching, and as such they did not
-check privilege levels. This is very bad when the same functions are used
-in the emulation of unprivileged instructions. This is CVE-2018-10853.
-
-The obvious fix is to add a new argument to ops->read_std and ops->write_std,
-which decides whether the access is a "system" access or should use the
-processor's CPL.
-
-Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/kvm_emulate.h | 6 ++++--
- arch/x86/kvm/emulate.c | 12 ++++++------
- arch/x86/kvm/x86.c | 18 ++++++++++++++----
- 3 files changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
-index e9cd7be..0b7d332 100644
---- a/arch/x86/include/asm/kvm_emulate.h
-+++ b/arch/x86/include/asm/kvm_emulate.h
-@@ -105,11 +105,12 @@ struct x86_emulate_ops {
- * @addr: [IN ] Linear address from which to read.
- * @val: [OUT] Value read from memory, zero-extended to 'u_long'.
- * @bytes: [IN ] Number of bytes to read from memory.
-+ * @system:[IN ] Whether the access is forced to be at CPL0.
- */
- int (*read_std)(struct x86_emulate_ctxt *ctxt,
- unsigned long addr, void *val,
- unsigned int bytes,
-- struct x86_exception *fault);
-+ struct x86_exception *fault, bool system);
-
- /*
- * read_phys: Read bytes of standard (non-emulated/special) memory.
-@@ -127,10 +128,11 @@ struct x86_emulate_ops {
- * @addr: [IN ] Linear address to which to write.
- * @val: [OUT] Value write to memory, zero-extended to 'u_long'.
- * @bytes: [IN ] Number of bytes to write to memory.
-+ * @system:[IN ] Whether the access is forced to be at CPL0.
- */
- int (*write_std)(struct x86_emulate_ctxt *ctxt,
- unsigned long addr, void *val, unsigned int bytes,
-- struct x86_exception *fault);
-+ struct x86_exception *fault, bool system);
- /*
- * fetch: Read bytes of standard (non-emulated/special) memory.
- * Used for instruction fetch.
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index b6ec3e9..1e96a5a 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -805,14 +805,14 @@ static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
- static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
- void *data, unsigned size)
- {
-- return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
-+ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
- }
-
- static int linear_write_system(struct x86_emulate_ctxt *ctxt,
- ulong linear, void *data,
- unsigned int size)
- {
-- return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
-+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
- }
-
- static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
-@@ -826,7 +826,7 @@ static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
- rc = linearize(ctxt, addr, size, false, &linear);
- if (rc != X86EMUL_CONTINUE)
- return rc;
-- return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
-+ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
- }
-
- static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
-@@ -840,7 +840,7 @@ static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
- rc = linearize(ctxt, addr, size, true, &linear);
- if (rc != X86EMUL_CONTINUE)
- return rc;
-- return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
-+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
- }
-
- /*
-@@ -2893,12 +2893,12 @@ static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
- #ifdef CONFIG_X86_64
- base |= ((u64)base3) << 32;
- #endif
-- r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
-+ r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
- if (r != X86EMUL_CONTINUE)
- return false;
- if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
- return false;
-- r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
-+ r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
- if (r != X86EMUL_CONTINUE)
- return false;
- if ((perm >> bit_idx) & mask)
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index af8e120..2c4d91e 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4383,10 +4383,15 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
-
- static int emulator_read_std(struct x86_emulate_ctxt *ctxt,
- gva_t addr, void *val, unsigned int bytes,
-- struct x86_exception *exception)
-+ struct x86_exception *exception, bool system)
- {
- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-- return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
-+ u32 access = 0;
-+
-+ if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
-+ access |= PFERR_USER_MASK;
-+
-+ return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, exception);
- }
-
- static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
-@@ -4430,12 +4435,17 @@ static int kvm_write_guest_virt_helper(gva_t addr, void *val, unsigned int bytes
- }
-
- static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val,
-- unsigned int bytes, struct x86_exception *exception)
-+ unsigned int bytes, struct x86_exception *exception,
-+ bool system)
- {
- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-+ u32 access = PFERR_WRITE_MASK;
-+
-+ if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
-+ access |= PFERR_USER_MASK;
-
- return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
-- PFERR_WRITE_MASK, exception);
-+ access, exception);
- }
-
- int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val,
---
-2.7.4
-