CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)

parent c139414777
commit 6c1de60a56

KVM-MTRR-remove-MSR-0x2f8.patch (new file, 49 lines)
@ -0,0 +1,49 @@
From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
Date: Mon, 16 May 2016 09:45:35 -0400
Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
was introduced by 9ba075a664df ("KVM: MTRR support").

0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
which made access to index 124 out of bounds. The surrounding code only
WARNs in this situation, thus the guest gained a limited read/write
access to struct kvm_arch_vcpu.

0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
not implemented in KVM, therefore 0x2f8 could never do anything useful
and getting rid of it is safe.

This fixes CVE-2016-TBD.

Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
Cc: stable@vger.kernel.org
Reported-by: David Matlack <dmatlack@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
---
arch/x86/kvm/mtrr.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
index 3f8c732117ec..c146f3c262c3 100644
--- a/arch/x86/kvm/mtrr.c
+++ b/arch/x86/kvm/mtrr.c
@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
case MSR_MTRRdefType:
case MSR_IA32_CR_PAT:
return true;
- case 0x2f8:
- return true;
}
return false;
}
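Review bot: removing `case 0x2f8:` from msr_mtrr_valid() closes the only reachable path, but the hunk leaves the index arithmetic behind it relying solely on this allow-list; the commit message says the surrounding code only WARNs when index 124 lands outside the 8-entry array, so consider making that path fail closed as well (return an error instead of WARN when the computed index is >= the variable-range array size), so that a future addition to the switch cannot reintroduce the out-of-bounds access. It is also worth a line in the commit message that a guest access to 0x2f8 now falls through to `return false` and is rejected, rather than being silently accepted as before.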
--
2.5.5
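To make the arithmetic in the commit message concrete, here is an added example that is not KVM's code and not part of this commit: it models how a variable-range MTRR MSR number decodes to an array index (each range is a PHYSBASE/PHYSMASK pair starting at 0x200, so 0x2f8 decodes to index 124), contrasts the allow-list before and after the patch, computes where a write through the stray 0x2f8 case would land relative to an 8-entry array, and shows a fail-closed setter that bounds-checks the index as a second line of defence. The struct layout, the filler field and all function names are assumptions made for this illustration; the array size 8 and the MSR numbers come from the commit message.

```c
/* Added example (not KVM's code): models the variable-range MTRR MSR decoding
 * described in the commit message above and shows why the stray 0x2f8 case
 * indexed past an 8-entry array. Struct and function names are assumptions
 * made for this illustration. Build with gcc or clang (uses case ranges). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VAR_MTRR_MSR_BASE 0x200u   /* MTRRphysBase0; each range is a BASE/MASK pair */
#define NR_VAR_MTRR       8        /* array size after 910a6aae4e2e, per the commit message */
#define MSR_MTRRdefType   0x2ffu
#define MSR_IA32_CR_PAT   0x277u

struct mtrr_range { uint64_t base, mask; };

/* Stand-in for the per-vCPU state: the ranges, followed by whatever comes next
 * in the real structure (constructed filler here, not the real layout). */
struct vcpu_state {
    struct mtrr_range var_ranges[NR_VAR_MTRR];
    uint64_t rest_of_vcpu[256];
};

/* MSR -> array index, as the commit message describes: 0x200/0x201 are pair 0,
 * 0x202/0x203 pair 1, ... so 0x2f8 decodes to (0x2f8 - 0x200) / 2 = 124. */
int var_mtrr_index(unsigned msr)    { return (int)((msr - VAR_MTRR_MSR_BASE) / 2); }
bool var_mtrr_is_mask(unsigned msr) { return ((msr - VAR_MTRR_MSR_BASE) & 1) != 0; }

/* Allow-list as it was before the patch: 0x2f8 is accepted alongside 0x200-0x20f. */
bool msr_mtrr_valid_before(unsigned msr)
{
    switch (msr) {
    case VAR_MTRR_MSR_BASE ... VAR_MTRR_MSR_BASE + 2 * NR_VAR_MTRR - 1:
    case MSR_MTRRdefType:
    case MSR_IA32_CR_PAT:
        return true;
    case 0x2f8:
        return true;
    }
    return false;
}

/* Allow-list after the patch: the 0x2f8 case is gone, so it falls to "return false". */
bool msr_mtrr_valid_after(unsigned msr)
{
    switch (msr) {
    case VAR_MTRR_MSR_BASE ... VAR_MTRR_MSR_BASE + 2 * NR_VAR_MTRR - 1:
    case MSR_MTRRdefType:
    case MSR_IA32_CR_PAT:
        return true;
    }
    return false;
}

/* Byte offset, from the start of var_ranges[], at which a write to msr lands.
 * Computed rather than performed, so the out-of-bounds case is demonstrated
 * without actually corrupting memory. */
size_t var_mtrr_write_offset(unsigned msr)
{
    return (size_t)var_mtrr_index(msr) * sizeof(struct mtrr_range)
         + (var_mtrr_is_mask(msr) ? offsetof(struct mtrr_range, mask) : 0);
}

bool var_mtrr_write_in_bounds(unsigned msr)
{
    return var_mtrr_write_offset(msr) + sizeof(uint64_t)
        <= sizeof(((struct vcpu_state *)0)->var_ranges);
}

/* Fail-closed setter: rejects anything outside 0x200-0x20f and, as a second
 * line of defence, any index outside the array even if the allow-list is
 * widened again later. Returns the index written, or -1 (caller would #GP). */
int set_var_mtrr_checked(struct vcpu_state *v, unsigned msr, uint64_t data)
{
    if (msr < VAR_MTRR_MSR_BASE || msr >= VAR_MTRR_MSR_BASE + 2 * NR_VAR_MTRR)
        return -1;
    int index = var_mtrr_index(msr);
    if (index < 0 || index >= NR_VAR_MTRR)
        return -1;
    if (var_mtrr_is_mask(msr))
        v->var_ranges[index].mask = data;
    else
        v->var_ranges[index].base = data;
    return index;
}

int main(void)
{
    struct vcpu_state v = {0};
    unsigned msr = 0x2f8;
    printf("msr 0x%x -> index %d, valid before=%d after=%d, write offset %zu of %zu bytes (in bounds: %d)\n",
           msr, var_mtrr_index(msr), msr_mtrr_valid_before(msr), msr_mtrr_valid_after(msr),
           var_mtrr_write_offset(msr), sizeof v.var_ranges, var_mtrr_write_in_bounds(msr));
    printf("checked setter: 0x2f8 -> %d, 0x20f -> %d\n",
           set_var_mtrr_checked(&v, 0x2f8, 0x1), set_var_mtrr_checked(&v, 0x20f, 0x1));
    return 0;
}
```

The interesting number is the write offset: index 124 times a 16-byte range puts the access 1984 bytes into a 128-byte array, which is the "limited read/write access to struct kvm_arch_vcpu" the commit message refers to. The checked setter shows the belt-and-braces shape: the allow-list decides which MSRs exist, and the bounds check guarantees that even a wrong allow-list cannot index past the array.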
@ -619,6 +619,9 @@ Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch

#CVE-2016-3713 rhbz 1332139 1336410
Patch717: KVM-MTRR-remove-MSR-0x2f8.patch

# END OF PATCH DEFINITIONS

%endif
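Review bot: this hunk adds only the `Patch717:` definition; confirm that the spec's %prep applies every entry in the patch list automatically, since no application line for Patch717 appears anywhere in this commit, otherwise the patch is defined but never applied to the tree. Separately, the comment here names CVE-2016-3713 while the carried patch header still says `This fixes CVE-2016-TBD.`; consider updating the .patch header so the identifier is recorded in both places.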
@ -2146,6 +2149,7 @@ fi
%changelog
* Mon May 16 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-1
- Linux v4.6
- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)

* Fri May 13 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git3.1
- Linux v4.6-rc7-116-ga2ccb68b1e6a