pve-kernel-qoup/patches/kernel/0014-KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 25 Feb 2019 11:48:07 +0000
Subject: [PATCH] KVM: x86: work around leak of uninitialized stack contents
 (CVE-2019-7222)

Bugzilla: 1671930

Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
when passed an operand that points to an MMIO address.  The page fault
will use uninitialized kernel stack memory as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just
ensure that the error code and CR2 are zero.

Embargoed until Feb 7th 2019.

Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

CVE-2019-7222

(cherry picked from commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 arch/x86/kvm/x86.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index b3df576413cd..13804929adce 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4632,6 +4632,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
 {
 	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
 
+	/*
+	 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+	 * is returned, but our callers are not ready for that and they blindly
+	 * call kvm_inject_page_fault.  Ensure that they at least do not leak
+	 * uninitialized kernel stack memory into cr2 and error code.
+	 */
+	memset(exception, 0, sizeof(*exception));
 	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
 					  exception);
 }
backport fixes for multiple KVM vulnerabilities Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2019-02-25 16:51:28 +03:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Paolo Bonzini <pbonzini@redhat.com>`
			`Date: Mon, 25 Feb 2019 11:48:07 +0000`
			`Subject: [PATCH] KVM: x86: work around leak of uninitialized stack contents`
			`(CVE-2019-7222)`

			`Bugzilla: 1671930`

			`Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with`
			`memory operand, INVEPT, INVVPID) can incorrectly inject a page fault`
			`when passed an operand that points to an MMIO address. The page fault`
			`will use uninitialized kernel stack memory as the CR2 and error code.`

			`The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR`
			`exit to userspace; however, it is not an easy fix, so for now just`
			`ensure that the error code and CR2 are zero.`

			`Embargoed until Feb 7th 2019.`

			`Reported-by: Felix Wilhelm <fwilhelm@google.com>`
			`Cc: stable@kernel.org`
			`Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>`

			`CVE-2019-7222`

			`(cherry picked from commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a)`
			`Signed-off-by: Tyler Hicks <tyhicks@canonical.com>`
			`Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>`
			`---`
			`arch/x86/kvm/x86.c \| 7 +++++++`
			`1 file changed, 7 insertions(+)`

			`diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c`
			`index b3df576413cd..13804929adce 100644`
			`--- a/arch/x86/kvm/x86.c`
			`+++ b/arch/x86/kvm/x86.c`
			`@@ -4632,6 +4632,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,`
			`{`
			`u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;`

			`+ /*`
			`+ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED`
			`+ * is returned, but our callers are not ready for that and they blindly`
			`+ * call kvm_inject_page_fault. Ensure that they at least do not leak`
			`+ * uninitialized kernel stack memory into cr2 and error code.`
			`+ */`
			`+ memset(exception, 0, sizeof(*exception));`
			`return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,`
			`exception);`
			`}`