Three security fixes.

-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJcXHSEAAoJEL/70l94x66DpJUH/Rl3uJGdezeL/BgDkABruIuv
 kJwjWUPjjVtcrz1UPjc8YENDG7g0tLDlFajRXXxMJh+MWMDi/YED27ev4fbGJEnZ
 ApApV0pWNLev+Y5QK4GRn4T9iW4HSuqlDW3gjj9PP0E/93lX8DCALQ+yD1sGsmmE
 yG+0rGOcWqlxD3pPhVESHmi/AGzsD82GDe2in8z/iET8ucxy1lmFlISEYbSxXNa/
 o06C65The6sIn3IrqbP3aKEZ9mrpCe51pJm0YwJJpmg6UWcBiNuU+lbzg6qOthP7
 1fmYy+j/BM+9cFEnFxp8gUW4LWTtlta5cDcDJhTXdaw8XFroac+T1z6ZGQd7838=
 =iKIE
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
 "Three security fixes"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)
  KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
  kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
This commit is contained in:
Linus Torvalds 2019-02-07 15:53:26 -07:00
commit e303a067ce
3 changed files with 10 additions and 1 deletions

View File

@ -211,6 +211,7 @@ static void free_nested(struct kvm_vcpu *vcpu)
if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
return;
hrtimer_cancel(&vmx->nested.preemption_timer);
vmx->nested.vmxon = false;
vmx->nested.smm.vmxon = false;
free_vpid(vmx->nested.vpid02);

View File

@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
{
u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
/*
* FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
* is returned, but our callers are not ready for that and they blindly
* call kvm_inject_page_fault. Ensure that they at least do not leak
* uninitialized kernel stack memory into cr2 and error code.
*/
memset(exception, 0, sizeof(*exception));
return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
exception);
}

View File

@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
if (ops->init)
ops->init(dev);
kvm_get_kvm(kvm);
ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
if (ret < 0) {
kvm_put_kvm(kvm);
mutex_lock(&kvm->lock);
list_del(&dev->vm_node);
mutex_unlock(&kvm->lock);
@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
return ret;
}
kvm_get_kvm(kvm);
cd->fd = ret;
return 0;
}