Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-15 08:31:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
6d1068b3a9
linux/arch/x86
History
Petr Matousek 6d1068b3a9 KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461) 
On hosts without the XSAVE support unprivileged local user can trigger
oops similar to the one below by setting X86_CR4_OSXSAVE bit in guest
cr4 register using KVM_SET_SREGS ioctl and later issuing KVM_RUN
ioctl.

invalid opcode: 0000 [#2] SMP
Modules linked in: tun ip6table_filter ip6_tables ebtable_nat ebtables
...
Pid: 24935, comm: zoog_kvm_monito Tainted: G      D      3.2.0-3-686-pae
EIP: 0060:[<f8b9550c>] EFLAGS: 00210246 CPU: 0
EIP is at kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm]
EAX: 00000001 EBX: 000f387e ECX: 00000000 EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: ef5a0060 ESP: d7c63e70
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process zoog_kvm_monito (pid: 24935, ti=d7c62000 task=ed84a0c0
task.ti=d7c62000)
Stack:
 00000001 f70a1200 f8b940a9 ef5a0060 00000000 00200202 f8769009 00000000
 ef5a0060 000f387e eda5c020 8722f9c8 00015bae 00000000 ed84a0c0 ed84a0c0
 c12bf02d 0000ae80 ef7f8740 fffffffb f359b740 ef5a0060 f8b85dc1 0000ae80
Call Trace:
 [<f8b940a9>] ? kvm_arch_vcpu_ioctl_set_sregs+0x2fe/0x308 [kvm]
...
 [<c12bfb44>] ? syscall_call+0x7/0xb
Code: 89 e8 e8 14 ee ff ff ba 00 00 04 00 89 e8 e8 98 48 ff ff 85 c0 74
1e 83 7d 48 00 75 18 8b 85 08 07 00 00 31 c9 8b 95 0c 07 00 00 <0f> 01
d1 c7 45 48 01 00 00 00 c7 45 1c 01 00 00 00 0f ae f0 89
EIP: [<f8b9550c>] kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] SS:ESP
0068:d7c63e70

QEMU first retrieves the supported features via KVM_GET_SUPPORTED_CPUID
and then sets them later. So guest's X86_FEATURE_XSAVE should be masked
out on hosts without X86_FEATURE_XSAVE, making kvm_set_cr4 with
X86_CR4_OSXSAVE fail. Userspaces that allow specifying guest cpuid with
X86_FEATURE_XSAVE even on hosts that do not support it, might be
susceptible to this attack from inside the guest as well.

Allow setting X86_CR4_OSXSAVE bit only if host has XSAVE support.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
2012-11-12 21:16:45 -02:00
..
boot x86, boot: Explicitly include autoconf.h for hostprogs 2012-10-14 12:41:28 -07:00
configs x86/Kconfig: Turn off DEBUG_NX_TEST module in defconfigs 2012-09-05 10:43:12 +02:00
crypto crypto: aesni - fix XTS mode on x86-32, add wrapper function for asmlinkage aesni_enc() 2012-10-18 14:01:33 -07:00
ia32 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal 2012-10-10 12:02:25 +09:00
include EFI updates for 3.7 2012-10-26 10:17:38 +02:00
kernel Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-10-26 09:35:46 -07:00
kvm KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461) 2012-11-12 21:16:45 -02:00
lguest virtio: remove CONFIG_VIRTIO_RING 2012-09-28 15:05:15 +09:30
lib UAPI: x86: Fix insn_sanity build failure after UAPI split 2012-10-02 18:01:56 +01:00
math-emu x86: Rename trap_no to trap_nr in thread_struct 2012-03-13 06:24:09 +01:00
mm x86, mm: Undo incorrect revert in arch/x86/mm/init.c 2012-10-25 15:45:45 -07:00
net x86: bpf_jit_comp: add XOR instruction for BPF JIT 2012-09-24 16:54:35 -04:00
oprofile oprofile, x86: Fix wrapping bug in op_x86_get_ctrl() 2012-10-15 14:38:24 +02:00
pci PCI changes for the 3.7 merge window: 2012-10-01 12:05:36 -07:00
platform EFI updates for 3.7 2012-10-26 10:17:38 +02:00
power x86, kvm: Call restore_sched_clock_state() only after %gs is initialized 2012-04-02 13:53:00 +02:00
realmode x86, suspend: Correct the restore of CR4, EFER; skip computing EFLAGS.ID 2012-10-02 08:42:31 +02:00
syscalls Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal 2012-10-10 12:02:25 +09:00
tools UAPI: x86: Fix the test_get_len tool 2012-10-02 18:01:56 +01:00
um Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux 2012-10-14 13:39:34 -07:00
vdso time: Convert x86_64 to using new update_vsyscall 2012-09-24 12:38:09 -04:00
video x86: Use vga_default_device() when determining whether an fb is primary 2012-04-24 09:50:17 +01:00
xen Merge commit 'v3.7-rc1' into stable/for-linus-3.7 2012-10-19 15:19:19 -04:00
.gitignore
Kbuild x86, realmode: realmode.bin infrastructure 2012-05-08 11:41:48 -07:00
Kconfig Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux 2012-10-14 13:39:34 -07:00
Kconfig.cpu x86/Kconfig: Clean up Kconfig defaults 2012-09-13 17:45:33 +02:00
Kconfig.debug x86/tlb: add tlb_flushall_shift knob into debugfs 2012-06-27 19:29:10 -07:00
Makefile kbuild: Fix accidental revert in commit fe04ddf 2012-10-15 13:01:05 -07:00
Makefile_32.cpu
Makefile.um um: fix linker script generation 2012-04-09 13:59:00 -04:00