[pve-kernel-jessie.git] / KVM-svm-unconditionally-intercept-DB.patch

From 34e2179e6322105e7de2e78bb14d34fb2b04942b Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 26 Nov 2015 12:09:59 +0000
Subject: KVM: svm: unconditionally intercept #DB

This is needed to avoid the possibility that the guest triggers
an infinite stream of #DB exceptions (CVE-2015-8104).

VMX is not affected: because it does not save DR6 in the VMCS,
it already intercepts #DB unconditionally.

Reported-by: Jan Beulich <jbeulich@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cbdb967af3d54993f5814f1cee0ed311a055377d)
CVE-2015-8104
BugLink: https://bugs.launchpad.net/bugs/1520184
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 78547f7..d8af78e 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
 	set_exception_intercept(svm, UD_VECTOR);
 	set_exception_intercept(svm, MC_VECTOR);
 	set_exception_intercept(svm, AC_VECTOR);
+	set_exception_intercept(svm, DB_VECTOR);
 
 	set_intercept(svm, INTERCEPT_INTR);
 	set_intercept(svm, INTERCEPT_NMI);
@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
 	mark_dirty(svm->vmcb, VMCB_SEG);
 }
 
-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
+static void update_bp_intercept(struct kvm_vcpu *vcpu)
 {
 	struct vcpu_svm *svm = to_svm(vcpu);
 
-	clr_exception_intercept(svm, DB_VECTOR);
 	clr_exception_intercept(svm, BP_VECTOR);
 
-	if (svm->nmi_singlestep)
-		set_exception_intercept(svm, DB_VECTOR);
-
 	if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
-		if (vcpu->guest_debug &
-		    (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
-			set_exception_intercept(svm, DB_VECTOR);
 		if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
 			set_exception_intercept(svm, BP_VECTOR);
 	} else
@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
 		if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
 			svm->vmcb->save.rflags &=
 				~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-		update_db_bp_intercept(&svm->vcpu);
 	}
 
 	if (svm->vcpu.guest_debug &
@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
 	 */
 	svm->nmi_singlestep = true;
 	svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
-	update_db_bp_intercept(vcpu);
 }
 
 static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = {
 	.vcpu_load = svm_vcpu_load,
 	.vcpu_put = svm_vcpu_put,
 
-	.update_db_bp_intercept = update_db_bp_intercept,
+	.update_db_bp_intercept = update_bp_intercept,
 	.get_msr = svm_get_msr,
 	.set_msr = svm_set_msr,
 	.get_segment_base = svm_get_segment_base,
-- 
cgit v0.10.2
Commit	Line	Data
0f6e7c5a DM	1	From 34e2179e6322105e7de2e78bb14d34fb2b04942b Mon Sep 17 00:00:00 2001
	2	From: Paolo Bonzini <pbonzini@redhat.com>
	3	Date: Thu, 26 Nov 2015 12:09:59 +0000
	4	Subject: KVM: svm: unconditionally intercept #DB
	5
	6	This is needed to avoid the possibility that the guest triggers
	7	an infinite stream of #DB exceptions (CVE-2015-8104).
	8
	9	VMX is not affected: because it does not save DR6 in the VMCS,
	10	it already intercepts #DB unconditionally.
	11
	12	Reported-by: Jan Beulich <jbeulich@suse.com>
	13	Cc: stable@vger.kernel.org
	14	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	15	(cherry picked from commit cbdb967af3d54993f5814f1cee0ed311a055377d)
	16	CVE-2015-8104
	17	BugLink: https://bugs.launchpad.net/bugs/1520184
	18	Acked-by: Stefan Bader <stefan.bader@canonical.com>
	19	Acked-by: Tim Gardner <tim.gardner@canonical.com>
	20	Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
	21
	22	diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
	23	index 78547f7..d8af78e 100644
	24	--- a/arch/x86/kvm/svm.c
	25	+++ b/arch/x86/kvm/svm.c
	26	@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
	27	set_exception_intercept(svm, UD_VECTOR);
	28	set_exception_intercept(svm, MC_VECTOR);
	29	set_exception_intercept(svm, AC_VECTOR);
	30	+ set_exception_intercept(svm, DB_VECTOR);
	31
	32	set_intercept(svm, INTERCEPT_INTR);
	33	set_intercept(svm, INTERCEPT_NMI);
	34	@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
	35	mark_dirty(svm->vmcb, VMCB_SEG);
	36	}
	37
	38	-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
	39	+static void update_bp_intercept(struct kvm_vcpu *vcpu)
	40	{
	41	struct vcpu_svm *svm = to_svm(vcpu);
	42
	43	- clr_exception_intercept(svm, DB_VECTOR);
	44	clr_exception_intercept(svm, BP_VECTOR);
	45
	46	- if (svm->nmi_singlestep)
	47	- set_exception_intercept(svm, DB_VECTOR);
	48	-
	49	if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
	50	- if (vcpu->guest_debug &
	51	- (KVM_GUESTDBG_SINGLESTEP \| KVM_GUESTDBG_USE_HW_BP))
	52	- set_exception_intercept(svm, DB_VECTOR);
	53	if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
	54	set_exception_intercept(svm, BP_VECTOR);
	55	} else
	56	@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
	57	if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
	58	svm->vmcb->save.rflags &=
	59	~(X86_EFLAGS_TF \| X86_EFLAGS_RF);
	60	- update_db_bp_intercept(&svm->vcpu);
	61	}
	62
	63	if (svm->vcpu.guest_debug &
	64	@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
65	*/
66	svm->nmi_singlestep = true;
67	svm->vmcb->save.rflags \|= (X86_EFLAGS_TF \| X86_EFLAGS_RF);
68	- update_db_bp_intercept(vcpu);
69	}
70
71	static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
72	@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = {
73	.vcpu_load = svm_vcpu_load,
74	.vcpu_put = svm_vcpu_put,
75
76	- .update_db_bp_intercept = update_db_bp_intercept,
77	+ .update_db_bp_intercept = update_bp_intercept,
78	.get_msr = svm_get_msr,
79	.set_msr = svm_set_msr,
80	.get_segment_base = svm_get_segment_base,
81	--
82	cgit v0.10.2
83