1 | From 34e2179e6322105e7de2e78bb14d34fb2b04942b Mon Sep 17 00:00:00 2001 |
2 | From: Paolo Bonzini <pbonzini@redhat.com> | |
3 | Date: Thu, 26 Nov 2015 12:09:59 +0000 | |
4 | Subject: KVM: svm: unconditionally intercept #DB | |
5 | ||
6 | This is needed to avoid the possibility that the guest triggers | |
7 | an infinite stream of #DB exceptions (CVE-2015-8104). | |
8 | ||
9 | VMX is not affected: because it does not save DR6 in the VMCS, | |
10 | it already intercepts #DB unconditionally. | |
11 | ||
12 | Reported-by: Jan Beulich <jbeulich@suse.com> | |
13 | Cc: stable@vger.kernel.org | |
14 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | |
15 | (cherry picked from commit cbdb967af3d54993f5814f1cee0ed311a055377d) | |
16 | CVE-2015-8104 | |
17 | BugLink: https://bugs.launchpad.net/bugs/1520184 | |
18 | Acked-by: Stefan Bader <stefan.bader@canonical.com> | |
19 | Acked-by: Tim Gardner <tim.gardner@canonical.com> | |
20 | Signed-off-by: Luis Henriques <luis.henriques@canonical.com> | |
21 | ||
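diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 78547f7..d8af78e 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
 set_exception_intercept(svm, UD_VECTOR);
 set_exception_intercept(svm, MC_VECTOR);
 set_exception_intercept(svm, AC_VECTOR);
+ set_exception_intercept(svm, DB_VECTOR);
 
 set_intercept(svm, INTERCEPT_INTR);
 set_intercept(svm, INTERCEPT_NMI);
@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
 mark_dirty(svm->vmcb, VMCB_SEG);
 }
 
- static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
+ static void update_bp_intercept(struct kvm_vcpu *vcpu)
 {
 struct vcpu_svm *svm = to_svm(vcpu);
 
- clr_exception_intercept(svm, DB_VECTOR);
 clr_exception_intercept(svm, BP_VECTOR);
 
- if (svm->nmi_singlestep)
- set_exception_intercept(svm, DB_VECTOR);
-
 if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
- if (vcpu->guest_debug &
- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
- set_exception_intercept(svm, DB_VECTOR);
 if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
 set_exception_intercept(svm, BP_VECTOR);
 } else
@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
 if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
 svm->vmcb->save.rflags &=
 ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
- update_db_bp_intercept(&svm->vcpu);
 }
 
 if (svm->vcpu.guest_debug &
@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
 */
 svm->nmi_singlestep = true;
 svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
- update_db_bp_intercept(vcpu);
 }
 
 static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = {
 .vcpu_load = svm_vcpu_load,
 .vcpu_put = svm_vcpu_put,
 
- .update_db_bp_intercept = update_db_bp_intercept,
+ .update_db_bp_intercept = update_bp_intercept,
 .get_msr = svm_get_msr,
 .set_msr = svm_set_msr,
 .get_segment_base = svm_get_segment_base,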
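Review bot: The unconditional `set_exception_intercept(svm, DB_VECTOR)` added in init_vmcb carries no comment explaining why #DB, unlike the other vectors in that list, must never be cleared, and the renamed `update_bp_intercept` is still wired into the `.update_db_bp_intercept` ops slot in the last hunk, so a reader following that slot will expect it to manage the #DB intercept as well. Suggest a comment on the added line, e.g. `/* #DB is intercepted unconditionally: SVM saves DR6 in the VMCB, so a guest could otherwise trigger an endless #DB stream (CVE-2015-8104) */`, and a one-line comment above `update_bp_intercept` stating that the #DB intercept is fixed at init_vmcb and only the #BP intercept is toggled here. With the re-evaluation calls removed from db_interception and enable_nmi_window, `svm->nmi_singlestep` (still set in the fourth hunk) presumably only feeds the #DB exit handler now; that consumer is outside the hunk and the comment block ending at `*/` above the assignment may still describe the old intercept dance — worth re-reading. The body of update_bp_intercept and its `else` branch continue past the second hunk.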
81 | -- | |