From 73c23b9bb4013ab908044c7ba544f632e2935237 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 8 Feb 2017 10:28:13 +0100 Subject: [PATCH] fix CVE-2017-2596: kvm: page reference leakage Linux kernel built with the KVM virtualisation support(CONFIG_KVM), with nested virtualisation(nVMX) feature enabled(nested=1), is vulnerable to host memory leakage issue. It could occur while emulating VMXON instruction in 'handle_vmon'. A L1 guest user could use this flaw to leak host memory potentially resulting in DoS. --- ...age-reference-leakage-in-handle_vmon.patch | 46 +++++++++++++++++++ Makefile | 1 + 2 files changed, 47 insertions(+) create mode 100644 CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch diff --git a/CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch b/CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch new file mode 100644 index 0000000..27ba688 --- /dev/null +++ b/CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch @@ -0,0 +1,46 @@ +Subject: [PATCH] kvm: fix page struct leak in handle_vmon +From: Paolo Bonzini +Date: 2017-01-24 10:56:21 + +handle_vmon gets a reference on VMXON region page, +but does not release it. Release the reference. + +Found by syzkaller; based on a patch by Dmitry. + +Reported-by: Dmitry Vyukov +Signed-off-by: Paolo Bonzini +Reviewed-by: David Hildenbrand +Backported-by: Fabian Grünbichler +--- + arch/x86/kvm/vmx.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 42cc3d6f4d20..0f7345035210 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6676,14 +6676,20 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason, + } + + page = nested_get_page(vcpu, vmptr); +- if (page == NULL || +- *(u32 *)kmap(page) != VMCS12_REVISION) { ++ if (page == NULL) { + nested_vmx_failInvalid(vcpu); ++ skip_emulated_instruction(vcpu); ++ return 1; ++ } ++ if (*(u32 *)kmap(page) != VMCS12_REVISION) { + kunmap(page); ++ nested_release_page_clean(page); ++ nested_vmx_failInvalid(vcpu); + skip_emulated_instruction(vcpu); + return 1; + } + kunmap(page); ++ nested_release_page_clean(page); + vmx->nested.vmxon_ptr = vmptr; + break; + case EXIT_REASON_VMCLEAR: +-- +1.8.3.1 diff --git a/Makefile b/Makefile index e016b3a..2c440be 100644 --- a/Makefile +++ b/Makefile @@ -269,6 +269,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR} cd ${KERNEL_SRC}; patch -p1 < ../0001-Revert-mm-throttle-on-IO-only-when-there-are-too-man.patch cd ${KERNEL_SRC}; patch -p1 < ../0002-Revert-mm-oom-rework-oom-detection.patch cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2583-KVM-x86-fix-emulation-of-MOV-SS-null-selector.patch + cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/' touch $@ -- 2.39.2