]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commit
projects / mirror_ubuntu-eoan-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e29b06c) | patch
x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed
authorBoris Ostrovsky <boris.ostrovsky@oracle.com>
Fri, 31 Jan 2020 11:06:00 +0000 (12:06 +0100)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Fri, 14 Feb 2020 15:11:08 +0000 (16:11 +0100)
commit8bed6123885a5855cce39fff47f32d1bc2591cc0
treec8d001d2def5573604adc45d02c45acfc6880c0ftree
parente29b06c2c996bc240afa1bdf4e2079d7fd551aa0commit | diff
x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed

CVE-2019-3016

There is a potential race in record_steal_time() between setting
host-local vcpu->arch.st.steal.preempted to zero (i.e. clearing
KVM_VCPU_PREEMPTED) and propagating this value to the guest with
kvm_write_guest_cached(). Between those two events the guest may
still see KVM_VCPU_PREEMPTED in its copy of kvm_steal_time, set
KVM_VCPU_FLUSH_TLB and assume that hypervisor will do the right
thing. Which it won't.

Instad of copying, we should map kvm_steal_time and that will
guarantee atomicity of accesses to @preempted.

This is part of CVE-2019-3016.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(backported from commit b043138246a41064527cf019a3d51d9f015e9796)
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Sultan Alsawaf <sultan.alsawaf@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
arch/x86/kvm/x86.c diff | blob | blame | history
Ubuntu Eoan Linux kernel mirror