fix CVE-2015-8104
authorDietmar Maurer <dietmar@proxmox.com>
Wed, 9 Dec 2015 09:33:14 +0000 (10:33 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Wed, 9 Dec 2015 09:33:14 +0000 (10:33 +0100)
KVM-svm-unconditionally-intercept-DB.patch [new file with mode: 0644]
Makefile
changelog.Debian

diff --git a/KVM-svm-unconditionally-intercept-DB.patch b/KVM-svm-unconditionally-intercept-DB.patch
new file mode 100644 (file)
index 0000000..318cb66
--- /dev/null
@@ -0,0 +1,83 @@
+From 34e2179e6322105e7de2e78bb14d34fb2b04942b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 26 Nov 2015 12:09:59 +0000
+Subject: KVM: svm: unconditionally intercept #DB
+
+This is needed to avoid the possibility that the guest triggers
+an infinite stream of #DB exceptions (CVE-2015-8104).
+
+VMX is not affected: because it does not save DR6 in the VMCS,
+it already intercepts #DB unconditionally.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit cbdb967af3d54993f5814f1cee0ed311a055377d)
+CVE-2015-8104
+BugLink: https://bugs.launchpad.net/bugs/1520184
+Acked-by: Stefan Bader <stefan.bader@canonical.com>
+Acked-by: Tim Gardner <tim.gardner@canonical.com>
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 78547f7..d8af78e 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
+       set_exception_intercept(svm, UD_VECTOR);
+       set_exception_intercept(svm, MC_VECTOR);
+       set_exception_intercept(svm, AC_VECTOR);
++      set_exception_intercept(svm, DB_VECTOR);
+       set_intercept(svm, INTERCEPT_INTR);
+       set_intercept(svm, INTERCEPT_NMI);
+@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
+       mark_dirty(svm->vmcb, VMCB_SEG);
+ }
+-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
++static void update_bp_intercept(struct kvm_vcpu *vcpu)
+ {
+       struct vcpu_svm *svm = to_svm(vcpu);
+-      clr_exception_intercept(svm, DB_VECTOR);
+       clr_exception_intercept(svm, BP_VECTOR);
+-      if (svm->nmi_singlestep)
+-              set_exception_intercept(svm, DB_VECTOR);
+-
+       if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
+-              if (vcpu->guest_debug &
+-                  (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
+-                      set_exception_intercept(svm, DB_VECTOR);
+               if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
+                       set_exception_intercept(svm, BP_VECTOR);
+       } else
+@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
+               if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
+                       svm->vmcb->save.rflags &=
+                               ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
+-              update_db_bp_intercept(&svm->vcpu);
+       }
+       if (svm->vcpu.guest_debug &
+@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
+        */
+       svm->nmi_singlestep = true;
+       svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
+-      update_db_bp_intercept(vcpu);
+ }
+ static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
+@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = {
+       .vcpu_load = svm_vcpu_load,
+       .vcpu_put = svm_vcpu_put,
+-      .update_db_bp_intercept = update_db_bp_intercept,
++      .update_db_bp_intercept = update_bp_intercept,
+       .get_msr = svm_get_msr,
+       .set_msr = svm_set_msr,
+       .get_segment_base = svm_get_segment_base,
+-- 
+cgit v0.10.2
+
index 9a4bdae286b03b0a1bf6c1f927a380c8aa493cf1..cf5edd405463e8048a2c7f43ffa13c1fe7714a66 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ RELEASE=4.1
 
 # also update proxmox-ve/changelog if you change KERNEL_VER or KREL
 KERNEL_VER=4.2.6
-PKGREL=25
+PKGREL=26
 # also include firmware of previous version into
 # the fw package:  fwlist-2.6.32-PREV-pve
 KREL=1
@@ -219,6 +219,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR}
        #cd ${KERNEL_SRC}; patch -p1 <../vhost-net-extend-device-allocation-to-vmalloc.patch
        cd ${KERNEL_SRC}; patch -p1 <../kvmstealtime.patch
        cd ${KERNEL_SRC}; patch -p1 <../kvm-x86-obey-KVM_X86_QUIRK_CD_NW_CLEARED-in-kvm_set_cr0.patch
+       cd ${KERNEL_SRC}; patch -p1 <../KVM-svm-unconditionally-intercept-DB.patch
        sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
        touch $@
 
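Review bot: The new recipe line applies the CVE backport with the same bare `patch -p1` as the neighbouring lines, so if a hunk no longer lines up with the 4.2.6 tree it would be applied with fuzz (and a warning) rather than rejected. For a security fix whose correctness depends on the `set_exception_intercept(svm, DB_VECTOR)` line landing in `init_vmcb`, it may be worth applying it strictly, e.g. `cd ${KERNEL_SRC}; patch -p1 -F0 <../KVM-svm-unconditionally-intercept-DB.patch`, or at least confirming the build log shows no offset/fuzz messages for it. The rest of the patch series above is unchanged and follows the looser convention, so this is a suggestion for new additions rather than a defect in this line alone.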
index 9023a53b486bb6dbb0c23adbc0f67cfe3892b42f..698abc4bd6ac83e8fdb94541184813c5943cd9e6 100644 (file)
@@ -1,3 +1,9 @@
+pve-kernel (4.2.3-26) unstable; urgency=medium
+
+  * fix CVE-2015-8104 (KVM-svm-unconditionally-intercept-DB.patch)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Dec 2015 10:32:45 +0100
+
 pve-kernel (4.2.3-25) unstable; urgency=medium
 
   * blacklist ipmi_watchdog.ko