fix CVE-2017-2596: kvm: page reference leakage

Linux kernel built with the KVM virtualisation
support(CONFIG_KVM), with nested virtualisation(nVMX)
feature enabled(nested=1), is vulnerable to host memory
leakage issue. It could occur while emulating VMXON
instruction in 'handle_vmon'.

A L1 guest user could use this flaw to leak host memory
potentially resulting in DoS.

diff --git a/CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch b/CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch
new file mode 100644 (file)
index 0000000..27ba688
--- /dev/null
+++ b/CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch
@@ -0,0 +1,46 @@
+Subject:    [PATCH] kvm: fix page struct leak in handle_vmon
+From:       Paolo Bonzini <pbonzini () redhat ! com>
+Date:       2017-01-24 10:56:21
+
+handle_vmon gets a reference on VMXON region page,
+but does not release it. Release the reference.
+
+Found by syzkaller; based on a patch by Dmitry.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Backported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ arch/x86/kvm/vmx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 42cc3d6f4d20..0f7345035210 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6676,14 +6676,20 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
+               }
+ 
+               page = nested_get_page(vcpu, vmptr);
+-              if (page == NULL ||
+-                  *(u32 *)kmap(page) != VMCS12_REVISION) {
++              if (page == NULL) {
+                       nested_vmx_failInvalid(vcpu);
++                      skip_emulated_instruction(vcpu);
++                      return 1;
++              }
++              if (*(u32 *)kmap(page) != VMCS12_REVISION) {
+                       kunmap(page);
++                      nested_release_page_clean(page);
++                      nested_vmx_failInvalid(vcpu);
+                       skip_emulated_instruction(vcpu);
+                       return 1;
+               }
+               kunmap(page);
++              nested_release_page_clean(page);
+               vmx->nested.vmxon_ptr = vmptr;
+               break;
+       case EXIT_REASON_VMCLEAR:
+-- 
+1.8.3.1

diff --git a/Makefile b/Makefile
index e016b3a53989e2cb960be1234d0040ed1a84eade..2c440befc4064e2e878324673eb50566a3ccbabb 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -269,6 +269,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR}
        cd ${KERNEL_SRC}; patch -p1 < ../0001-Revert-mm-throttle-on-IO-only-when-there-are-too-man.patch
        cd ${KERNEL_SRC}; patch -p1 < ../0002-Revert-mm-oom-rework-oom-detection.patch
        cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2583-KVM-x86-fix-emulation-of-MOV-SS-null-selector.patch
+       cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch
        sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
        touch $@