]>
Commit | Line | Data |
---|---|---|
de6f4b1d TL |
1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
3 | Date: Fri, 31 Jan 2020 08:06:40 -0300 | |
4 | Subject: [PATCH] x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit | |
5 | ||
6 | CVE-2019-3016 | |
7 | CVE-2020-3016 | |
8 | ||
9 | kvm_steal_time_set_preempted() may accidentally clear KVM_VCPU_FLUSH_TLB | |
10 | bit if it is called more than once while VCPU is preempted. | |
11 | ||
12 | This is part of CVE-2019-3016. | |
13 | ||
14 | (This bug was also independently discovered by Jim Mattson | |
15 | <jmattson@google.com>) | |
16 | ||
17 | Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
18 | Reviewed-by: Joao Martins <joao.m.martins@oracle.com> | |
19 | Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> | |
20 | Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> | |
21 | --- | |
22 | arch/x86/kvm/x86.c | 3 +++ | |
23 | 1 file changed, 3 insertions(+) | |
24 | ||
25 | diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c | |
6ad15537 | 26 | index 9c45e6ca30fd..80e860bd39d5 100644 |
de6f4b1d TL |
27 | --- a/arch/x86/kvm/x86.c |
28 | +++ b/arch/x86/kvm/x86.c | |
6ad15537 | 29 | @@ -3399,6 +3399,9 @@ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu) |
de6f4b1d TL |
30 | if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED)) |
31 | return; | |
32 | ||
33 | + if (vcpu->arch.st.steal.preempted) | |
34 | + return; | |
35 | + | |
36 | vcpu->arch.st.steal.preempted = KVM_VCPU_PREEMPTED; | |
37 | ||
38 | kvm_write_guest_offset_cached(vcpu->kvm, &vcpu->arch.st.stime, |