From 11dc6a09a2f3564db6c5ee39636b03d58fd79c66 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Nov 10 2015 12:48:40 +0000 Subject: CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691) --- diff --git a/KVM-svm-unconditionally-intercept-DB.patch b/KVM-svm-unconditionally-intercept-DB.patch new file mode 100644 index 0000000..021af4c --- /dev/null +++ b/KVM-svm-unconditionally-intercept-DB.patch @@ -0,0 +1,80 @@ +From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 10 Nov 2015 13:22:53 +0100 +Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB + +This is needed to avoid the possibility that the guest triggers +an infinite stream of #DB exceptions (CVE-2015-8104). + +VMX is not affected: because it does not save DR6 in the VMCS, +it already intercepts #DB unconditionally. + +Reported-by: Jan Beulich +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +--- + arch/x86/kvm/svm.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 7203b3cc71b5..184e50b3c35a 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm) + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); + set_exception_intercept(svm, AC_VECTOR); ++ set_exception_intercept(svm, DB_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, + mark_dirty(svm->vmcb, VMCB_SEG); + } + +-static void update_db_bp_intercept(struct kvm_vcpu *vcpu) ++static void update_bp_intercept(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); + +- clr_exception_intercept(svm, DB_VECTOR); + clr_exception_intercept(svm, BP_VECTOR); + +- if (svm->nmi_singlestep) +- set_exception_intercept(svm, DB_VECTOR); +- + if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { +- if (vcpu->guest_debug & +- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) +- set_exception_intercept(svm, DB_VECTOR); + if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) + set_exception_intercept(svm, BP_VECTOR); + } else +@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm) + if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) + svm->vmcb->save.rflags &= + ~(X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(&svm->vcpu); + } + + if (svm->vcpu.guest_debug & +@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu) + */ + svm->nmi_singlestep = true; + svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(vcpu); + } + + static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) +@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = { + .vcpu_load = svm_vcpu_load, + .vcpu_put = svm_vcpu_put, + +- .update_db_bp_intercept = update_db_bp_intercept, ++ .update_db_bp_intercept = update_bp_intercept, + .get_msr = svm_get_msr, + .set_msr = svm_set_msr, + .get_segment_base = svm_get_segment_base, +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index 44bc2dd..905dd88 100644 --- a/kernel.spec +++ b/kernel.spec @@ -635,6 +635,9 @@ Patch546: drm-radeon-fix-dpms-when-driver-backlight-control-is.patch #CVE-2015-5307 rhbz 1277172 1279688 Patch550: KVM-x86-work-around-infinite-loop-in-microcode-when-.patch +#CVE-2015-8104 rhbz 1278496 1279691 +Patch551: KVM-svm-unconditionally-intercept-DB.patch + # END OF PATCH DEFINITIONS %endif @@ -2080,6 +2083,7 @@ fi # %changelog * Tue Nov 10 2015 Josh Boyer +- CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691) - CVE-2015-5307 kvm: DoS infinite loop in microcode AC exception (rhbz 1277172 1279688) * Thu Nov 5 2015 Peter Robinson