diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch new file mode 100644 index 0000000..8066b2e --- /dev/null +++ b/KVM-MTRR-remove-MSR-0x2f8.patch @@ -0,0 +1,49 @@ +From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Mon, 16 May 2016 09:45:35 -0400 +Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support +was introduced by 9ba075a664df ("KVM: MTRR support"). + +0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the +size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, +which made access to index 124 out of bounds. The surrounding code only +WARNs in this situation, thus the guest gained a limited read/write +access to struct kvm_arch_vcpu. + +0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR +MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 +was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was +not implemented in KVM, therefore 0x2f8 could never do anything useful +and getting rid of it is safe. + +This fixes CVE-2016-TBD. + +Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") +Cc: stable@vger.kernel.org +Reported-by: David Matlack +Signed-off-by: Radim Krčmář +--- + arch/x86/kvm/mtrr.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c +index 3f8c732117ec..c146f3c262c3 100644 +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr) + case MSR_MTRRdefType: + case MSR_IA32_CR_PAT: + return true; +- case 0x2f8: +- return true; + } + return false; + } +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index 8710f87..42027f3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -666,6 +666,9 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch #CVE-2016-0758 rhbz 1300257 1335386 Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch +#CVE-2016-3713 rhbz 1332139 1336410 +Patch718: KVM-MTRR-remove-MSR-0x2f8.patch + # END OF PATCH DEFINITIONS %endif @@ -2187,6 +2190,9 @@ fi # # %changelog +* Mon May 16 2016 Josh Boyer +- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410) + * Fri May 13 2016 Josh Boyer - CVE-2016-0758 pointer corruption in asn1 decoder (rhbz 1300257 1335386)