| From 541ab2aeb28251bf7135c7961f3a6080eebcc705 Mon Sep 17 00:00:00 2001 |
| From: Fuqian Huang <huangfq.daxian@gmail.com> |
| Date: Thu, 12 Sep 2019 12:18:17 +0800 |
| Subject: KVM: x86: work around leak of uninitialized stack contents |
| |
| From: Fuqian Huang <huangfq.daxian@gmail.com> |
| |
| commit 541ab2aeb28251bf7135c7961f3a6080eebcc705 upstream. |
| |
| Emulation of VMPTRST can incorrectly inject a page fault |
| when passed an operand that points to an MMIO address. |
| The page fault will use uninitialized kernel stack memory |
| as the CR2 and error code. |
| |
| The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR |
| exit to userspace; however, it is not an easy fix, so for now just ensure |
| that the error code and CR2 are zero. |
| |
| Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com> |
| Cc: stable@vger.kernel.org |
| [add comment] |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/x86.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| --- a/arch/x86/kvm/x86.c |
| +++ b/arch/x86/kvm/x86.c |
| @@ -4721,6 +4721,13 @@ int kvm_write_guest_virt_system(struct k |
| /* kvm_write_guest_virt_system can pull in tons of pages. */ |
| vcpu->arch.l1tf_flush_l1d = true; |
| |
| + /* |
| + * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED |
| + * is returned, but our callers are not ready for that and they blindly |
| + * call kvm_inject_page_fault. Ensure that they at least do not leak |
| + * uninitialized kernel stack memory into cr2 and error code. |
| + */ |
| + memset(exception, 0, sizeof(*exception)); |
| return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, |
| PFERR_WRITE_MASK, exception); |
| } |
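Review bot: the memset at the top of kvm_write_guest_virt_system only papers over the caller problem the FIXME describes: when the helper returns X86EMUL_IO_NEEDED the callers still inject a page fault, now with CR2 = 0 and error code = 0 instead of stack garbage, so the guest observes a spurious #PF rather than the KVM_EXIT_INTERNAL_ERROR exit the changelog says is the correct behaviour. Worth stating that guest-visible outcome explicitly in the commit message, and consider moving the zeroing into kvm_write_guest_virt_helper (or onto its X86EMUL_IO_NEEDED return path) so that any other caller of the helper gets the same no-leak guarantee instead of each wrapper having to remember to memset first.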