
Commit 353c095

KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
Bugzilla: 1671930

Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with memory operand, INVEPT, INVVPID) can incorrectly inject a page fault when passed an operand that points to an MMIO address. The page fault will use uninitialized kernel stack memory as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR exit to userspace; however, it is not an easy fix, so for now just ensure that the error code and CR2 are zero.

Embargoed until Feb 7th 2019.

Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 parent cfa3938 commit 353c095
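The defect class the commit message describes, as an added example that is not part of the kernel source or of this commit: a stack-allocated exception struct is handed to a helper that only fills it on the page-fault path, while the caller injects a fault on any non-zero return and so exposes whatever the stack held. The struct layout, the `read_helper` function, the `MMIO_BASE` constant and the 0xAA poison pattern are constructed stand-ins for the KVM types and helpers named in the patch; only the zero-on-entry `memset` mirrors the actual change.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mock of the KVM types involved. Field names follow the commit
 * message, but the layout is a stand-in, not the kernel's struct x86_exception. */
struct x86_exception {
    uint8_t  vector;
    uint8_t  error_code_valid;
    uint16_t error_code;
    uint64_t address;   /* becomes CR2 when a page fault is injected */
};

enum { X86EMUL_CONTINUE = 0, X86EMUL_PROPAGATE_FAULT = 1, X86EMUL_IO_NEEDED = 2 };

/* Constructed: guest virtual addresses at or above this mark count as MMIO. */
#define MMIO_BASE 0xfee00000ULL

/* Stand-in for the read helper: it fills *exception only on the #PF path.
 * On the MMIO path it returns X86EMUL_IO_NEEDED and leaves *exception
 * untouched, which is the behaviour the commit message describes. */
static int read_helper(uint64_t gva, struct x86_exception *exception)
{
    if (gva >= MMIO_BASE)
        return X86EMUL_IO_NEEDED;        /* exception deliberately untouched */
    if (gva & 0xfffULL) {                /* constructed rule: unaligned == not present */
        exception->vector = 14;
        exception->error_code_valid = 1;
        exception->error_code = 0;
        exception->address = gva;
        return X86EMUL_PROPAGATE_FAULT;
    }
    return X86EMUL_CONTINUE;
}

/* Before the patch: the caller's struct is passed through as-is. */
static int read_guest_virt_before(uint64_t gva, struct x86_exception *exception)
{
    return read_helper(gva, exception);
}

/* After the patch: zero the struct first, so a caller that blindly injects a
 * page fault on any non-zero return cannot observe stale stack bytes. */
static int read_guest_virt_after(uint64_t gva, struct x86_exception *exception)
{
    memset(exception, 0, sizeof(*exception));
    return read_helper(gva, exception);
}

/* Models "callers blindly call kvm_inject_page_fault": returns the CR2 value
 * the guest would see. The local struct is poisoned with 0xAA to stand in
 * deterministically for whatever the kernel stack held before the call
 * (reading truly uninitialized memory would be undefined behaviour here). */
static uint64_t injected_cr2(int (*read)(uint64_t, struct x86_exception *),
                             uint64_t gva)
{
    struct x86_exception e;
    memset(&e, 0xAA, sizeof(e));         /* simulated stale stack contents */
    if (read(gva, &e) != X86EMUL_CONTINUE)
        return e.address;                /* "inject #PF" using e as its source */
    return 0;
}

int main(void)
{
    printf("before fix, MMIO operand: cr2=0x%016llx\n",
           (unsigned long long)injected_cr2(read_guest_virt_before, MMIO_BASE));
    printf("after fix,  MMIO operand: cr2=0x%016llx\n",
           (unsigned long long)injected_cr2(read_guest_virt_after, MMIO_BASE));
    printf("after fix,  real #PF:     cr2=0x%016llx\n",
           (unsigned long long)injected_cr2(read_guest_virt_after, 0x1001));
    return 0;
}
```

The zeroing is a defensive default rather than the full fix: the guest still receives a page fault it did not cause, but its CR2 and error code are now constant instead of carrying kernel stack contents. The proper fix the commit defers is to treat X86EMUL_IO_NEEDED as an emulation failure rather than a fault.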


1 file changed: +7 -0 lines changed


arch/x86/kvm/x86.c

Lines changed: 7 additions & 0 deletions
@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
51165116
{
51175117
u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
51185118

5119+
/*
5120+
* FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
5121+
* is returned, but our callers are not ready for that and they blindly
5122+
* call kvm_inject_page_fault. Ensure that they at least do not leak
5123+
* uninitialized kernel stack memory into cr2 and error code.
5124+
*/
5125+
memset(exception, 0, sizeof(*exception));
51195126
return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
51205127
exception);
51215128
}
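Review bot: the memset on line 5125 runs on every call, including the success path where the helper fills nothing and the caller never reads the struct; that is cheap and the right default, but as the FIXME itself states the real fix is to route X86EMUL_IO_NEEDED to handle_emulation_failure, and a zeroed cr2/error code still injects a page fault the guest did not cause. Suggest recording the Bugzilla id 1671930 from the commit message in the FIXME so the deferred follow-up stays traceable, and confirming that other entry points in this file that pass an `exception` on to kvm_inject_page_fault get the same zero-on-entry treatment rather than only this read path.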
