Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

torvalds · torvalds · commit e303a067ceed · 2019-02-07T15:53:26.000-07:00
Pull KVM fixes from Paolo Bonzini: "Three security fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
@@ -211,6 +211,7 @@ static void free_nested(struct kvm_vcpu *vcpu)
 	if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
 		return;
 
+	hrtimer_cancel(&vmx->nested.preemption_timer);
 	vmx->nested.vmxon = false;
 	vmx->nested.smm.vmxon = false;
 	free_vpid(vmx->nested.vpid02);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
 {
 	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
 
+	/*
+	 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+	 * is returned, but our callers are not ready for that and they blindly
+	 * call kvm_inject_page_fault.  Ensure that they at least do not leak
+	 * uninitialized kernel stack memory into cr2 and error code.
+	 */
+	memset(exception, 0, sizeof(*exception));
 	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
 					  exception);
 }
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
@@ -3000,16 +3000,17 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
 	if (ops->init)
 		ops->init(dev);
 
+	kvm_get_kvm(kvm);
 	ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
 	if (ret < 0) {
+		kvm_put_kvm(kvm);
 		mutex_lock(&kvm->lock);
 		list_del(&dev->vm_node);
 		mutex_unlock(&kvm->lock);
 		ops->destroy(dev);
 		return ret;
 	}
 
-	kvm_get_kvm(kvm);
 	cd->fd = ret;
 	return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,`
`5116`	`5116`	`{`
`5117`	`5117`	`u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;`
`5118`	`5118`
	`5119`	`+ /*`
	`5120`	`+ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED`
	`5121`	`+ * is returned, but our callers are not ready for that and they blindly`
	`5122`	`+ * call kvm_inject_page_fault. Ensure that they at least do not leak`
	`5123`	`+ * uninitialized kernel stack memory into cr2 and error code.`
	`5124`	`+ */`
	`5125`	`+ memset(exception, 0, sizeof(*exception));`
`5119`	`5126`	`return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,`
`5120`	`5127`	`exception);`
`5121`	`5128`	`}`