From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Xiaohan Zhang <zhangxiaohan1@huawei.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4.9 023/120] KVM: x86: fix emulation of "MOV SS, null selector"
Date: Wed, 18 Jan 2017 11:45:41 +0100
Message-ID: <20170118104649.071756734@linuxfoundation.org>
In-Reply-To: <20170118104648.120216880@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 33ab91103b3415e12457e3104f0e4517ce12d0f3 upstream.
This is CVE-2017-2583. On Intel this causes a failed vmentry because
SS's type is neither 3 nor 7 (even though the manual says this check is
only done for usable SS, and the dmesg splat says that SS is unusable!).
On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.
The fix fabricates a data segment descriptor when SS is set to a null
selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
this in turn ensures CPL < 3 because RPL must be equal to CPL.
Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
the bug and deciphering the manuals.
Reported-by: Xiaohan Zhang <zhangxiaohan1@huawei.com>
Fixes: 79d5b4c3cd809c770d4bf9812635647016c56011
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/emulate.c | 48 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 38 insertions(+), 10 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1544,7 +1544,6 @@ static int write_segment_descriptor(stru
&ctxt->exception);
}
-/* Does not support long mode */
static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
u16 selector, int seg, u8 cpl,
enum x86_transfer_type transfer,
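Review bot: dropping the `-/* Does not support long mode */` comment on __load_segment_descriptor is right, since the function already branches on `ctxt->mode != X86EMUL_MODE_PROT64` and this patch makes the long-mode null-SS case its main concern, but it leaves the function with no statement of what long-mode handling it does provide. A one-line replacement such as "Handles a NULL SS selector in long mode; CPL<3 enforcement is in load_segment_descriptor" would tell the next reader where the two halves of the check live.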
@@ -1581,20 +1580,34 @@ static int __load_segment_descriptor(str
rpl = selector & 3;
- /* NULL selector is not valid for TR, CS and SS (except for long mode) */
- if ((seg == VCPU_SREG_CS
- || (seg == VCPU_SREG_SS
- && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
- || seg == VCPU_SREG_TR)
- && null_selector)
- goto exception;
-
/* TR should be in GDT only */
if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
goto exception;
- if (null_selector) /* for NULL selector skip all following checks */
+ /* NULL selector is not valid for TR, CS and (except for long mode) SS */
+ if (null_selector) {
+ if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
+ goto exception;
+
+ if (seg == VCPU_SREG_SS) {
+ if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
+ goto exception;
+
+ /*
+ * ctxt->ops->set_segment expects the CPL to be in
+ * SS.DPL, so fake an expand-up 32-bit data segment.
+ */
+ seg_desc.type = 3;
+ seg_desc.p = 1;
+ seg_desc.s = 1;
+ seg_desc.dpl = cpl;
+ seg_desc.d = 1;
+ seg_desc.g = 1;
+ }
+
+ /* Skip all following checks */
goto load;
+ }
ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
if (ret != X86EMUL_CONTINUE)
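Review bot: the fabricated descriptor in the `seg == VCPU_SREG_SS` branch only sets type, p, s, dpl, d and g, so the base and limit that `ctxt->ops->set_segment` receives are whatever `seg_desc` already held; that is correct only if `seg_desc` is zero-initialised at the top of the function, which this hunk does not show, so please confirm and add a short comment that a zero base/limit is intended for the fake segment. The preceding `rpl != cpl` test is what guarantees CPL == SS.RPL as the commit message states, and moving the null-selector block after the "TR should be in GDT only" check is harmless because a null selector always has the TI bit (`selector & (1 << 2)`) clear, so the TR test can never fire on one.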
@@ -1710,6 +1723,21 @@ static int load_segment_descriptor(struc
u16 selector, int seg)
{
u8 cpl = ctxt->ops->cpl(ctxt);
+
+ /*
+ * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
+ * they can load it at CPL<3 (Intel's manual says only LSS can,
+ * but it's wrong).
+ *
+ * However, the Intel manual says that putting IST=1/DPL=3 in
+ * an interrupt gate will result in SS=3 (the AMD manual instead
+ * says it doesn't), so allow SS=3 in __load_segment_descriptor
+ * and only forbid it here.
+ */
+ if (seg == VCPU_SREG_SS && selector == 3 &&
+ ctxt->mode == X86EMUL_MODE_PROT64)
+ return emulate_exception(ctxt, GP_VECTOR, 0, true);
+
return __load_segment_descriptor(ctxt, selector, seg, cpl,
X86_TRANSFER_NONE, NULL);
}
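Review bot: the `selector == 3` test in load_segment_descriptor is correct but terse: a null selector has index 0 and TI clear, so the null values are exactly 0 through 3, and `== 3` means "null selector with RPL 3". Stating that in the comment, or writing it as `(selector & ~3) == 0 && (selector & 3) == 3`, would save the next reader a trip to the manual. Placing the check here rather than in __load_segment_descriptor is justified by the interrupt-gate case the comment already describes, and returning `#GP(0)` via `emulate_exception(ctxt, GP_VECTOR, 0, true)` matches the fault the architecture raises for a NULL selector loaded into SS.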