[0/2] KVM: nVMX: fix out-of-bounds access (CVE-2017-12188)
mbox series

Message ID 1507649459-144559-1-git-send-email-pbonzini@redhat.com
Headers show
  • KVM: nVMX: fix out-of-bounds access (CVE-2017-12188)
Related show


Paolo Bonzini Oct. 10, 2017, 3:30 p.m. UTC
Due to a combination of a bug in nEPT (patch 1), and a broken safety
net elsewhere in the MMU code (patch 2), a malicious guest could use
nested EPT to overwrite kernel memory.  In particular, the arrays in
struct guest_walker could be accessed with index -1 and the "level" and
"max_level" fields overwritten:

struct guest_walker {
        int level;
        unsigned max_level;
        gfn_t table_gfn[PT_MAX_FULL_LEVELS];

Because the level field is used as an index into array, it is at least
possible to overwrite the kernel stack and this should be treated as a
possible guest-to-host escape on Intel hosts with nested virtualization

While the incorrect code in patch 1 is present since Linux 3.12, the
bug only affects Linux kernels 4.6 and newer.  Therefore, stable kernels
only need to apply the second patch, which has the advantage of applying
more cleanly.

The bug was discovered by Ladislav (Ladi) Prosek from Red Hat.



Ladi Prosek (2):
  KVM: nVMX: update last_nonleaf_level when initializing nested EPT
  KVM: MMU: always terminate page walks at level 1

 arch/x86/kvm/mmu.c         | 15 ++++++++-------
 arch/x86/kvm/paging_tmpl.h |  3 ++-
 2 files changed, 10 insertions(+), 8 deletions(-)