linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Fuqian Huang <huangfq.daxian@gmail.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4.4 16/56] KVM: x86: work around leak of uninitialized stack contents
Date: Fri, 20 Sep 2019 00:03:57 +0200	[thread overview]
Message-ID: <20190919214752.638662940@linuxfoundation.org> (raw)
In-Reply-To: <20190919214742.483643642@linuxfoundation.org>

From: Fuqian Huang <huangfq.daxian@gmail.com>

commit 541ab2aeb28251bf7135c7961f3a6080eebcc705 upstream.

Emulation of VMPTRST can incorrectly inject a page fault
when passed an operand that points to an MMIO address.
The page fault will use uninitialized kernel stack memory
as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just ensure
that the error code and CR2 are zero.

Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
Cc: stable@vger.kernel.org
[add comment]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/x86.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4337,6 +4337,13 @@ static int emulator_write_std(struct x86
 	if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
 		access |= PFERR_USER_MASK;
 
+	/*
+	 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+	 * is returned, but our callers are not ready for that and they blindly
+	 * call kvm_inject_page_fault.  Ensure that they at least do not leak
+	 * uninitialized kernel stack memory into cr2 and error code.
+	 */
+	memset(exception, 0, sizeof(*exception));
 	return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
 					   access, exception);
 }



  parent reply	other threads:[~2019-09-19 22:22 UTC|newest]

Thread overview: 62+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-19 22:03 [PATCH 4.4 00/56] 4.4.194-stable review Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 01/56] bridge/mdb: remove wrong use of NLM_F_MULTI Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 02/56] cdc_ether: fix rndis support for Mediatek based smartphones Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 03/56] ipv6: Fix the link time qualifier of ping_v6_proc_exit_net() Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 04/56] isdn/capi: check message length in capi_write() Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 05/56] net: Fix null de-reference of device refcount Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 06/56] sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 07/56] sctp: Fix the link time qualifier of sctp_ctrlsock_exit() Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 08/56] sctp: use transport pf_retrans in sctp_do_8_2_transport_strike Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 09/56] tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 10/56] tipc: add NULL pointer check before calling kfree_rcu Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 11/56] tun: fix use-after-free when register netdev failed Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 12/56] Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur" Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 13/56] Btrfs: fix assertion failure during fsync and use of stale transaction Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 14/56] genirq: Prevent NULL pointer dereference in resend_irqs() Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 15/56] KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl Greg Kroah-Hartman
2019-09-19 22:03 ` Greg Kroah-Hartman [this message]
2019-09-19 22:03 ` [PATCH 4.4 17/56] KVM: nVMX: handle page fault in vmread Greg Kroah-Hartman
2019-09-19 22:03 ` [PATCH 4.4 18/56] MIPS: VDSO: Prevent use of smp_processor_id() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 19/56] MIPS: VDSO: Use same -m%-float cflag as the kernel proper Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 20/56] clk: rockchip: Dont yell about bad mmc phases when getting Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 21/56] driver core: Fix use-after-free and double free on glue directory Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 22/56] crypto: talitos - check AES key size Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 23/56] crypto: talitos - check data blocksize in ablkcipher Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 24/56] x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 25/56] MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 26/56] ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 27/56] USB: usbcore: Fix slab-out-of-bounds bug during device reset Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 28/56] media: tm6000: double free if usb disconnect while streaming Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 29/56] x86/boot: Add missing bootparam that breaks boot on some platforms Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 30/56] xen-netfront: do not assume sk_buff_head list is empty in error handling Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 31/56] KVM: coalesced_mmio: add bounds checking Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 32/56] serial: sprd: correct the wrong sequence of arguments Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 33/56] tty/serial: atmel: reschedule TX after RX was started Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 34/56] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 35/56] s390/bpf: fix lcgr instruction encoding Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 36/56] ARM: OMAP2+: Fix omap4 errata warning on other SoCs Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 37/56] s390/bpf: use 32-bit index for tail calls Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 38/56] NFSv4: Fix return values for nfs4_file_open() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 39/56] NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 40/56] Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105 Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 41/56] ARM: 8874/1: mm: only adjust sections of valid mm structures Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 42/56] r8152: Set memory to all 0xFFs on failed reg reads Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 43/56] x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 44/56] netfilter: nf_conntrack_ftp: Fix debug output Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 45/56] NFSv2: Fix eof handling Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 46/56] NFSv2: Fix write regression Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 47/56] cifs: set domainName when a domain-key is used in multiuser Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 48/56] cifs: Use kzfree() to zero out the password Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 49/56] sky2: Disable MSI on yet another ASUS boards (P6Xxxx) Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 50/56] tools/power turbostat: fix buffer overrun Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 51/56] net: seeq: Fix the function used to release some memory in an error handling path Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 52/56] dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 53/56] keys: Fix missing null pointer check in request_key_auth_describe() Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 54/56] floppy: fix usercopy direction Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 55/56] media: technisat-usb2: break out of loop at end of buffer Greg Kroah-Hartman
2019-09-19 22:04 ` [PATCH 4.4 56/56] ARC: export "abort" for modules Greg Kroah-Hartman
2019-09-20  4:00 ` [PATCH 4.4 00/56] 4.4.194-stable review kernelci.org bot
2019-09-20 13:41 ` Guenter Roeck
2019-09-20 13:47 ` Jon Hunter
2019-09-20 14:35 ` Naresh Kamboju
2019-09-20 21:38 ` shuah

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190919214752.638662940@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=huangfq.daxian@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).