author | Salvatore Bonaccorso <carnil@debian.org> | 2022-05-26 16:55:38 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-05-26 16:56:58 +0200 |
commit | 97a4e58591bdcd9ff75aeafcfd9bd97ab9030505 (patch) | |
tree | 119740f749dda910fb20a30513ce6d50dbe4f77f /debian/patches | |
parent | 298df0b934077d783f463d58c3990139474c7aef (diff) | |
download | linux-debian-97a4e58591bdcd9ff75aeafcfd9bd97ab9030505.tar.gz |
[x86] KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID (CVE-2022-1789)
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/bugfix/x86/KVM-x86-mmu-fix-NULL-pointer-dereference-on-guest-IN.patch | 53 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 54 insertions, 0 deletions
diff --git a/debian/patches/bugfix/x86/KVM-x86-mmu-fix-NULL-pointer-dereference-on-guest-IN.patch b/debian/patches/bugfix/x86/KVM-x86-mmu-fix-NULL-pointer-dereference-on-guest-IN.patch
new file mode 100644
index 000000000..8a85cab80
--- /dev/null
+++ b/debian/patches/bugfix/x86/KVM-x86-mmu-fix-NULL-pointer-dereference-on-guest-IN.patch
@@ -0,0 +1,53 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 20 May 2022 13:48:11 -0400
+Subject: KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
+Origin: https://git.kernel.org/linus/9f46c187e2e680ecd9de7983e4d081c3391acc76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-1789
+
+With shadow paging enabled, the INVPCID instruction results in a call
+to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the
+invlpg callback is not set and the result is a NULL pointer dereference.
+Fix it trivially by checking for mmu->invlpg before every call.
+
+There are other possibilities:
+
+- check for CR0.PG, because KVM (like all Intel processors after P5)
+ flushes guest TLB on CR0.PG changes so that INVPCID/INVLPG are a
+ nop with paging disabled
+
+- check for EFER.LMA, because KVM syncs and flushes when switching
+ MMU contexts outside of 64-bit mode
+
+All of these are tricky, go for the simple solution. This is CVE-2022-1789.
+
+Reported-by: Yongkang Jia <kangel@zju.edu.cn>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[fix conflict due to missing b9e5603c2a3accbadfec570ac501a54431a6bdba]
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/mmu/mmu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -5416,14 +5416,16 @@ void kvm_mmu_invpcid_gva(struct kvm_vcpu
+ uint i;
+
+ if (pcid == kvm_get_active_pcid(vcpu)) {
+- mmu->invlpg(vcpu, gva, mmu->root_hpa);
++ if (mmu->invlpg)
++ mmu->invlpg(vcpu, gva, mmu->root_hpa);
+ tlb_flush = true;
+ }
+
+ for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
+ if (VALID_PAGE(mmu->prev_roots[i].hpa) &&
+ pcid == kvm_get_pcid(vcpu, mmu->prev_roots[i].pgd)) {
+- mmu->invlpg(vcpu, gva, mmu->prev_roots[i].hpa);
++ if (mmu->invlpg)
++ mmu->invlpg(vcpu, gva, mmu->prev_roots[i].hpa);
+ tlb_flush = true;
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index f795671e9..82bf77791 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -99,6 +99,7 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
+bugfix/x86/KVM-x86-mmu-fix-NULL-pointer-dereference-on-guest-IN.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch |
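Review bot: The two new `if (mmu->invlpg)` guards in the kvm_mmu_invpcid_gva hunk encode a precondition that only the commit message explains — the callback is unset when the guest runs with CR0.PG=0 under shadow paging — and nothing in the code says why a NULL callback is acceptable at this point rather than a bug; a comment above the first guard, `/* invlpg is unset while the guest has paging disabled; INVPCID is then a nop */`, would keep the next reader from treating the check as defensive noise. Both guarded paths still set `tlb_flush = true` when the callback is skipped, which reads as intentional given the message's "nop with paging disabled" reasoning, but that should be stated in the same comment. The backport note records a conflict against a missing upstream commit, so any other direct `mmu->invlpg(...)` callers in mmu.c outside this hunk should be checked for the same precondition rather than assumed covered. kvm_mmu_invpcid_gva begins and ends outside the hunk.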