Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2663062imj; Mon, 11 Feb 2019 06:40:05 -0800 (PST) X-Google-Smtp-Source: AHgI3IabXV5r4xdtL4BZDwS3RdoWm7/aN32LQfGYCPx3O6V/TnOEkAuQdTrYBJ2j67JAUN311c3A X-Received: by 2002:a17:902:9a07:: with SMTP id v7mr37018296plp.247.1549896005390; Mon, 11 Feb 2019 06:40:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549896005; cv=none; d=google.com; s=arc-20160816; b=TghVtTydR6ToD/Naw6DVgd97zqMB8tcZTc3evTmXhg1gdJdfLoiXhk7MGFzqZ6TgOh KxNLsXn/6Ufd7VW9C4JVZdedCYkgQ4BkzLyWUYZMCjaIaG+c8IUJdbmT26RSnQ04NujG vvO6frLajJ4zeD5asICz5+mTzMIyhA4RT91KEyv61c+ZyzrzIuWojG3pLJ9jPTbJ08ig L5ZedjgbKDJKU3kizSkYARaJrzgX/lgoIpGiMPqXpr+CM5Kq7WLStcx8ygf+9ndeE9rr 0V4KPYK46JKDsA4KjSCfjpBYJF5bXC7+5vwiKMxKp0h2B6tBp2nz69uWnNHhXiSWwFUt AjPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=3x79KcVbrFIxiMJZkxEgaHRAwCe/O7Hh/d9XoDuRZO8=; b=1Ah9gdvT/8AKFskptAo1MFfbma3IBDH4o/aYxQKLmC5iwQhUoGwo0Sk2LsY7ZqTnOL 1fRQSaAHCWjPjDr32u0rRKVq4Lo/3yZ8vPcRLexX5l6bsEACBbdhVZbNz6Ro1i3FFNb+ cYqaAg4OnnZf9nPzo+XnLZ292p8VViGVq62vpTL/cg3QMdwwARYMOvrSo0FDMJKDTSWE dTVFPx/ZlZaGjkStbs+wr+s8+oWwPh4pItSbsBRSs/1McjiPR4FCO2yN8F3+zSDnFMlp 2R5TkWrVfXDQLGlNsom0A4jp4o2s1KOKBCTzvAi0MOsxAyygKi1uBd9Z7EWmDAJ9r1C3 /eOQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=SyRYKULH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z20si9241099pgv.159.2019.02.11.06.39.49; Mon, 11 Feb 2019 06:40:05 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=SyRYKULH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731658AbfBKOiX (ORCPT + 99 others); Mon, 11 Feb 2019 09:38:23 -0500 Received: from mail.kernel.org ([198.145.29.99]:48090 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730875AbfBKOiV (ORCPT ); Mon, 11 Feb 2019 09:38:21 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 89D072081B; Mon, 11 Feb 2019 14:38:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1549895901; bh=YDOL7bNZ5gzlTYR1zB3MeFJwNbUHJ3VUBEJPYBUHONI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SyRYKULHI91q8WRHIjjjxaKGXQ8+ouUvZJ7mOAZNdruGSmmuevIxwPaZtSN+3vfqW meQv3FdH7MOQL7AJgR/tmwKcsKxNqECsMzovzhPKwtfmtDRFQ+wA7iCd25bBiBQBfx WpQhqHFHTKiVOspkKBPVW4SJVhf7ru3WcbpeeGms= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Felix Wilhelm , stable@kernel.org, Paolo Bonzini Subject: [PATCH 4.20 339/352] KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) Date: Mon, 11 Feb 2019 15:19:26 +0100 Message-Id: <20190211141908.744528005@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190211141846.543045703@linuxfoundation.org> References: <20190211141846.543045703@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Paolo Bonzini commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a upstream. Bugzilla: 1671930 Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with memory operand, INVEPT, INVVPID) can incorrectly inject a page fault when passed an operand that points to an MMIO address. The page fault will use uninitialized kernel stack memory as the CR2 and error code. The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR exit to userspace; however, it is not an easy fix, so for now just ensure that the error code and CR2 are zero. Embargoed until Feb 7th 2019. Reported-by: Felix Wilhelm Cc: stable@kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/x86.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -5041,6 +5041,13 @@ int kvm_read_guest_virt(struct kvm_vcpu { u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; + /* + * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED + * is returned, but our callers are not ready for that and they blindly + * call kvm_inject_page_fault. Ensure that they at least do not leak + * uninitialized kernel stack memory into cr2 and error code. + */ + memset(exception, 0, sizeof(*exception)); return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, exception); }