From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Felix Wilhelm, stable@kernel.org, Paolo Bonzini
Subject: [PATCH 4.4 092/143] KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
Date: Mon, 18 Feb 2019 14:43:40 +0100
Message-Id: <20190218133532.418002402@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190218133529.099444112@linuxfoundation.org>
References: <20190218133529.099444112@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini

commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a upstream.

Bugzilla: 1671930

Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with memory operand, INVEPT, INVVPID) can incorrectly inject a page fault when passed an operand that points to an MMIO address. The page fault will use uninitialized kernel stack memory as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR exit to userspace; however, it is not an easy fix, so for now just ensure that the error code and CR2 are zero.

Embargoed until Feb 7th 2019.

Reported-by: Felix Wilhelm
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/x86.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4247,6 +4247,13 @@ int kvm_read_guest_virt(struct kvm_vcpu { u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; + /* + * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED + * is returned, but our callers are not ready for that and they blindly + * call kvm_inject_page_fault. Ensure that they at least do not leak + * uninitialized kernel stack memory into cr2 and error code. + */ + memset(exception, 0, sizeof(*exception)); return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, exception); }
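Review bot: the memset in kvm_read_guest_virt only protects callers that reach their guest memory read through this one function, while the commit message lists six affected instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with memory operand, INVEPT, INVVPID); before merging, confirm that every one of those emulation paths obtains its `struct x86_exception` via kvm_read_guest_virt and not via another read helper that still leaves the struct untouched on X86EMUL_IO_NEEDED, otherwise the leak of uninitialized CR2 and error code values into the injected page fault remains reachable there. Placing `memset(exception, 0, sizeof(*exception));` before the call to kvm_read_guest_virt_helper is the right ordering, since a genuine fault detected by the helper still overwrites the zeroed fields afterwards. Since the FIXME comment records that the intended behaviour is handle_emulation_failure rather than a silent zero-filled fault, consider adding the Bugzilla reference (1671930) to the comment so the stopgap is not mistaken for the final fix in later 4.4 backports.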