[044/127] KVM: VMX: fix vmx null pointer dereference on debug register access

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Greg KH

Subject: [044/127] KVM: VMX: fix vmx null pointer dereference on debug register access

Date: Tuesday, December 7, 2010 - 5:43 pm

2.6.32-stable review patch.  If anyone has any objections, please let us know.

------------------

There is a bug in KVM that can be used to crash a host on Intel
machines. If emulator is tricked into emulating mov to/from DR instruction
it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
are not initialized. Recently this is not exploitable from guest
userspace, but malicious guest kernel can trigger it easily.

CVE-2010-0435

On upstream bug was fixed differently around 2.6.34.

Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 arch/x86/kvm/x86.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2782,6 +2782,9 @@ int emulator_get_dr(struct x86_emulate_c
 {
 	struct kvm_vcpu *vcpu = ctxt->vcpu;
 
+	if (!kvm_x86_ops->get_dr)
+		return X86EMUL_UNHANDLEABLE;
+
 	switch (dr) {
 	case 0 ... 3:
 		*dest = kvm_x86_ops->get_dr(vcpu, dr);
@@ -2797,6 +2800,9 @@ int emulator_set_dr(struct x86_emulate_c
 	unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
 	int exception;
 
+	if (!kvm_x86_ops->set_dr)
+		return X86EMUL_UNHANDLEABLE;
+
 	kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);
 	if (exception) {
 		/* FIXME: better handling */


--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[044/127] KVM: VMX: fix vmx null pointer dereference on de ..., Greg KH, (Tue Dec 7, 5:43 pm)


linux-kernel:
Dave Jones	Re: OT: character encodings (was: Linux 2.6.20-rc4)
Greg Kroah-Hartman	[PATCH 17/36] sysdev: detect multiple driver registrations
Sam Ravnborg	Re: [PATCH] kbuild: fix make V=1
Nick Piggin	Re: [PATCH 0/24] make atomic_read() behave consistently across all architectures
Greg Kroah-Hartman	[PATCH 10/36] driver core: Convert debug functions declared inline __attribute__((...
git:
Stephen R. van den Berg	Re: [RFC] origin link for cherry-pick and revert
Junio C Hamano	Re: [PATCH 1/2] Teach git-describe to display distances from tags.
Johannes Schindelin	Re: [PATCH 2/2] git-svn: support fetch with autocrlf on
Junio C Hamano	Re: [PATCH 6/6] Teach core object handling functions about gitlinks
James Henstridge	Re: VCS comparison table
linux-netdev:
Jarek Poplawski	Re: [PATCH] flush_work_sync vs. flush_scheduled_work Re: [PATCH] PHYLIB: IRQ event...
Lennert Buytenhek	Re: Distributed Switch Architecture(DSA)
Daniel Schaffrath	Re: tcp bw in 2.6
Matt Mackall	Re: [regression] nf_iterate(), BUG: unable to handle kernel NULL pointer dereference
Guo-Fu Tseng	Re: jme: UDP checksum error, and lots of them
openbsd-misc:
Claudio Jeker	Re: Vlan Tag on Vlan Tag (l2tunneling)
Josh Grosse	ssh/sshd challenge-response seems to have stopped working in -current
Pieter Verberne	File collision while using pkg_add
Tomas Bodzar	bsd: uvm_mapent_alloc: out of static map entries
Community First Financial	Teacher A+ Loan
git-commits-head:
Linux Kernel Mailing List	ath9k: Added get_survey callback in order to get channel noise
Linux Kernel Mailing List	tracing: protect reader of cmdline output
Linux Kernel Mailing List	kconfig: recalc symbol value before showing search results
Linux Kernel Mailing List	swsusp: provide users with a hint about the no_console_suspend option
Linux Kernel Mailing List	[ARM] 5185/1: Fix spi num_chipselect for lubbock