aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2019-02-07 17:53:26 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2019-02-07 17:53:26 -0500
commite303a067ceede918fbf90ff3dc8affbb98bad4e8 (patch)
tree13f5048bee966ccf8af6e64c3454c5d8bcc7586e
parentee6c0737a0253d6e79063f0a74c1101fdaad0812 (diff)
parentecec76885bcfe3294685dc363fd1273df0d5d65f (diff)
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull KVM fixes from Paolo Bonzini: "Three security fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
Diffstat
-rw-r--r--arch/x86/kvm/vmx/nested.c1
-rw-r--r--arch/x86/kvm/x86.c7
-rw-r--r--virt/kvm/kvm_main.c3
3 files changed, 10 insertions, 1 deletions
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 8ff20523661b..d8ea4ebd79e7 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -211,6 +211,7 @@ static void free_nested(struct kvm_vcpu *vcpu)
211 if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) 211 if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
212 return; 212 return;
213 213
214 hrtimer_cancel(&vmx->nested.preemption_timer);
214 vmx->nested.vmxon = false; 215 vmx->nested.vmxon = false;
215 vmx->nested.smm.vmxon = false; 216 vmx->nested.smm.vmxon = false;
216 free_vpid(vmx->nested.vpid02); 217 free_vpid(vmx->nested.vpid02);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3d27206f6c01..e67ecf25e690 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
5116{ 5116{
5117 u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; 5117 u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
5118 5118
5119 /*
5120 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
5121 * is returned, but our callers are not ready for that and they blindly
5122 * call kvm_inject_page_fault. Ensure that they at least do not leak
5123 * uninitialized kernel stack memory into cr2 and error code.
5124 */
5125 memset(exception, 0, sizeof(*exception));
5119 return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, 5126 return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
5120 exception); 5127 exception);
5121} 5128}
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 5ecea812cb6a..585845203db8 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
3000 if (ops->init) 3000 if (ops->init)
3001 ops->init(dev); 3001 ops->init(dev);
3002 3002
3003 kvm_get_kvm(kvm);
3003 ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); 3004 ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
3004 if (ret < 0) { 3005 if (ret < 0) {
3006 kvm_put_kvm(kvm);
3005 mutex_lock(&kvm->lock); 3007 mutex_lock(&kvm->lock);
3006 list_del(&dev->vm_node); 3008 list_del(&dev->vm_node);
3007 mutex_unlock(&kvm->lock); 3009 mutex_unlock(&kvm->lock);
@@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
3009 return ret; 3011 return ret;
3010 } 3012 }
3011 3013
3012 kvm_get_kvm(kvm);
3013 cd->fd = ret; 3014 cd->fd = ret;
3014 return 0; 3015 return 0;
3015} 3016}
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-26 02:48:19 -0500