KVM: Fix fs/gs reload oops with invalid ldt

kvm reloads the host's fs and gs blindly, however the underlying segment descriptors may be invalid due to the user modifying the ldt after loading them. Fix by using the safe accessors (loadsegment() and load_gs_index()) instead of home grown unsafe versions. This is CVE-2010-3698. KVM-Stable-Tag. Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
author: Avi Kivity <avi@redhat.com> 2010-10-19 10:46:55 -0400
committer: Marcelo Tosatti <mtosatti@redhat.com> 2010-10-19 12:21:45 -0400
commit: 9581d442b9058d3699b4be568b6e5eae38a41493 (patch)
tree: 76d1b596d873514fdb9b3bf75d6d7b3cbfada85d /arch/x86/include/asm
parent: 2b666ca4a68cbc22483b0f2e1ba3c0e59b01ae9e (diff)
1 files changed, 0 insertions, 24 deletions
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 502e53f999cf..c52e2eb40a1e 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -652,20 +652,6 @@ static inline struct kvm_mmu_page *page_header(hpa_t shadow_page)
        return (struct kvm_mmu_page *)page_private(page);
 }
-static inline u16 kvm_read_fs(void)
-{
-        u16 seg;
-        asm("mov %%fs, %0" : "=g"(seg));
-        return seg;
-}
-static inline u16 kvm_read_gs(void)
-{
-        u16 seg;
-        asm("mov %%gs, %0" : "=g"(seg));
-        return seg;
-}
 static inline u16 kvm_read_ldt(void)
 {
        u16 ldt;
@@ -673,16 +659,6 @@ static inline u16 kvm_read_ldt(void)
        return ldt;
 }
-static inline void kvm_load_fs(u16 sel)
-{
-        asm("mov %0, %%fs" : : "rm"(sel));
-}
-static inline void kvm_load_gs(u16 sel)
-{
-        asm("mov %0, %%gs" : : "rm"(sel));
-}
 static inline void kvm_load_ldt(u16 sel)
 {
        asm("lldt %0" : : "rm"(sel));
author	Avi Kivity <avi@redhat.com>	2010-10-19 10:46:55 -0400
committer	Marcelo Tosatti <mtosatti@redhat.com>	2010-10-19 12:21:45 -0400
commit	9581d442b9058d3699b4be568b6e5eae38a41493 (patch)
tree	76d1b596d873514fdb9b3bf75d6d7b3cbfada85d /arch/x86/include/asm
parent	2b666ca4a68cbc22483b0f2e1ba3c0e59b01ae9e (diff)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 502e53f999cf..c52e2eb40a1e 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h
@@ -652,20 +652,6 @@ static inline struct kvm_mmu_page *page_header(hpa_t shadow_page)
652	return (struct kvm_mmu_page *)page_private(page);	652	return (struct kvm_mmu_page *)page_private(page);
653	}	653	}
654		654
655	static inline u16 kvm_read_fs(void)
656	{
657	u16 seg;
658	asm("mov %%fs, %0" : "=g"(seg));
659	return seg;
660	}
661
662	static inline u16 kvm_read_gs(void)
663	{
664	u16 seg;
665	asm("mov %%gs, %0" : "=g"(seg));
666	return seg;
667	}
668
669	static inline u16 kvm_read_ldt(void)	655	static inline u16 kvm_read_ldt(void)
670	{	656	{
671	u16 ldt;	657	u16 ldt;
@@ -673,16 +659,6 @@ static inline u16 kvm_read_ldt(void)
673	return ldt;	659	return ldt;
674	}	660	}
675		661
676	static inline void kvm_load_fs(u16 sel)
677	{
678	asm("mov %0, %%fs" : : "rm"(sel));
679	}
680
681	static inline void kvm_load_gs(u16 sel)
682	{
683	asm("mov %0, %%gs" : : "rm"(sel));
684	}
685
686	static inline void kvm_load_ldt(u16 sel)	662	static inline void kvm_load_ldt(u16 sel)
687	{	663	{
688	asm("lldt %0" : : "rm"(sel));	664	asm("lldt %0" : : "rm"(sel));