diff options
| author | Avi Kivity <avi@redhat.com> | 2010-10-19 10:46:55 -0400 |
|---|---|---|
| committer | Marcelo Tosatti <mtosatti@redhat.com> | 2010-10-19 12:21:45 -0400 |
| commit | 9581d442b9058d3699b4be568b6e5eae38a41493 (patch) | |
| tree | 76d1b596d873514fdb9b3bf75d6d7b3cbfada85d /arch/x86/kvm/svm.c | |
| parent | 2b666ca4a68cbc22483b0f2e1ba3c0e59b01ae9e (diff) | |
KVM: Fix fs/gs reload oops with invalid ldt
kvm reloads the host's fs and gs blindly, however the underlying segment
descriptors may be invalid due to the user modifying the ldt after loading
them.
Fix by using the safe accessors (loadsegment() and load_gs_index()) instead
of home grown unsafe versions.
This is CVE-2010-3698.
KVM-Stable-Tag.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Diffstat (limited to 'arch/x86/kvm/svm.c')
| -rw-r--r-- | arch/x86/kvm/svm.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index 81ed28cb36e6..8a3f9f64f86f 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c | |||
| @@ -3163,8 +3163,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) | |||
| 3163 | sync_lapic_to_cr8(vcpu); | 3163 | sync_lapic_to_cr8(vcpu); |
| 3164 | 3164 | ||
| 3165 | save_host_msrs(vcpu); | 3165 | save_host_msrs(vcpu); |
| 3166 | fs_selector = kvm_read_fs(); | 3166 | savesegment(fs, fs_selector); |
| 3167 | gs_selector = kvm_read_gs(); | 3167 | savesegment(gs, gs_selector); |
| 3168 | ldt_selector = kvm_read_ldt(); | 3168 | ldt_selector = kvm_read_ldt(); |
| 3169 | svm->vmcb->save.cr2 = vcpu->arch.cr2; | 3169 | svm->vmcb->save.cr2 = vcpu->arch.cr2; |
| 3170 | /* required for live migration with NPT */ | 3170 | /* required for live migration with NPT */ |
| @@ -3251,10 +3251,15 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) | |||
| 3251 | vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp; | 3251 | vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp; |
| 3252 | vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip; | 3252 | vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip; |
| 3253 | 3253 | ||
| 3254 | kvm_load_fs(fs_selector); | ||
| 3255 | kvm_load_gs(gs_selector); | ||
| 3256 | kvm_load_ldt(ldt_selector); | ||
| 3257 | load_host_msrs(vcpu); | 3254 | load_host_msrs(vcpu); |
| 3255 | loadsegment(fs, fs_selector); | ||
| 3256 | #ifdef CONFIG_X86_64 | ||
| 3257 | load_gs_index(gs_selector); | ||
| 3258 | wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs); | ||
| 3259 | #else | ||
| 3260 | loadsegment(gs, gs_selector); | ||
| 3261 | #endif | ||
| 3262 | kvm_load_ldt(ldt_selector); | ||
| 3258 | 3263 | ||
| 3259 | reload_tss(vcpu); | 3264 | reload_tss(vcpu); |
| 3260 | 3265 | ||