KVM: Fix fs/gs reload oops with invalid ldt

kvm reloads the host's fs and gs blindly, however the underlying segment descriptors may be invalid due to the user modifying the ldt after loading them. Fix by using the safe accessors (loadsegment() and load_gs_index()) instead of home grown unsafe versions. This is CVE-2010-3698. KVM-Stable-Tag. Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
author: Avi Kivity <avi@redhat.com> 2010-10-19 10:46:55 -0400
committer: Marcelo Tosatti <mtosatti@redhat.com> 2010-10-19 12:21:45 -0400
commit: 9581d442b9058d3699b4be568b6e5eae38a41493 (patch)
tree: 76d1b596d873514fdb9b3bf75d6d7b3cbfada85d /arch/x86/kvm/vmx.c
parent: 2b666ca4a68cbc22483b0f2e1ba3c0e59b01ae9e (diff)
1 files changed, 9 insertions, 15 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 49b25eee25ac..7bddfab12013 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -803,7 +803,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
         */
        vmx->host_state.ldt_sel = kvm_read_ldt();
        vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel;
-        vmx->host_state.fs_sel = kvm_read_fs();
+        savesegment(fs, vmx->host_state.fs_sel);
        if (!(vmx->host_state.fs_sel & 7)) {
                vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel);
                vmx->host_state.fs_reload_needed = 0;
@@ -811,7 +811,7 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
                vmcs_write16(HOST_FS_SELECTOR, 0);
                vmx->host_state.fs_reload_needed = 1;
        }
-        vmx->host_state.gs_sel = kvm_read_gs();
+        savesegment(gs, vmx->host_state.gs_sel);
        if (!(vmx->host_state.gs_sel & 7))
                vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel);
        else {
@@ -841,27 +841,21 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
 static void __vmx_load_host_state(struct vcpu_vmx *vmx)
 {
-        unsigned long flags;
        if (!vmx->host_state.loaded)
                return;
        ++vmx->vcpu.stat.host_state_reload;
        vmx->host_state.loaded = 0;
        if (vmx->host_state.fs_reload_needed)
-                kvm_load_fs(vmx->host_state.fs_sel);
+                loadsegment(fs, vmx->host_state.fs_sel);
        if (vmx->host_state.gs_ldt_reload_needed) {
                kvm_load_ldt(vmx->host_state.ldt_sel);
-                /*
-                 * If we have to reload gs, we must take care to
-                 * preserve our gs base.
-                 */
-                local_irq_save(flags);
-                kvm_load_gs(vmx->host_state.gs_sel);
 #ifdef CONFIG_X86_64
-                wrmsrl(MSR_GS_BASE, vmcs_readl(HOST_GS_BASE));
+                load_gs_index(vmx->host_state.gs_sel);
+                wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
+#else
+                loadsegment(gs, vmx->host_state.gs_sel);
 #endif
-                local_irq_restore(flags);
        }
        reload_tss();
 #ifdef CONFIG_X86_64
@@ -2589,8 +2583,8 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
        vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS);  /* 22.2.4 */
        vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS);  /* 22.2.4 */
        vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS);  /* 22.2.4 */
-        vmcs_write16(HOST_FS_SELECTOR, kvm_read_fs());    /* 22.2.4 */
+        vmcs_write16(HOST_FS_SELECTOR, 0);            /* 22.2.4 */
-        vmcs_write16(HOST_GS_SELECTOR, kvm_read_gs());    /* 22.2.4 */
+        vmcs_write16(HOST_GS_SELECTOR, 0);            /* 22.2.4 */
        vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS);  /* 22.2.4 */
 #ifdef CONFIG_X86_64
        rdmsrl(MSR_FS_BASE, a);
author	Avi Kivity <avi@redhat.com>	2010-10-19 10:46:55 -0400
committer	Marcelo Tosatti <mtosatti@redhat.com>	2010-10-19 12:21:45 -0400
commit	9581d442b9058d3699b4be568b6e5eae38a41493 (patch)
tree	76d1b596d873514fdb9b3bf75d6d7b3cbfada85d /arch/x86/kvm/vmx.c
parent	2b666ca4a68cbc22483b0f2e1ba3c0e59b01ae9e (diff)