This is CVE-2017-8106.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8106

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1678676

Title:
  linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in
  handle_invept()

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  Triaged

Bug description:
  KVM in linux 3.11 - 3.14 (including ubuntu 14.04 linux <= 3.13.0-113.160) has a
  flaw in INVEPT emulation that could crash the host.

  [ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
  [ 1046.387386] IP: [<ffffffffa05b3ca3>] handle_invept+0x123/0x170 [kvm_intel]
  [ 1046.389577] PGD 0 
  [ 1046.390273] Oops: 0000 [#1] SMP 

  (tested with Ubuntu 14.04 linux-image-3.13.0-113-generic)

  The host KVM touches NULL pointer (vmx->nested.current_vmcs12) when a
  (crafted or buggy) guest issues a single-context INVEPT instruction
  *without* VMPTRLD like this:

        kvm_cpu_vmxon(phys_addr);
        ept_sync_context(0);

  (requires nested EPT; full linux kernel module code attached)

  This code was introduced in upstream commit bfd0a56b90005f8c8a004baf407ad90045c2b11e
  (nEPT: Nested INVEPT) and removed in 4b855078601fc422dbac3059f2215e776f49780f
  (KVM: nVMX: Don't advertise single context invalidation for invept).
  Therefore there should be two ways to fix this.

  a. pullup bfd0a56b90005f (and 45e11817d5703e)
  b. check current_vmcs12 before accessing for minimal fix:

  diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
  index d9e567f..d785e9c 100644
  --- a/arch/x86/kvm/vmx.c
  +++ b/arch/x86/kvm/vmx.c
  @@ -6391,6 +6391,8 @@ static int handle_invept(struct kvm_vcpu *vcpu)
   
        switch (type) {
        case VMX_EPT_EXTENT_CONTEXT:
  +             if (to_vmx(vcpu)->nested.current_vmptr == -1ull)
  +                     break;
                if ((operand.eptp & eptp_mask) !=
                                (nested_ept_get_cr3(vcpu) & eptp_mask))
                        break;
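Review bot: the added guard tests `nested.current_vmptr == -1ull`, but the crash described above is a NULL dereference of `nested.current_vmcs12`; the check is only sufficient if both fields are always updated together whenever the current VMCS changes, so a one-line comment stating that invariant would help the next reader. Also, the new `break` follows the existing EPTP-mismatch path and leaves the switch, so whatever follows the switch (not shown in the hunk) runs as though the single-context invalidation completed; confirm that is the intended result reported back to the guest.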
