Three security fixes.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAABAgAGBQJcXHSEAAoJEL/70l94x66DpJUH/Rl3uJGdezeL/BgDkABruIuv kJwjWUPjjVtcrz1UPjc8YENDG7g0tLDlFajRXXxMJh+MWMDi/YED27ev4fbGJEnZ ApApV0pWNLev+Y5QK4GRn4T9iW4HSuqlDW3gjj9PP0E/93lX8DCALQ+yD1sGsmmE yG+0rGOcWqlxD3pPhVESHmi/AGzsD82GDe2in8z/iET8ucxy1lmFlISEYbSxXNa/ o06C65The6sIn3IrqbP3aKEZ9mrpCe51pJm0YwJJpmg6UWcBiNuU+lbzg6qOthP7 1fmYy+j/BM+9cFEnFxp8gUW4LWTtlta5cDcDJhTXdaw8XFroac+T1z6ZGQd7838= =iKIE -----END PGP SIGNATURE----- Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Paolo Bonzini: "Three security fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
2019-02-07 15:53:26 -07:00 · 2019-02-07 15:53:26 -07:00 · e303a067ce
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@ -211,6 +211,7 @@ static void free_nested(struct kvm_vcpu *vcpu)
 	if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
 		return;

+	hrtimer_cancel(&vmx->nested.preemption_timer);
 	vmx->nested.vmxon = false;
 	vmx->nested.smm.vmxon = false;
 	free_vpid(vmx->nested.vpid02);
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
 {
 	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;

+	/*
+	 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+	 * is returned, but our callers are not ready for that and they blindly
+	 * call kvm_inject_page_fault.  Ensure that they at least do not leak
+	 * uninitialized kernel stack memory into cr2 and error code.
+	 */
+	memset(exception, 0, sizeof(*exception));
 	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
 					  exception);
 }
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
 	if (ops->init)
 		ops->init(dev);

+	kvm_get_kvm(kvm);
 	ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
 	if (ret < 0) {
+		kvm_put_kvm(kvm);
 		mutex_lock(&kvm->lock);
 		list_del(&dev->vm_node);
 		mutex_unlock(&kvm->lock);
@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
 		return ret;
 	}

-	kvm_get_kvm(kvm);
 	cd->fd = ret;
 	return 0;
 }