diff mbox series

[SRU,Trusty,1/1] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

Message ID 20180126165758.5977-2-kleber.souza@canonical.com
State New
Headers show
Series Fix for CVE-2017-1000407 | expand

Commit Message

Kleber Sacilotto de Souza Jan. 26, 2018, 4:57 p.m. UTC 
From: Andrew Honig <ahonig@google.com>

This fixes CVE-2017-1000407.

KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
the guest floods this port with writes it generates exceptions and
instability in the host kernel, leading to a crash.  With this change
guest writes to port 0x80 on Intel will behave the same as they
currently behave on AMD systems.

Prevent the flooding by removing the code that sets port 0x80 as a
passthrough port.  This is essentially the same as upstream patch
99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
for AMD chipsets and this patch is for Intel.

Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
Cc: <stable@vger.kernel.org>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

CVE-2017-1000407
(backported from commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 arch/x86/kvm/vmx.c | 5 -----
 1 file changed, 5 deletions(-)

Comments

Stefan Bader Feb. 2, 2018, 9:41 a.m. UTC | #1 
On 26.01.2018 17:57, Kleber Sacilotto de Souza wrote:
> From: Andrew Honig <ahonig@google.com>
> 
> This fixes CVE-2017-1000407.
> 
> KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
> the guest floods this port with writes it generates exceptions and
> instability in the host kernel, leading to a crash.  With this change
> guest writes to port 0x80 on Intel will behave the same as they
> currently behave on AMD systems.
> 
> Prevent the flooding by removing the code that sets port 0x80 as a
> passthrough port.  This is essentially the same as upstream patch
> 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
> for AMD chipsets and this patch is for Intel.
> 
> Signed-off-by: Andrew Honig <ahonig@google.com>
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
> 
> CVE-2017-1000407
> (backported from commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
> ---
>  arch/x86/kvm/vmx.c | 5 -----
>  1 file changed, 5 deletions(-)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 36af261a7dee..8454a201bd64 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -8719,12 +8719,7 @@ static int __init vmx_init(void)
>  	for (i = 0; i < max_shadow_read_only_fields; i++)
>  		clear_bit(shadow_read_only_fields[i], vmx_vmread_bitmap);
>  
> -	/*
> -	 * Allow direct access to the PC debug port (it is often used for I/O
> -	 * delays, but the vmexits simply slow things down).
> -	 */
>  	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
> -	clear_bit(0x80, vmx_io_bitmap_a);
>  
>  	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
>  
>
diff mbox series

Patch

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 36af261a7dee..8454a201bd64 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8719,12 +8719,7 @@  static int __init vmx_init(void)
 	for (i = 0; i < max_shadow_read_only_fields; i++)
 		clear_bit(shadow_read_only_fields[i], vmx_vmread_bitmap);
 
-	/*
-	 * Allow direct access to the PC debug port (it is often used for I/O
-	 * delays, but the vmexits simply slow things down).
-	 */
 	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
-	clear_bit(0x80, vmx_io_bitmap_a);
 
 	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);