
[SRU,Artful,1/1] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

Message ID 20180126165758.5977-3-kleber.souza@canonical.com
State New
Series [SRU,Artful,1/1] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

Commit Message

Kleber Sacilotto de Souza Jan. 26, 2018, 4:57 p.m. UTC
From: Andrew Honig <ahonig@google.com>

This fixes CVE-2017-1000407.

KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
the guest floods this port with writes it generates exceptions and
instability in the host kernel, leading to a crash.  With this change
guest writes to port 0x80 on Intel will behave the same as they
currently behave on AMD systems.

Prevent the flooding by removing the code that sets port 0x80 as a
passthrough port.  This is essentially the same as upstream patch
99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
for AMD chipsets and this patch is for Intel.

Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
Cc: <stable@vger.kernel.org>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

CVE-2017-1000407
(cherry picked from commit d59d51f088014f25c2562de59b9abff4f42a7468)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 arch/x86/kvm/vmx.c | 5 -----
 1 file changed, 5 deletions(-)

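An added stand-alone model (not KVM code and not part of this patch) of the two VMX I/O bitmaps that hardware_setup() fills: bitmap A covers ports 0x0000-0x7FFF, bitmap B covers 0x8000-0xFFFF, and a set bit means the guest's IN/OUT on that port VM-exits. The array and function names are my own; only the 0xff fill and the cleared bit 0x80 mirror the hunk, and the audit helper shows what the removed clear_bit() left open.

```c
/* Added model (not KVM code): the two VMX I/O bitmaps that hardware_setup()
 * programs. Bitmap A covers ports 0x0000-0x7FFF and bitmap B 0x8000-0xFFFF,
 * one bit per port; a set bit makes a guest IN/OUT on that port VM-exit, a
 * clear bit lets it reach host hardware unmediated. Names are my own. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096
#define BITS_PER_BYTE 8

static uint8_t io_bitmap_a[PAGE_SIZE]; /* ports 0x0000-0x7FFF */
static uint8_t io_bitmap_b[PAGE_SIZE]; /* ports 0x8000-0xFFFF */

/* Little-endian bit clear, as the kernel's clear_bit() does on x86. */
static void bitmap_clear_bit(unsigned int nr, uint8_t *map)
{
	map[nr / BITS_PER_BYTE] &= (uint8_t)~(1u << (nr % BITS_PER_BYTE));
}

/* Fill both bitmaps the way the patched hardware_setup() does (every port
 * traps). With passthrough_port_80 set, also clear bit 0x80 in bitmap A,
 * which is the clear_bit(0x80, vmx_io_bitmap_a) call the hunk removes. */
void setup_io_bitmaps(bool passthrough_port_80)
{
	memset(io_bitmap_a, 0xff, PAGE_SIZE);
	if (passthrough_port_80)
		bitmap_clear_bit(0x80, io_bitmap_a);
	memset(io_bitmap_b, 0xff, PAGE_SIZE);
}

/* True if a guest IN/OUT on this 16-bit port would cause a VM exit. */
bool port_causes_vmexit(uint16_t port)
{
	const uint8_t *map = port < 0x8000 ? io_bitmap_a : io_bitmap_b;
	unsigned int nr = port & 0x7fff;
	return (map[nr / BITS_PER_BYTE] >> (nr % BITS_PER_BYTE)) & 1u;
}

/* Audit helper: lowest port the guest could hit without a VM exit, or -1
 * when every port traps (the state the patch establishes). */
int first_passthrough_port(void)
{
	for (unsigned int port = 0; port <= 0xffff; port++)
		if (!port_causes_vmexit((uint16_t)port))
			return (int)port;
	return -1;
}
```
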
Comments

Kleber Sacilotto de Souza Feb. 5, 2018, 10:17 a.m. UTC | #1
Hi Khaled,

On 01/26/18 17:57, Kleber Sacilotto de Souza wrote:
> From: Andrew Honig <ahonig@google.com>
> 
> This fixes CVE-2017-1000407.

I noticed that the above line has been removed from the commit pushed to
the artful tree. This line comes from the mainline commit and we tend not to
remove anything from the original commit message when applying it to our
trees, that's why I had the line with the CVE number below the original
provenance block. If you used our maint-modify-patch tool to add the CVE
number, it always adds it to the first line of the commit message, so in
that case it would be OK to keep both lines at the top.

Thanks,
Kleber

> 
> KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
> the guest floods this port with writes it generates exceptions and
> instability in the host kernel, leading to a crash.  With this change
> guest writes to port 0x80 on Intel will behave the same as they
> currently behave on AMD systems.
> 
> Prevent the flooding by removing the code that sets port 0x80 as a
> passthrough port.  This is essentially the same as upstream patch
> 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
> for AMD chipsets and this patch is for Intel.
> 
> Signed-off-by: Andrew Honig <ahonig@google.com>
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
> 
> CVE-2017-1000407
> (cherry picked from commit d59d51f088014f25c2562de59b9abff4f42a7468)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
> ---
>  arch/x86/kvm/vmx.c | 5 -----
>  1 file changed, 5 deletions(-)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index cb044cd17790..2a4bf9e267d8 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -6599,12 +6599,7 @@ static __init int hardware_setup(void)
>  	memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
>  	memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
>  
> -	/*
> -	 * Allow direct access to the PC debug port (it is often used for I/O
> -	 * delays, but the vmexits simply slow things down).
> -	 */
>  	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
> -	clear_bit(0x80, vmx_io_bitmap_a);
>  
>  	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
>  
>
Khalid Elmously Feb. 5, 2018, 3:49 p.m. UTC | #2
On 2018-02-05 11:17:52, Kleber Souza wrote:
> Hi Khaled,
> 
> On 01/26/18 17:57, Kleber Sacilotto de Souza wrote:
> > From: Andrew Honig <ahonig@google.com>
> > 
> > This fixes CVE-2017-1000407.
> 
> I noticed that the above line has been removed from the commit pushed to
> the artful tree. This line comes from the mainline commit and we tend not to
> remove anything from the original commit message when applying it to our
> trees, that's why I had the line with the CVE number below the original
> provenance block. If you used our maint-modify-patch tool to add the CVE
> number, it always adds it to the first line of the commit message, so in
> that case it would be OK to keep both lines at the top.
> 
> Thanks,
> Kleber

I see.  I thought the line "This fixes CVE-..." was added by you so I was trying to keep the format consistent. I will fix it.

Thanks
-Khaled

> 
> > 
> > KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
> > the guest floods this port with writes it generates exceptions and
> > instability in the host kernel, leading to a crash.  With this change
> > guest writes to port 0x80 on Intel will behave the same as they
> > currently behave on AMD systems.
> > 
> > Prevent the flooding by removing the code that sets port 0x80 as a
> > passthrough port.  This is essentially the same as upstream patch
> > 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
> > for AMD chipsets and this patch is for Intel.
> > 
> > Signed-off-by: Andrew Honig <ahonig@google.com>
> > Signed-off-by: Jim Mattson <jmattson@google.com>
> > Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
> > 
> > CVE-2017-1000407
> > (cherry picked from commit d59d51f088014f25c2562de59b9abff4f42a7468)
> > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
> > ---
> >  arch/x86/kvm/vmx.c | 5 -----
> >  1 file changed, 5 deletions(-)
> > 
> > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> > index cb044cd17790..2a4bf9e267d8 100644
> > --- a/arch/x86/kvm/vmx.c
> > +++ b/arch/x86/kvm/vmx.c
> > @@ -6599,12 +6599,7 @@ static __init int hardware_setup(void)
> >  	memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
> >  	memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
> >  
> > -	/*
> > -	 * Allow direct access to the PC debug port (it is often used for I/O
> > -	 * delays, but the vmexits simply slow things down).
> > -	 */
> >  	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
> > -	clear_bit(0x80, vmx_io_bitmap_a);
> >  
> >  	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
> >  
> >

Patch

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index cb044cd17790..2a4bf9e267d8 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6599,12 +6599,7 @@  static __init int hardware_setup(void)
 	memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
 	memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
 
-	/*
-	 * Allow direct access to the PC debug port (it is often used for I/O
-	 * delays, but the vmexits simply slow things down).
-	 */
 	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
-	clear_bit(0x80, vmx_io_bitmap_a);
 
 	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
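Review bot: the only rationale for why port 0x80 was ever exempted, and the acknowledgement of its cost ("the vmexits simply slow things down"), now lives solely in the deleted comment block above `memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);`; after this hunk bitmap A is all ones and port 0x80 traps like every other port below 0x8000, so guests that use `outb` to 0x80 as an I/O delay will take a VM exit per write. Suggest carrying that trade-off into the commit message in one sentence (the message currently only says the behaviour "will behave the same as on AMD"), so the performance change is documented where the history will be read rather than in removed lines.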