From patchwork Fri Jan 26 16:57:58 2018
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Artful][PATCH 1/1] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
Date: Fri, 26 Jan 2018 17:57:58 +0100
Message-Id: <20180126165758.5977-3-kleber.souza@canonical.com>
In-Reply-To: <20180126165758.5977-1-kleber.souza@canonical.com>
X-Patchwork-Id: 866496
List-Id: Kernel team discussions
From: Andrew Honig

This fixes CVE-2017-1000407.

KVM allows guests to directly access I/O port 0x80 on Intel hosts. If the guest floods this port with writes it generates exceptions and instability in the host kernel, leading to a crash. With this change guest writes to port 0x80 on Intel will behave the same as they currently behave on AMD systems.

Prevent the flooding by removing the code that sets port 0x80 as a passthrough port. This is essentially the same as upstream patch 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was for AMD chipsets and this patch is for Intel.

Signed-off-by: Andrew Honig
Signed-off-by: Jim Mattson
Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
Cc:
Signed-off-by: Radim Krčmář

CVE-2017-1000407

(cherry picked from commit d59d51f088014f25c2562de59b9abff4f42a7468)
Signed-off-by: Kleber Sacilotto de Souza
---
 arch/x86/kvm/vmx.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index cb044cd17790..2a4bf9e267d8 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -6599,12 +6599,7 @@ static __init int hardware_setup(void) memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); - /* - * Allow direct access to the PC debug port (it is often used for I/O - * delays, but the vmexits simply slow things down). - */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); - clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
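Review bot: the comment this hunk deletes was the only record of why the bypass existed (guests use the PC debug port for I/O delays, and the extra vmexits slow them down), and the changelog describes the stability gain but not the cost it accepts, so the commit message should state that guests relying on writes to port 0x80 for timing will now take a VM exit per write, as they already do on AMD; that is the trade-off a stable maintainer reviewing this SRU needs to see. Note also that the "@@ -6599,12 +6599,7 @@" header announces 12 pre-image and 7 post-image lines while only 9 and 4 non-blank lines are visible here, so the trailing context after "memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);" was lost in this rendering; apply from the cherry-picked commit d59d51f088014f25c2562de59b9abff4f42a7468 rather than from this page. The change itself is internally consistent: with "clear_bit(0x80, vmx_io_bitmap_a);" gone, both bitmaps stay all-ones after the memsets and no port is left passed through, which is exactly what the description promises.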
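To make the mechanism in the commit message concrete, the following is an added example, written for this page and not part of the patch, of KVM, or of Andrew Honig's work. It models the VMX I/O bitmap lookup that decides whether a guest IN/OUT instruction exits to the hypervisor or reaches host hardware directly, builds the bitmap pair the way the pre-patch and patched hardware_setup() do, and audits which ports a given pair passes through. The split into bitmap A (ports 0x0000-0x7fff) and bitmap B (0x8000-0xffff), each one page with a set bit meaning "VM exit", follows the Intel SDM description of the "use I/O bitmaps" control; the struct, function and variable names are the example's own, and it treats every access as a single byte, ignoring multi-byte accesses that straddle two bitmap entries.

```c
/*
 * Added example (not KVM code): VMX I/O bitmap semantics and an audit of
 * passthrough ports, before and after the CVE-2017-1000407 fix.
 *
 * Intel SDM: with "use I/O bitmaps" enabled, bitmap A covers ports
 * 0x0000-0x7fff and bitmap B covers 0x8000-0xffff.  A set bit means the
 * guest's IN/OUT causes a VM exit; a clear bit means the instruction runs
 * against host hardware with no hypervisor involvement.
 *
 * Simplification: one byte per access.  Real accesses of 2 or 4 bytes exit
 * if any touched byte's bit is set.
 *
 * Build: cc -std=c99 -Wall io_bitmap_audit.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define IO_BITMAP_PORTS (PAGE_SIZE * 8)   /* 32768 ports per bitmap page */

struct io_bitmaps {
	uint8_t a[PAGE_SIZE];   /* ports 0x0000-0x7fff */
	uint8_t b[PAGE_SIZE];   /* ports 0x8000-0xffff */
};

/* Byte-array equivalents of the kernel's clear_bit()/test_bit() on x86 (little-endian). */
static void bitmap_clear_bit(uint8_t *bm, unsigned int nr)
{
	bm[nr / 8] &= (uint8_t)~(1u << (nr % 8));
}

static int bitmap_test_bit(const uint8_t *bm, unsigned int nr)
{
	return (bm[nr / 8] >> (nr % 8)) & 1;
}

/* 1 if a guest access to `port` exits to the hypervisor, 0 if it is passed through. */
int io_port_causes_vmexit(const struct io_bitmaps *bm, uint16_t port)
{
	if (port < IO_BITMAP_PORTS)
		return bitmap_test_bit(bm->a, port);
	return bitmap_test_bit(bm->b, port - IO_BITMAP_PORTS);
}

/* Mirrors the pre-patch hardware_setup(): everything intercepted except the PC debug port. */
void setup_bitmaps_before_fix(struct io_bitmaps *bm)
{
	memset(bm->a, 0xff, PAGE_SIZE);
	bitmap_clear_bit(bm->a, 0x80);   /* the removed clear_bit(0x80, vmx_io_bitmap_a) */
	memset(bm->b, 0xff, PAGE_SIZE);
}

/* Mirrors the patched hardware_setup(): every port intercepted. */
void setup_bitmaps_after_fix(struct io_bitmaps *bm)
{
	memset(bm->a, 0xff, PAGE_SIZE);
	memset(bm->b, 0xff, PAGE_SIZE);
}

/*
 * Audit: count every port whose bit is clear, i.e. every port a guest can
 * drive straight to host hardware, writing up to `max` of them into `out`.
 */
size_t list_passthrough_ports(const struct io_bitmaps *bm, uint16_t *out, size_t max)
{
	size_t n = 0;
	unsigned int port;

	for (port = 0; port <= 0xffff; port++) {
		if (io_port_causes_vmexit(bm, (uint16_t)port))
			continue;
		if (n < max)
			out[n] = (uint16_t)port;
		n++;
	}
	return n;
}

/* Convenience wrappers: evaluate one configuration without the caller holding the bitmaps. */
int port_exits_before_fix(uint16_t port)
{
	struct io_bitmaps bm;
	setup_bitmaps_before_fix(&bm);
	return io_port_causes_vmexit(&bm, port);
}

int port_exits_after_fix(uint16_t port)
{
	struct io_bitmaps bm;
	setup_bitmaps_after_fix(&bm);
	return io_port_causes_vmexit(&bm, port);
}

size_t passthrough_count(int fixed)
{
	struct io_bitmaps bm;
	if (fixed)
		setup_bitmaps_after_fix(&bm);
	else
		setup_bitmaps_before_fix(&bm);
	return list_passthrough_ports(&bm, NULL, 0);
}

int main(void)
{
	struct io_bitmaps bm;
	uint16_t ports[16];
	size_t n, i;

	setup_bitmaps_before_fix(&bm);
	n = list_passthrough_ports(&bm, ports, 16);
	printf("before fix: %zu passthrough port(s):", n);
	for (i = 0; i < n && i < 16; i++)
		printf(" 0x%02x", ports[i]);
	printf("\n");

	setup_bitmaps_after_fix(&bm);
	printf("after fix: %zu passthrough port(s)\n", list_passthrough_ports(&bm, ports, 16));
	return 0;
}
```

The audit loop is the part worth keeping around: run against a dumped bitmap pair from a VMCS, it lists every port a guest can reach without the hypervisor seeing the access, which is the whole attack surface this patch closes to zero.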