AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-02-10 08:45:08 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
7f9ad1dfa3
linux_dsm_epyc7002/arch
History
Liran Alon 7f9ad1dfa3 KVM: nVMX: Fix kernel info-leak when enabling KVM_CAP_HYPERV_ENLIGHTENED_VMCS more than once 
Consider the case that userspace enables KVM_CAP_HYPERV_ENLIGHTENED_VMCS twice:
1) kvm_vcpu_ioctl_enable_cap() is called to enable
KVM_CAP_HYPERV_ENLIGHTENED_VMCS which calls nested_enable_evmcs().
2) nested_enable_evmcs() sets enlightened_vmcs_enabled to true and fills
vmcs_version which is then copied to userspace.
3) kvm_vcpu_ioctl_enable_cap() is called again to enable
KVM_CAP_HYPERV_ENLIGHTENED_VMCS which calls nested_enable_evmcs().
4) This time nested_enable_evmcs() just returns 0 as
enlightened_vmcs_enabled is already true. *Without filling
vmcs_version*.
5) kvm_vcpu_ioctl_enable_cap() continues as usual and copies
*uninitialized* vmcs_version to userspace which leads to kernel info-leak.

Fix this issue by simply changing nested_enable_evmcs() to always fill
vmcs_version output argument. Even when enlightened_vmcs_enabled is
already set to true.

Note that SVM's nested_enable_evmcs() should not be modified because it
always returns a non-zero value (-ENODEV) which results in
kvm_vcpu_ioctl_enable_cap() skipping the copy of vmcs_version to
userspace (as it should).

Fixes: 57b119da35 ("KVM: nVMX: add KVM_CAP_HYPERV_ENLIGHTENED_VMCS capability")
Reported-by: syzbot+cfbc368e283d381f8cef@syzkaller.appspotmail.com
Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-27 12:49:46 +01:00
..
alpha TTY/Serial fixes for 4.20-rc2 2018-11-10 13:32:14 -06:00
arc mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
arm Merge branch 'spectre' of git://git.armlinux.org.uk/~rmk/linux-arm 2018-11-18 10:45:09 -08:00
arm64 efi/arm: Defer persistent reservations until after paging_init() 2018-11-15 10:04:46 +01:00
c6x c6x changes for 4.20 2018-10-31 15:39:25 -07:00
csky csky: dtb Kbuild fixup patches for linux-4.20-rc1 2018-11-01 09:04:30 -07:00
h8300 mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
hexagon mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
ia64 memblock: stop using implicit alignment to SMP_CACHE_BYTES 2018-10-31 08:54:16 -07:00
m68k s390 updates for 4.20-rc2 2018-11-09 06:30:44 -06:00
microblaze s390 updates for 4.20-rc2 2018-11-09 06:30:44 -06:00
mips MIPS: Fix `dma_alloc_coherent' returning a non-coherent allocation 2018-11-05 10:08:13 -08:00
nds32 s390 updates for 4.20-rc2 2018-11-09 06:30:44 -06:00
nios2 mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
openrisc mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
parisc Merge branch 'parisc-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux 2018-11-14 13:42:41 -06:00
powerpc PPC KVM fixes for 4.20 2018-11-25 18:56:32 +01:00
riscv RISC-V: Silence some module warnings on 32-bit 2018-11-12 18:12:24 -08:00
s390 s390 updates for 4.20-rc2 2018-11-09 06:30:44 -06:00
sh mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
sparc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc 2018-11-01 09:07:04 -07:00
um for-linus-20181109 2018-11-09 16:31:51 -06:00
unicore32 memblock: stop using implicit alignment to SMP_CACHE_BYTES 2018-10-31 08:54:16 -07:00
x86 KVM: nVMX: Fix kernel info-leak when enabling KVM_CAP_HYPERV_ENLIGHTENED_VMCS more than once 2018-11-27 12:49:46 +01:00
xtensa Xtensa fixes for v4.20-rc3 2018-11-16 10:10:27 -06:00
.gitignore
Kconfig New gcc plugin: stackleak 2018-11-01 11:46:27 -07:00