KVM: x86: work around leak of uninitialized stack contents

Emulation of VMPTRST can incorrectly inject a page fault
when passed an operand that points to an MMIO address.
The page fault will use uninitialized kernel stack memory
as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just ensure
that the error code and CR2 are zero.

Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
Cc: stable@vger.kernel.org
[add comment]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

authored by Fuqian Huang and committed by Paolo Bonzini 541ab2ae f7eea636
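The pattern the commit message describes, reduced to a self-contained illustration in C (added here; this is not KVM's code, and every name in it, guest_exception, vcpu_state, write_guest_before/after, vmptrst_blind/checked and the three guest addresses, is a hypothetical stand-in for the corresponding KVM structures and functions). The "before" helper fills its exception out-parameter only on the page-fault path and returns IO_NEEDED for MMIO without touching it; the "after" helper adds the patch's memset. The blind caller shows the shape the FIXME warns about, the checked caller what the commit says the right behaviour would be:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for KVM's X86EMUL_* result codes. */
enum emul_result { EMUL_CONTINUE, EMUL_PROPAGATE_FAULT, EMUL_IO_NEEDED };

/* Stand-in for struct x86_exception: address becomes CR2 and error_code
 * the #PF error code when a caller injects it. */
struct guest_exception {
    uint16_t error_code;
    uint64_t address;
};

/* Stand-in for the vCPU state a page-fault injection writes. */
struct vcpu_state {
    bool     fault_pending;
    uint64_t cr2;
    uint16_t pf_error_code;
    bool     internal_error;  /* models a KVM_EXIT_INTERNAL_ERROR to userspace */
};

#define PAGE_SHIFT   12
#define PF_WRITE     0x2
#define RAM_GVA      0x0000000000010000ULL  /* constructed: ordinary guest page */
#define UNMAPPED_GVA 0x0000000000020000ULL  /* constructed: not present, #PF */
#define MMIO_GVA     0x00000000fee00000ULL  /* constructed: device memory, IO_NEEDED */

static uint8_t guest_ram[1 << PAGE_SHIFT];

/* Before the patch (models kvm_write_guest_virt_helper): *exc is filled only
 * on the #PF path; the MMIO path returns IO_NEEDED and never touches it. */
static enum emul_result write_guest_before(uint64_t gva, const void *val,
                                           size_t bytes, struct guest_exception *exc)
{
    if ((gva >> PAGE_SHIFT) == (UNMAPPED_GVA >> PAGE_SHIFT)) {
        exc->error_code = PF_WRITE;
        exc->address = gva;
        return EMUL_PROPAGATE_FAULT;
    }
    if ((gva >> PAGE_SHIFT) == (MMIO_GVA >> PAGE_SHIFT))
        return EMUL_IO_NEEDED;  /* *exc deliberately left alone */
    memcpy(guest_ram + (gva & ((1u << PAGE_SHIFT) - 1)), val, bytes);
    return EMUL_CONTINUE;
}

/* After the patch: zero *exc first, so a caller that ignores IO_NEEDED
 * injects a #PF with CR2 = 0 and error code = 0 instead of stack garbage. */
static enum emul_result write_guest_after(uint64_t gva, const void *val,
                                          size_t bytes, struct guest_exception *exc)
{
    memset(exc, 0, sizeof(*exc));
    return write_guest_before(gva, val, bytes, exc);
}

typedef enum emul_result (*write_fn)(uint64_t, const void *, size_t, struct guest_exception *);

static void inject_pf(struct vcpu_state *v, const struct guest_exception *exc)
{
    v->fault_pending = true;
    v->cr2 = exc->address;
    v->pf_error_code = exc->error_code;
}

/* The caller shape the FIXME describes: every non-CONTINUE result is treated
 * as a page fault and *exc is injected unchecked. On MMIO_GVA this is only
 * safe with write_guest_after; with write_guest_before it reads uninitialized
 * stack memory, which is the bug. */
static void vmptrst_blind(struct vcpu_state *v, uint64_t gva, write_fn write)
{
    uint64_t vmptr = 0x12345000ULL;  /* constructed current-VMCS pointer */
    struct guest_exception exc;      /* uninitialized, exactly as in the bug */

    if (write(gva, &vmptr, sizeof(vmptr), &exc) != EMUL_CONTINUE)
        inject_pf(v, &exc);
}

/* What the commit calls the right behaviour: inject only when the helper
 * actually raised a fault, and report IO_NEEDED to userspace instead. */
static void vmptrst_checked(struct vcpu_state *v, uint64_t gva, write_fn write)
{
    uint64_t vmptr = 0x12345000ULL;
    struct guest_exception exc;

    switch (write(gva, &vmptr, sizeof(vmptr), &exc)) {
    case EMUL_CONTINUE:
        break;
    case EMUL_PROPAGATE_FAULT:
        inject_pf(v, &exc);  /* exc was filled by the helper on this path */
        break;
    case EMUL_IO_NEEDED:
        v->internal_error = true;
        break;
    }
}
```

Calling vmptrst_blind on MMIO_GVA with write_guest_after yields a pending #PF with CR2 and error code both zero, which is exactly what the patch guarantees and no more; vmptrst_checked on the same address sets internal_error and injects nothing, which is the behaviour the commit message says is correct but defers. Note that vmptrst_blind with write_guest_before on MMIO_GVA is deliberately never exercised: that combination is the undefined read, and a sanitizer run (for example MSan) is the right way to see it, not a normal execution.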

Changed files (+7): arch/x86/kvm/x86.c
··· 5312 5312 /* kvm_write_guest_virt_system can pull in tons of pages. */ 5313 5313 vcpu->arch.l1tf_flush_l1d = true; 5314 5314 5315 + /* 5316 + * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED 5317 + * is returned, but our callers are not ready for that and they blindly 5318 + * call kvm_inject_page_fault. Ensure that they at least do not leak 5319 + * uninitialized kernel stack memory into cr2 and error code. 5320 + */ 5321 + memset(exception, 0, sizeof(*exception)); 5315 5322 return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, 5316 5323 PFERR_WRITE_MASK, exception); 5317 5324 }
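Review bot: the memset in kvm_write_guest_virt_system stops the uninitialized read but does not change what the callers do with the X86EMUL_IO_NEEDED result: they still call kvm_inject_page_fault, so the guest now receives a page fault at CR2 0 with error code 0 instead of one built from stack garbage. That is the workaround the FIXME admits to, but the comment should state the concrete fix the commit message names, namely a KVM_EXIT_INTERNAL_ERROR exit via handle_emulation_failure when the return value is X86EMUL_IO_NEEDED, so the next person to touch this knows which return code to check for. Also worth confirming before merge: the zeroing is added only on the write path visible in this hunk; any read-side helper with the same "fill the exception only on the #PF path" behaviour and the same blind callers would need the same memset, or it leaks the same way.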