Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
"Three security fixes"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)
KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)

+10 -1
+1
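--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -211,6 +211,7 @@
 	if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
 		return;
 
+	hrtimer_cancel(&vmx->nested.preemption_timer);
 	vmx->nested.vmxon = false;
 	vmx->nested.smm.vmxon = false;
 	free_vpid(vmx->nested.vpid02);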
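Review bot: The new hrtimer_cancel() call has no comment saying why it has to run unconditionally, even though the early return two lines above already skips the case where neither vmxon flag is set. A short why-comment would help the next reader, e.g. `/* The timer may still be armed whichever vmxon path set it up; stop it before the nested state below is torn down. */`. Whether an armed timer could otherwise fire against freed state is not visible in this hunk, so the wording should be confirmed against the timer callback before it is committed. free_nested's signature and the rest of its body are outside the hunk.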
+7
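--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5116,6 +5116,13 @@
 {
 	u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
 
+	/*
+	 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+	 * is returned, but our callers are not ready for that and they blindly
+	 * call kvm_inject_page_fault. Ensure that they at least do not leak
+	 * uninitialized kernel stack memory into cr2 and error code.
+	 */
+	memset(exception, 0, sizeof(*exception));
 	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
 				       exception);
 }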
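Review bot: The memset protects only callers of this one wrapper; kvm_read_guest_virt_helper still receives `exception` untouched from any other caller that hands it a stack-allocated struct, if such callers exist. Clearing the struct inside kvm_read_guest_virt_helper, or at the point that produces X86EMUL_IO_NEEDED as the FIXME itself suggests, would cover every path instead of this single entry point. The memset also dereferences `exception` unconditionally, so it is worth stating in the comment that callers never pass NULL here, or guarding it if that is not guaranteed. The enclosing function's signature is outside the hunk.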
+2 -1
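--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3000,8 +3000,10 @@
 	if (ops->init)
 		ops->init(dev);
 
+	kvm_get_kvm(kvm);
 	ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
 	if (ret < 0) {
+		kvm_put_kvm(kvm);
 		mutex_lock(&kvm->lock);
 		list_del(&dev->vm_node);
 		mutex_unlock(&kvm->lock);
@@ -3011,7 +3009,6 @@
 		return ret;
 	}
 
-	kvm_get_kvm(kvm);
 	cd->fd = ret;
 	return 0;
 }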
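Review bot: On the error path the added `kvm_put_kvm(kvm);` drops the reference taken just before anon_inode_getfd() and the next three lines then take and release `kvm->lock`; that ordering is safe only if the caller still holds its own reference to the VM, which is presumably true for an ioctl on the VM fd but is not visible here. Moving the put to after `mutex_unlock(&kvm->lock);`, once the cleanup has finished touching kvm, would make the get/put pair bracket every use of the object and remove the dependence on that assumption. The second hunk is the matching removal of the old late get on the success path and needs nothing further. kvm_ioctl_create_device's signature is outside the first hunk.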