path: root/lib/debugobjects.c
author: Paolo Bonzini <pbonzini@redhat.com> 2017-01-12 15:02:32 +0100
committer: Moyster <oysterized@gmail.com> 2017-06-17 15:45:30 +0200
commit: 3b06d33775a7a2317b286bcde3eb264be053abc3 (patch)
tree: 507c14837d479d33ad311bf696fcfa118ab9d0a0 /lib/debugobjects.c
parent: 1670aaa14e9446607b0afd1c5bc3d1c7941676a2 (diff)
KVM: x86: fix emulation of "MOV SS, null selector"
commit 33ab91103b3415e12457e3104f0e4517ce12d0f3 upstream.

This is CVE-2017-2583. On Intel this causes a failed vmentry because SS's type is neither 3 nor 7 (even though the manual says this check is only done for usable SS, and the dmesg splat says that SS is unusable!). On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.

The fix fabricates a data segment descriptor when SS is set to a null selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb. Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3; this in turn ensures CPL < 3 because RPL must be equal to CPL.

Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing the bug and deciphering the manuals.

[js] backport to 3.12

Reported-by: Xiaohan Zhang <zhangxiaohan1@huawei.com>
Fixes: 79d5b4c3cd809c770d4bf9812635647016c56011
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Diffstat (limited to 'lib/debugobjects.c')
0 files changed, 0 insertions, 0 deletions