rpms/kernel/F-10 kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch, NONE, 1.1.2.1 kernel.spec, 1.1206.2.92, 1.1206.2.93

Chuck Ebbert cebbert at fedoraproject.org
Sat Sep 26 16:20:46 UTC 2009


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv570

Modified Files:
      Tag: private-fedora-10-2_6_27
	kernel.spec 
Added Files:
      Tag: private-fedora-10-2_6_27
	kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch 
Log Message:
Backport "KVM: x86: Disallow hypercalls for guest callers in rings > 0"

kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch:
 arch/x86/kvm/x86.c       |    6 ++++++
 include/linux/kvm_para.h |    1 +
 2 files changed, 7 insertions(+)

--- NEW FILE kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch ---
>From 07708c4af1346ab1521b26a202f438366b7bcffd Mon Sep 17 00:00:00 2001
From: Jan Kiszka <jan.kiszka at siemens.com>
Date: Mon, 3 Aug 2009 18:43:28 +0200
Subject: KVM: x86: Disallow hypercalls for guest callers in rings > 0

From: Jan Kiszka <jan.kiszka at siemens.com>

[ backport to 2.6.27 by <cebbert at redhat.com> ]

commit 07708c4af1346ab1521b26a202f438366b7bcffd upstream.

So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
hypercalls. Normally, such callers cannot provide any hand-crafted MMU
command structure as it has to be passed by its physical address, but
they can still crash the guest kernel by passing random addresses.

To close the hole, this patch considers hypercalls valid only if issued
from guest ring 0. This may still be relaxed on a per-hypercall base in
the future once required.

Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
Signed-off-by: Avi Kivity <avi at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 arch/x86/kvm/x86.c       |    6 ++++++
 include/linux/kvm_para.h |    1 +
 2 files changed, 7 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2576,6 +2576,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
 		a3 &= 0xFFFFFFFF;
 	}
 
+	if (kvm_x86_ops->get_cpl(vcpu) != 0) {
+		ret = -KVM_EPERM;
+		goto out;
+	}
+
 	switch (nr) {
 	case KVM_HC_VAPIC_POLL_IRQ:
 		ret = 0;
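Review bot: the CPL gate sits after the 32-bit argument masking but before `switch (nr)`, so every hypercall number, including any added later, is refused for CPL != 0 before a handler ever sees its arguments; that is the safe default, and the commit message already notes that any per-hypercall relaxation would have to be added explicitly. Worth a one-line comment next to the check, since `ret = -KVM_EPERM` is a new guest-visible return value in RAX and the reason for refusing here (hypercalls are only valid from guest ring 0) will not be obvious when this code is revisited.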
@@ -2587,6 +2592,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
 		ret = -KVM_ENOSYS;
 		break;
 	}
+out:
 	vcpu->arch.regs[VCPU_REGS_RAX] = ret;
 	kvm_x86_ops->decache_regs(vcpu);
 	++vcpu->stat.hypercalls;
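Review bot: with `out:` placed before the RAX write-back, a rejected call still stores -KVM_EPERM in RAX, runs `decache_regs` and increments `vcpu->stat.hypercalls`, so ring > 0 attempts are counted together with legitimate calls and the host keeps no record that the gate fired. If it matters to notice a guest repeatedly hitting this path, a separate stat or a trace point on the EPERM branch would make that visible; as written, the rejected calls are indistinguishable from successful ones in the statistics.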
--- a/include/linux/kvm_para.h
+++ b/include/linux/kvm_para.h
@@ -13,6 +13,7 @@
 #define KVM_ENOSYS		1000
 #define KVM_EFAULT		EFAULT
 #define KVM_E2BIG		E2BIG
+#define KVM_EPERM		EPERM
 
 #define KVM_HC_VAPIC_POLL_IRQ		1
 #define KVM_HC_MMU_OP			2
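Review bot: `KVM_EPERM` follows the existing `KVM_EFAULT` and `KVM_E2BIG` pattern of aliasing the errno value rather than a private number like `KVM_ENOSYS 1000`, so a guest that already maps these codes will see a plain -EPERM in RAX. Since this header is shared with guest code, the new return code should be listed wherever the other KVM_E* hypercall return values are documented for guest users, otherwise callers will treat it as an unknown error.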


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1206.2.92
retrieving revision 1.1206.2.93
diff -u -p -r1.1206.2.92 -r1.1206.2.93
--- kernel.spec	24 Sep 2009 20:02:57 -0000	1.1206.2.92
+++ kernel.spec	26 Sep 2009 16:20:45 -0000	1.1206.2.93
@@ -783,6 +783,9 @@ Patch15000: linux-2.6-ppc64-vs-broadcom.
 Patch15001: linux-2.6-ppc64-vs-broadcom-lmb-no-init-1.patch
 Patch15002: linux-2.6-ppc64-vs-broadcom-lmb-no-init-2.patch
 
+# kvm hypercall must be from cpl0 on guest
+Patch15100: kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
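Review bot: Patch15100 is declared inside the same conditional block as the ppc64-vs-broadcom patches and closed by the `%endif` two lines below; confirm that the enclosing `%if` is the general patch block and not an arch-specific one, otherwise the KVM fix would only be declared on that arch. The `# kvm hypercall must be from cpl0 on guest` comment is helpful; the same comment is repeated at the ApplyPatch site, which is consistent with how the neighbouring patches are handled.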
@@ -1415,6 +1418,9 @@ ApplyPatch linux-2.6-ppc64-vs-broadcom.p
 ApplyPatch linux-2.6-ppc64-vs-broadcom-lmb-no-init-1.patch
 ApplyPatch linux-2.6-ppc64-vs-broadcom-lmb-no-init-2.patch
 
+# kvm hypercall must be from cpl0 on guest
+ApplyPatch kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1990,6 +1996,9 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Sat Sep 26 2009  Chuck Ebbert <cebbert at redhat.com>  2.6.27.35-170.2.93
+- Backport "KVM: x86: Disallow hypercalls for guest callers in rings > 0"
+
 * Thu Sep 24 2009  Chuck Ebbert <cebbert at redhat.com>  2.6.27.35-170.2.92
 - Linux 2.6.27.35
 - Drop merged patches:
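Review bot: the changelog entry names the backported fix by subject only; adding the upstream commit id 07708c4af1346ab1521b26a202f438366b7bcffd (it is already in the patch header) would let anyone auditing the F-10 kernel match this entry to the upstream change without opening the patch file.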

More information about the fedora-extras-commits mailing list