rpms/kernel/F-11 kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch, NONE, 1.1 kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch, NONE, 1.1 kvm-vmx-check-cpl-before-emulating-debug-register-access.patch, NONE, 1.1 kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch, NONE, 1.1 kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch, NONE, 1.1 kernel.spec, 1.1743, 1.1744

Chuck Ebbert cebbert at fedoraproject.org
Sat Sep 26 17:49:02 UTC 2009


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27947

Modified Files:
	kernel.spec 
Added Files:
	kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch 
	kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch 
	kvm-vmx-check-cpl-before-emulating-debug-register-access.patch 
	kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch 
	kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch 
Log Message:
KVM fixes from 2.6.31.1, including fix for CVE-2009-3290

kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch:
 kvmclock.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch ---
>From a20316d2aa41a8f4fd171648bad8f044f6060826 Mon Sep 17 00:00:00 2001
From: Glauber Costa <glommer at redhat.com>
Date: Mon, 31 Aug 2009 03:04:31 -0400
Subject: KVM guest: fix bogus wallclock physical address calculation

From: Glauber Costa <glommer at redhat.com>

commit a20316d2aa41a8f4fd171648bad8f044f6060826 upstream.

The use of __pa() to calculate the address of a C-visible symbol
is wrong, and can lead to unpredictable results. See arch/x86/include/asm/page.h
for details.

It should be replaced with __pa_symbol(), that does the correct math here,
by taking relocations into account.  This ensures the correct wallclock data
structure physical address is passed to the hypervisor.

Signed-off-by: Glauber Costa <glommer at redhat.com>
Signed-off-by: Avi Kivity <avi at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 arch/x86/kernel/kvmclock.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/kvmclock.c
+++ b/arch/x86/kernel/kvmclock.c
@@ -50,8 +50,8 @@ static unsigned long kvm_get_wallclock(v
 	struct timespec ts;
 	int low, high;
 
-	low = (int)__pa(&wall_clock);
-	high = ((u64)__pa(&wall_clock) >> 32);
+	low = (int)__pa_symbol(&wall_clock);
+	high = ((u64)__pa_symbol(&wall_clock) >> 32);
 	native_write_msr(MSR_KVM_WALL_CLOCK, low, high);
 
 	vcpu_time = &get_cpu_var(hv_clock);
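Review bot: the two replaced lines are the only physical-address computations touched, so it is worth confirming no other `__pa(&symbol)` use remains in kvmclock.c before merging; the value computed here is handed to the hypervisor through `MSR_KVM_WALL_CLOCK`, and the hypervisor writes the wallclock structure to whatever guest-physical address it receives, so the old `__pa(&wall_clock)` could have that write land on unrelated guest memory. Splitting the address with the `(int)` cast for the low half and `>> 32` for the high half is correct for the two-register MSR write.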

kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch:
 mmu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- NEW FILE kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch ---
>From 3b80fffe2b31fb716d3ebe729c54464ee7856723 Mon Sep 17 00:00:00 2001
From: Izik Eidus <ieidus at redhat.com>
Date: Tue, 28 Jul 2009 15:26:58 -0300
Subject: KVM: MMU: make __kvm_mmu_free_some_pages handle empty list

From: Izik Eidus <ieidus at redhat.com>

commit 3b80fffe2b31fb716d3ebe729c54464ee7856723 upstream.

First check if the list is empty before attempting to look at list
entries.

Signed-off-by: Izik Eidus <ieidus at redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
Signed-off-by: Avi Kivity <avi at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 arch/x86/kvm/mmu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -2612,7 +2612,8 @@ EXPORT_SYMBOL_GPL(kvm_mmu_unprotect_page
 
 void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
 {
-	while (vcpu->kvm->arch.n_free_mmu_pages < KVM_REFILL_PAGES) {
+	while (vcpu->kvm->arch.n_free_mmu_pages < KVM_REFILL_PAGES &&
+	       !list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
 		struct kvm_mmu_page *sp;
 
 		sp = container_of(vcpu->kvm->arch.active_mmu_pages.prev,
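Review bot: the added `!list_empty(&vcpu->kvm->arch.active_mmu_pages)` condition is required because the loop body immediately does `container_of(vcpu->kvm->arch.active_mmu_pages.prev, ...)`; on an empty list `.prev` points back at the list head, so `sp` would be a bogus `struct kvm_mmu_page` pointer computed from the `kvm_arch` structure itself. Note that when the list is empty while `n_free_mmu_pages` is still below `KVM_REFILL_PAGES`, the function now returns without refilling; that is the correct outcome since there is nothing to zap, but callers should not assume the free count was raised.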

kvm-vmx-check-cpl-before-emulating-debug-register-access.patch:
 include/asm/kvm_host.h |    1 +
 kvm/vmx.c              |    2 ++
 kvm/x86.c              |   13 +++++++++++++
 3 files changed, 16 insertions(+)

--- NEW FILE kvm-vmx-check-cpl-before-emulating-debug-register-access.patch ---
>From 0a79b009525b160081d75cef5dbf45817956acf2 Mon Sep 17 00:00:00 2001
From: Avi Kivity <avi at redhat.com>
Date: Tue, 1 Sep 2009 12:03:25 +0300
Subject: KVM: VMX: Check cpl before emulating debug register access

From: Avi Kivity <avi at redhat.com>

commit 0a79b009525b160081d75cef5dbf45817956acf2 upstream.

Debug registers may only be accessed from cpl 0.  Unfortunately, vmx will
emulate the instruction even though it was issued from guest
userspace, possibly leading to an unexpected trap later.

Signed-off-by: Avi Kivity <avi at redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 arch/x86/include/asm/kvm_host.h |    1 +
 arch/x86/kvm/vmx.c              |    2 ++
 arch/x86/kvm/x86.c              |   13 +++++++++++++
 3 files changed, 16 insertions(+)

--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -620,6 +620,7 @@ void kvm_queue_exception(struct kvm_vcpu
 void kvm_queue_exception_e(struct kvm_vcpu *vcpu, unsigned nr, u32 error_code);
 void kvm_inject_page_fault(struct kvm_vcpu *vcpu, unsigned long cr2,
 			   u32 error_code);
+bool kvm_require_cpl(struct kvm_vcpu *vcpu, int required_cpl);
 
 int kvm_pic_set_irq(void *opaque, int irq, int level);
 
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2865,6 +2865,8 @@ static int handle_dr(struct kvm_vcpu *vc
 	unsigned long val;
 	int dr, reg;
 
+	if (!kvm_require_cpl(vcpu, 0))
+		return 1;
 	dr = vmcs_readl(GUEST_DR7);
 	if (dr & DR7_GD) {
 		/*
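Review bot: the `kvm_require_cpl(vcpu, 0)` test is placed before the `vmcs_readl(GUEST_DR7)` / `DR7_GD` check, which is the right order: a debug-register access from guest user mode now gets a #GP queued and `return 1` resumes the guest to deliver it, instead of the handler continuing into the general-detect path and emulating the access. Returning 1 rather than 0 is correct here because the exit is fully handled in the kernel and must not be bounced to userspace.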
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -217,6 +217,19 @@ static void __queue_exception(struct kvm
 }
 
 /*
+ * Checks if cpl <= required_cpl; if true, return true.  Otherwise queue
+ * a #GP and return false.
+ */
+bool kvm_require_cpl(struct kvm_vcpu *vcpu, int required_cpl)
+{
+	if (kvm_x86_ops->get_cpl(vcpu) <= required_cpl)
+		return true;
+	kvm_queue_exception_e(vcpu, GP_VECTOR, 0);
+	return false;
+}
+EXPORT_SYMBOL_GPL(kvm_require_cpl);
+
+/*
  * Load the pae pdptrs.  Return true is they are all valid.
  */
 int load_pdptrs(struct kvm_vcpu *vcpu, unsigned long cr3)
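Review bot: `kvm_require_cpl()` queues the fault with `kvm_queue_exception_e(vcpu, GP_VECTOR, 0)`, which matches the architectural #GP(0) for a privilege violation; the comment above it should also state that the caller is expected to return to the guest (return 1 from the exit handler) so the queued exception is actually injected. Going through `kvm_x86_ops->get_cpl` keeps the helper usable from both VMX and SVM, and `EXPORT_SYMBOL_GPL` is needed since vmx.c builds as a separate module.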

kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch:
 vmx.c |    9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

--- NEW FILE kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch ---
>From 5fff7d270bd6a4759b6d663741b729cdee370257 Mon Sep 17 00:00:00 2001
From: Gleb Natapov <gleb at redhat.com>
Date: Thu, 27 Aug 2009 18:41:30 +0300
Subject: KVM: VMX: Fix cr8 exiting control clobbering by EPT

From: Gleb Natapov <gleb at redhat.com>

commit 5fff7d270bd6a4759b6d663741b729cdee370257 upstream.

Don't call adjust_vmx_controls() two times for the same control.
It restores options that were dropped earlier.  This loses us the cr8
exit control, which causes a massive performance regression on Windows x64.

Signed-off-by: Gleb Natapov <gleb at redhat.com>
Signed-off-by: Avi Kivity <avi at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 arch/x86/kvm/vmx.c |    9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1206,12 +1206,9 @@ static __init int setup_vmcs_config(stru
 	if (_cpu_based_2nd_exec_control & SECONDARY_EXEC_ENABLE_EPT) {
 		/* CR3 accesses and invlpg don't need to cause VM Exits when EPT
 		   enabled */
-		min &= ~(CPU_BASED_CR3_LOAD_EXITING |
-			 CPU_BASED_CR3_STORE_EXITING |
-			 CPU_BASED_INVLPG_EXITING);
-		if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PROCBASED_CTLS,
-					&_cpu_based_exec_control) < 0)
-			return -EIO;
+		_cpu_based_exec_control &= ~(CPU_BASED_CR3_LOAD_EXITING |
+					     CPU_BASED_CR3_STORE_EXITING |
+					     CPU_BASED_INVLPG_EXITING);
 		rdmsr(MSR_IA32_VMX_EPT_VPID_CAP,
 		      vmx_capability.ept, vmx_capability.vpid);
 	}
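Review bot: replacing the second `adjust_vmx_controls()` call with a direct `_cpu_based_exec_control &= ~(...)` fixes the clobbering but also drops the allowed-0 validation that `adjust_vmx_controls()` performed against `MSR_IA32_VMX_PROCBASED_CTLS`; this is safe only on the assumption, stated in the comment just above, that hardware with EPT permits CR3 load/store and invlpg exiting to be disabled. The old code recomputed the whole control word from `min`/`opt`, which silently discarded optional bits the first call had already negotiated (the cr8 exiting control named in the commit message); the new form clears only the three named bits and leaves everything else intact.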

kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch:
 arch/x86/kvm/x86.c       |    6 ++++++
 include/linux/kvm_para.h |    1 +
 2 files changed, 7 insertions(+)

--- NEW FILE kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch ---
>From 07708c4af1346ab1521b26a202f438366b7bcffd Mon Sep 17 00:00:00 2001
From: Jan Kiszka <jan.kiszka at siemens.com>
Date: Mon, 3 Aug 2009 18:43:28 +0200
Subject: KVM: x86: Disallow hypercalls for guest callers in rings > 0

From: Jan Kiszka <jan.kiszka at siemens.com>

commit 07708c4af1346ab1521b26a202f438366b7bcffd upstream.

So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
hypercalls. Normally, such callers cannot provide any hand-crafted MMU
command structure as it has to be passed by its physical address, but
they can still crash the guest kernel by passing random addresses.

To close the hole, this patch considers hypercalls valid only if issued
from guest ring 0. This may still be relaxed on a per-hypercall base in
the future once required.

Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
Signed-off-by: Avi Kivity <avi at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 arch/x86/kvm/x86.c       |    6 ++++++
 include/linux/kvm_para.h |    1 +
 2 files changed, 7 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2885,6 +2885,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
 		a3 &= 0xFFFFFFFF;
 	}
 
+	if (kvm_x86_ops->get_cpl(vcpu) != 0) {
+		ret = -KVM_EPERM;
+		goto out;
+	}
+
 	switch (nr) {
 	case KVM_HC_VAPIC_POLL_IRQ:
 		ret = 0;
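Review bot: the `kvm_x86_ops->get_cpl(vcpu) != 0` check sits after the 32-bit argument masking and before the `switch (nr)`, so every hypercall number, including unknown ones that would otherwise get `-KVM_ENOSYS`, now returns `-KVM_EPERM` to a caller above ring 0; ring-0 callers that probe for unsupported hypercalls by expecting ENOSYS are unaffected since the test only triggers for CPL > 0. A one-line comment on why the test is made once here rather than per case would help, since the commit message says per-hypercall relaxation may follow.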
@@ -2896,6 +2901,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
 		ret = -KVM_ENOSYS;
 		break;
 	}
+out:
 	kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
 	++vcpu->stat.hypercalls;
 	return r;
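Review bot: the `out:` label lands before `kvm_register_write(vcpu, VCPU_REGS_RAX, ret)` and `++vcpu->stat.hypercalls`, so a rejected hypercall still writes `-KVM_EPERM` to RAX and is counted in the per-vcpu hypercall statistic; that is reasonable, and from a host monitoring perspective it means hypercall attempts from guest user mode stay visible in the stats rather than disappearing silently. `r` is returned unchanged, so the exit is still treated as handled and the guest resumes.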
--- a/include/linux/kvm_para.h
+++ b/include/linux/kvm_para.h
@@ -13,6 +13,7 @@
 #define KVM_ENOSYS		1000
 #define KVM_EFAULT		EFAULT
 #define KVM_E2BIG		E2BIG
+#define KVM_EPERM		EPERM
 
 #define KVM_HC_VAPIC_POLL_IRQ		1
 #define KVM_HC_MMU_OP			2
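Review bot: `KVM_EPERM` is added to include/linux/kvm_para.h, the guest-visible paravirt ABI header, so the new error code becomes part of what guest kernels may see in RAX after a hypercall; guest-side code that only handles `-KVM_ENOSYS` should be checked for this new value. Defining it as `EPERM` follows the existing `KVM_EFAULT`/`KVM_E2BIG` convention of reusing errno values, while `KVM_ENOSYS` keeps its dedicated 1000.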


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1743
retrieving revision 1.1744
diff -u -p -r1.1743 -r1.1744
--- kernel.spec	25 Sep 2009 07:59:50 -0000	1.1743
+++ kernel.spec	26 Sep 2009 17:49:00 -0000	1.1744
@@ -751,6 +751,13 @@ Patch14200: hostap-revert-toxic-part-of-
 # fix cfq performance regression in 2.6.30
 Patch14300: linux-2.6-cfq-choose-new-next-req.patch
 
+# kvm fixes from 2.6.31.1, including fix for CVE-2009-3290
+Patch14400: kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch
+Patch14401: kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch
+Patch14402: kvm-vmx-check-cpl-before-emulating-debug-register-access.patch
+Patch14403: kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch
+Patch14404: kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
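Review bot: Patch14400 through Patch14404 are declared in a fresh block after Patch14300, and the five file names match the files listed under Added Files in this commit; the block sits inside the same conditional as the preceding cfq patch (the `%endif` follows it), so it is gated the same way.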
@@ -1398,6 +1405,13 @@ ApplyPatch hostap-revert-toxic-part-of-c
 # fix cfq performance regression in 2.6.30
 ApplyPatch linux-2.6-cfq-choose-new-next-req.patch
 
+# kvm fixes from 2.6.31.1, including fix for CVE-2009-3290
+ApplyPatch kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch
+ApplyPatch kvm-mmu-make-__kvm_mmu_free_some_pages-handle-empty-list.patch
+ApplyPatch kvm-vmx-check-cpl-before-emulating-debug-register-access.patch
+ApplyPatch kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch
+ApplyPatch kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
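Review bot: the ApplyPatch lines are in the same order as the Patch14400..14404 declarations and are placed before `# END OF PATCH APPLICATIONS`, which keeps the two lists in sync; the comment repeats the CVE-2009-3290 reference from the declarations block, which is useful when later grepping the spec for the security fix.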
@@ -1986,6 +2000,9 @@ fi
 # and build.
 
 %changelog
+* Sat Sep 26 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.8-65
+- KVM fixes from 2.6.31.1, including fix for CVE-2009-3290
+
 * Fri Sep 25 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.8-64
 - Fix serious CFQ performance regression.
 
