rpms/kernel/F-10 kvm-x86-emulator-limit-insns-to-15-bytes.patch, NONE, 1.1.2.1 kernel.spec, 1.1206.2.116, 1.1206.2.117

Wed Dec 9 07:07:06 UTC 2009

Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24439

Modified Files:
      Tag: private-fedora-10-2_6_27
	kernel.spec 
Added Files:
      Tag: private-fedora-10-2_6_27
	kvm-x86-emulator-limit-insns-to-15-bytes.patch 
Log Message:
Limit x86 instructions to 15 bytes in KVM (CVE-2009-4031)

kvm-x86-emulator-limit-insns-to-15-bytes.patch:
 arch/x86/kvm/x86_emulate.c        |    5 ++++-
 include/asm-x86/kvm_x86_emulate.h |    2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

--- NEW FILE kvm-x86-emulator-limit-insns-to-15-bytes.patch ---
From: Avi Kivity <avi at redhat.com>
Date: Tue, 24 Nov 2009 13:20:15 +0000 (+0200)
Subject: KVM: x86 emulator: limit instructions to 15 bytes
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb

KVM: x86 emulator: limit instructions to 15 bytes

[ <cebbert at redhat.com>: backport to 2.6.27 ]

While we are never normally passed an instruction that exceeds 15 bytes,
smp games can cause us to attempt to interpret one, which will cause
large latencies in non-preempt hosts.

Cc: stable at kernel.org
Signed-off-by: Avi Kivity <avi at redhat.com>
---

diff -u a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
--- a/include/asm-x86/kvm_x86_emulate.h
+++ b/include/asm-x86/kvm_x86_emulate.h
@@ -128,7 +128,7 @@ struct decode_cache {
 	u8 seg_override;
 	unsigned int d;
 	unsigned long regs[NR_VCPU_REGS];
-	unsigned long eip;
+	unsigned long eip, eip_orig;
 	/* modrm */
 	u8 modrm;
 	u8 modrm_mod;
diff -u a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
--- a/arch/x86/kvm/x86_emulate.c
+++ b/arch/x86/kvm/x86_emulate.c
@@ -581,6 +581,9 @@ static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
 {
 	int rc = 0;
 
+	/* x86 instructions are limited to 15 bytes. */
+	if (eip + size - ctxt->decode.eip_orig > 15)
+		return X86EMUL_UNHANDLEABLE;
 	eip += ctxt->cs_base;
 	while (size--) {
 		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
@@ -839,7 +842,7 @@ x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
 	/* Shadow copy of register state. Committed on successful emulation. */
 
 	memset(c, 0, sizeof(struct decode_cache));
-	c->eip = ctxt->vcpu->arch.rip;
+	c->eip = c->eip_orig = ctxt->vcpu->arch.rip;
 	ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
 	memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
 


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1206.2.116
retrieving revision 1.1206.2.117
diff -u -p -r1.1206.2.116 -r1.1206.2.117
--- kernel.spec	8 Dec 2009 23:38:14 -0000	1.1206.2.116
+++ kernel.spec	9 Dec 2009 07:07:04 -0000	1.1206.2.117
@@ -794,6 +794,9 @@ Patch15250: x86-fix-csum_ipv6_magic-asm-
 # Fix ext3 file corruption in some cases
 Patch15400: jbd-fix-return-value-of-journal-start-commit.patch
 
+# CVE-2009-4031
+Patch15500: kvm-x86-emulator-limit-insns-to-15-bytes.patch
+
 # fix null deref in r128
 Patch16200: drm-r128-add-test-for-initialisation-to-all-ioctls-that-require-it.patch
 
@@ -1437,6 +1440,9 @@ ApplyPatch sky2-set-sky2_hw_ram_buffer-i
 ApplyPatch tcp-fix-config_tcp_md5sig-config_preempt-timer-bug.patch
 ApplyPatch x86-fix-csum_ipv6_magic-asm-memory-clobber.patch
 
+# CVE-2009-4031
+ApplyPatch kvm-x86-emulator-limit-insns-to-15-bytes.patch
+
 # Fix ext3 file corruption in some cases
 ApplyPatch jbd-fix-return-value-of-journal-start-commit.patch
 
@@ -2018,6 +2024,9 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Wed Dec 09 2009 Chuck Ebbert <cebbert at redhat.com>  2.6.27.41-170.2.117
+- Limit x86 instructions to 15 bytes in KVM (CVE-2009-4031)
+
 * Tue Dec 08 2009 Chuck Ebbert <cebbert at redhat.com>  2.6.27.41-170.2.116
 - Linux 2.6.27.41
 


