rpms/kernel/F-10 kvm-x86-emulator-limit-insns-to-15-bytes.patch, NONE, 1.1.2.1 kernel.spec, 1.1206.2.116, 1.1206.2.117
Chuck Ebbert
cebbert at fedoraproject.org
Wed Dec 9 07:07:06 UTC 2009
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24439
Modified Files:
Tag: private-fedora-10-2_6_27
kernel.spec
Added Files:
Tag: private-fedora-10-2_6_27
kvm-x86-emulator-limit-insns-to-15-bytes.patch
Log Message:
Limit x86 instructions to 15 bytes in KVM (CVE-2009-4031)
kvm-x86-emulator-limit-insns-to-15-bytes.patch:
arch/x86/kvm/x86_emulate.c | 5 ++++-
include/asm-x86/kvm_x86_emulate.h | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
--- NEW FILE kvm-x86-emulator-limit-insns-to-15-bytes.patch ---
From: Avi Kivity <avi at redhat.com>
Date: Tue, 24 Nov 2009 13:20:15 +0000 (+0200)
Subject: KVM: x86 emulator: limit instructions to 15 bytes
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb
KVM: x86 emulator: limit instructions to 15 bytes
[ <cebbert at redhat.com>: backport to 2.6.27 ]
While we are never normally passed an instruction that exceeds 15 bytes,
smp games can cause us to attempt to interpret one, which will cause
large latencies in non-preempt hosts.
Cc: stable at kernel.org
Signed-off-by: Avi Kivity <avi at redhat.com>
---
diff -u a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
--- a/include/asm-x86/kvm_x86_emulate.h
+++ b/include/asm-x86/kvm_x86_emulate.h
@@ -128,7 +128,7 @@ struct decode_cache {
u8 seg_override;
unsigned int d;
unsigned long regs[NR_VCPU_REGS];
- unsigned long eip;
+ unsigned long eip, eip_orig;
/* modrm */
u8 modrm;
u8 modrm_mod;
diff -u a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
--- a/arch/x86/kvm/x86_emulate.c
+++ b/arch/x86/kvm/x86_emulate.c
@@ -581,6 +581,9 @@ static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
{
int rc = 0;
+ /* x86 instructions are limited to 15 bytes. */
+ if (eip + size - ctxt->decode.eip_orig > 15)
+ return X86EMUL_UNHANDLEABLE;
eip += ctxt->cs_base;
while (size--) {
rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
@@ -839,7 +842,7 @@ x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
/* Shadow copy of register state. Committed on successful emulation. */
memset(c, 0, sizeof(struct decode_cache));
- c->eip = ctxt->vcpu->arch.rip;
+ c->eip = c->eip_orig = ctxt->vcpu->arch.rip;
ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1206.2.116
retrieving revision 1.1206.2.117
diff -u -p -r1.1206.2.116 -r1.1206.2.117
--- kernel.spec 8 Dec 2009 23:38:14 -0000 1.1206.2.116
+++ kernel.spec 9 Dec 2009 07:07:04 -0000 1.1206.2.117
@@ -794,6 +794,9 @@ Patch15250: x86-fix-csum_ipv6_magic-asm-
# Fix ext3 file corruption in some cases
Patch15400: jbd-fix-return-value-of-journal-start-commit.patch
+# CVE-2009-4031
+Patch15500: kvm-x86-emulator-limit-insns-to-15-bytes.patch
+
# fix null deref in r128
Patch16200: drm-r128-add-test-for-initialisation-to-all-ioctls-that-require-it.patch
@@ -1437,6 +1440,9 @@ ApplyPatch sky2-set-sky2_hw_ram_buffer-i
ApplyPatch tcp-fix-config_tcp_md5sig-config_preempt-timer-bug.patch
ApplyPatch x86-fix-csum_ipv6_magic-asm-memory-clobber.patch
+# CVE-2009-4031
+ApplyPatch kvm-x86-emulator-limit-insns-to-15-bytes.patch
+
# Fix ext3 file corruption in some cases
ApplyPatch jbd-fix-return-value-of-journal-start-commit.patch
@@ -2018,6 +2024,9 @@ fi
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Wed Dec 09 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.41-170.2.117
+- Limit x86 instructions to 15 bytes in KVM (CVE-2009-4031)
+
* Tue Dec 08 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.41-170.2.116
- Linux 2.6.27.41
More information about the fedora-extras-commits
mailing list