From: Greg Kroah-Hartman
Date: Fri, 19 Dec 2014 01:46:56 +0000 (-0800)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.64~35^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df35a2f5e24ab87b025b15ed90976d0f665abfa7;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
---
diff --git a/queue-3.14/series b/queue-3.14/series
index d2ab4002342..52245a5fa88 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -2,3 +2,4 @@ isofs-fix-infinite-looping-over-ce-entries.patch
 x86-tls-validate-tls-entries-to-protect-espfix.patch
 x86-tls-disallow-unusual-tls-segments.patch
 x86_64-switch_to-load-tls-descriptors-before-switching-ds-and-es.patch
+x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
diff --git a/queue-3.14/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch b/queue-3.14/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
new file mode 100644
index 00000000000..8a685521fc5
--- /dev/null
+++ b/queue-3.14/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
@@ -0,0 +1,68 @@
+From 29fa6825463c97e5157284db80107d1bfac5d77b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Fri, 5 Dec 2014 19:03:28 -0800
+Subject: x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+
+From: Andy Lutomirski
+
+commit 29fa6825463c97e5157284db80107d1bfac5d77b upstream.
+
+paravirt_enabled has the following effects:
+
+ - Disables the F00F bug workaround warning. There is no F00F bug
+ workaround any more because Linux's standard IDT handling already
+ works around the F00F bug, but the warning still exists. This
+ is only cosmetic, and, in any event, there is no such thing as
+ KVM on a CPU with the F00F bug.
+
+ - Disables 32-bit APM BIOS detection. On a KVM paravirt system,
+ there should be no APM BIOS anyway.
+
+ - Disables tboot. I think that the tboot code should check the
+ CPUID hypervisor bit directly if it matters.
+
+ - paravirt_enabled disables espfix32. espfix32 should *not* be
+ disabled under KVM paravirt.
+
+The last point is the purpose of this patch. It fixes a leak of the
+high 16 bits of the kernel stack address on 32-bit KVM paravirt
+guests. Fixes CVE-2014-8134.
+
+Suggested-by: Konrad Rzeszutek Wilk
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/kvm.c | 9 ++++++++-
+ arch/x86/kernel/kvmclock.c | 1 -
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -280,7 +280,14 @@ do_async_page_fault(struct pt_regs *regs
+ static void __init paravirt_ops_setup(void)
+ {
+ pv_info.name = "KVM";
+- pv_info.paravirt_enabled = 1;
++
++ /*
++ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM
++ * guest kernel works like a bare metal kernel with additional
++ * features, and paravirt_enabled is about features that are
++ * missing.
++ */
++ pv_info.paravirt_enabled = 0;
+
+ if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
+ pv_cpu_ops.io_delay = kvm_io_delay;
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -263,7 +263,6 @@ void __init kvmclock_init(void)
+ #endif
+ kvm_get_preset_lpj();
+ clocksource_register_hz(&kvm_clock, NSEC_PER_SEC);
+- pv_info.paravirt_enabled = 1;
+ pv_info.name = "KVM";
+
+ if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
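Review bot: The new block comment in paravirt_ops_setup() explains why KVM is not "paravirt" but not what depends on the value, so a maintainer reading only kvm.c has no local hint that setting paravirt_enabled back to 1 would switch espfix32 off again and re-open the kernel-stack-address leak this backport fixes (CVE-2014-8134 per the commit message). Suggest one more comment line in that block, e.g. ` * Keep this 0: a non-zero paravirt_enabled disables espfix32 (CVE-2014-8134).`. The kvmclock.c hunk only removes its assignment, so the field presumably rests on pv_info's static initial value; it is worth confirming nothing else in the 3.14 tree still sets paravirt_enabled = 1 for KVM guests, since either site would undo the fix. Both paravirt_ops_setup() and kvmclock_init() continue outside their hunks.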