From df35a2f5e24ab87b025b15ed90976d0f665abfa7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 18 Dec 2014 17:46:56 -0800
Subject: [PATCH] 3.14-stable patches
added patches:
x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
---
 queue-3.14/series | 1 +
 ...on-kvm-guests-for-espfix32-s-benefit.patch | 68 +++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 queue-3.14/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
diff --git a/queue-3.14/series b/queue-3.14/series
index d2ab4002342..52245a5fa88 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -2,3 +2,4 @@ isofs-fix-infinite-looping-over-ce-entries.patch
 x86-tls-validate-tls-entries-to-protect-espfix.patch
 x86-tls-disallow-unusual-tls-segments.patch
 x86_64-switch_to-load-tls-descriptors-before-switching-ds-and-es.patch
+x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
diff --git a/queue-3.14/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch b/queue-3.14/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
new file mode 100644
index 00000000000..8a685521fc5
--- /dev/null
+++ b/queue-3.14/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
@@ -0,0 +1,68 @@
+From 29fa6825463c97e5157284db80107d1bfac5d77b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Fri, 5 Dec 2014 19:03:28 -0800
+Subject: x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+
+From: Andy Lutomirski
+
+commit 29fa6825463c97e5157284db80107d1bfac5d77b upstream.
+
+paravirt_enabled has the following effects:
+
+ - Disables the F00F bug workaround warning. There is no F00F bug
+ workaround any more because Linux's standard IDT handling already
+ works around the F00F bug, but the warning still exists. This
+ is only cosmetic, and, in any event, there is no such thing as
+ KVM on a CPU with the F00F bug.
+
+ - Disables 32-bit APM BIOS detection. On a KVM paravirt system,
+ there should be no APM BIOS anyway.
+
+ - Disables tboot. I think that the tboot code should check the
+ CPUID hypervisor bit directly if it matters.
+
+ - paravirt_enabled disables espfix32. espfix32 should *not* be
+ disabled under KVM paravirt.
+
+The last point is the purpose of this patch. It fixes a leak of the
+high 16 bits of the kernel stack address on 32-bit KVM paravirt
+guests. Fixes CVE-2014-8134.
+
+Suggested-by: Konrad Rzeszutek Wilk
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/kvm.c | 9 ++++++++-
+ arch/x86/kernel/kvmclock.c | 1 -
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -280,7 +280,14 @@ do_async_page_fault(struct pt_regs *regs
+ static void __init paravirt_ops_setup(void)
+ {
+ pv_info.name = "KVM";
+- pv_info.paravirt_enabled = 1;
++
++ /*
++ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM
++ * guest kernel works like a bare metal kernel with additional
++ * features, and paravirt_enabled is about features that are
++ * missing.
++ */
++ pv_info.paravirt_enabled = 0;
+
+ if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
+ pv_cpu_ops.io_delay = kvm_io_delay;
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -263,7 +263,6 @@ void __init kvmclock_init(void)
+ #endif
+ kvm_get_preset_lpj();
+ clocksource_register_hz(&kvm_clock, NSEC_PER_SEC);
+- pv_info.paravirt_enabled = 1;
+ pv_info.name = "KVM";
+
+ if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
-- 
2.47.3
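Review bot: The new comment block in the kvm.c hunk of the backported patch explains what paravirt_enabled means but not why clearing it matters in this spot, which is the whole reason for the backport: per the commit message, a set paravirt_enabled disables espfix32, which leaks the high 16 bits of the kernel stack address on 32-bit guests (CVE-2014-8134). Adding a line such as `* Leaving it 0 also keeps espfix32 active (CVE-2014-8134).` to that comment would stop a later cleanup from setting the flag again without noticing the consequence. The kvmclock.c hunk removes its own `pv_info.paravirt_enabled = 1;` rather than clearing the flag, so that path relies on the field's default value, which I assume is 0; if kvmclock_init can run without paravirt_ops_setup, that reliance is worth a one-line comment there too. Both enclosing functions, paravirt_ops_setup and kvmclock_init, start and end outside the hunk.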