From: Greg Kroah-Hartman
Date: Thu, 12 Dec 2019 09:41:16 +0000 (+0100)
Subject: 5.3-stable patches
X-Git-Tag: v5.4.3~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=47b713ba0f6f4f37cda85ba74cd2e61fb63998ff;p=thirdparty%2Fkernel%2Fstable-queue.git

5.3-stable patches
added patches:
kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
---
diff --git a/queue-5.3/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch b/queue-5.3/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
new file mode 100644
index 00000000000..f6877b4d7b4
--- /dev/null
+++ b/queue-5.3/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
@@ -0,0 +1,43 @@
+From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Wed, 4 Dec 2019 10:28:54 +0100
+Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
+
+From: Paolo Bonzini
+
+commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.
+
+The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
+KVM_GET_EMULATED_CPUID.
+
+Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
+Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
+Signed-off-by: Paolo Bonzini
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/cpuid.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -497,7 +497,7 @@ static inline int __do_cpuid_func(struct
+
+ r = -E2BIG;
+
+- if (*nent >= maxnent)
++ if (WARN_ON(*nent >= maxnent))
+ goto out;
+
+ do_host_cpuid(entry, function, 0);
+@@ -794,6 +794,9 @@ out:
+ static int do_cpuid_func(struct kvm_cpuid_entry2 *entry, u32 func,
+ int *nent, int maxnent, unsigned int type)
+ {
++ if (*nent >= maxnent)
++ return -E2BIG;
++
+ if (type == KVM_GET_EMULATED_CPUID)
+ return __do_cpuid_func_emulated(entry, func, nent, maxnent);
+
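Review bot: The guard added at the top of do_cpuid_func() is now the only bounds check on the KVM_GET_EMULATED_CPUID path, and nothing in the queued patch documents that: the diffstat shows no change to __do_cpuid_func_emulated(), which the commit message says never had the check. A comment above the new test would stop a later refactor from moving or dropping it, for example `/* Only bounds check for the emulated path; never dispatch with *nent >= maxnent. */`. The first inner hunk also turns the old test in __do_cpuid_func() into `WARN_ON(*nent >= maxnent)`, which is only safe if every caller goes through do_cpuid_func(). The callers are outside these hunks, so confirm this for the 5.3 tree, because a reachable WARN_ON would be a userspace-triggerable splat and a host panic under panic_on_warn. Both function bodies continue outside the hunks shown.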
diff --git a/queue-5.3/series b/queue-5.3/series
index 2173818b447..94c02450a1c 100644
--- a/queue-5.3/series
+++ b/queue-5.3/series
@@ -103,6 +103,7 @@ vcs-prevent-write-access-to-vcsu-devices.patch
 binder-fix-race-between-mmap-and-binder_alloc_print_pages.patch
 binder-prevent-repeated-use-of-mmap-via-null-mapping.patch
 binder-handle-start-null-in-binder_update_page_range.patch
+kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
 alsa-hda-fix-pending-unsol-events-at-shutdown.patch
 cpufreq-imx-cpufreq-dt-correct-i.mx8mn-s-default-spe.patch
 md-raid0-fix-an-error-message-in-raid0_make_request.patch