git.baikalelectronics.ru Git - kernel.git/commit

author	Ladi Prosek <lprosek@redhat.com>
	Thu, 5 Oct 2017 09:10:23 +0000 (11:10 +0200)
committer	Paolo Bonzini <pbonzini@redhat.com>
	Tue, 10 Oct 2017 13:31:28 +0000 (15:31 +0200)
commit	153612be0e51fce9e6fd0e2d4c919bf88d614b25
tree	4d820edec657b7fa4c79e1877b87ff86d5c3aed9	tree \| snapshot
parent	fdf510be5be0c2ef786a6db67a98237b178a14a9	commit \| diff

KVM: MMU: always terminate page walks at level 1

is_last_gpte() is not equivalent to the pseudo-code given in commit
47b5d66b5aa79 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
value of last_nonleaf_level may override the result even if level == 1.

It is critical for is_last_gpte() to return true on level == 1 to
terminate page walks. Otherwise memory corruption may occur as level
is used as an index to various data structures throughout the page
walking code. Even though the actual bug would be wherever the MMU is
initialized (as in the previous patch), be defensive and ensure here
that is_last_gpte() returns the correct value.

This patch is also enough to fix CVE-2017-12188.

Fixes: 47b5d66b5aa7904f6f52a9ce3f31887bcad2df40
Cc: stable@vger.kernel.org
Cc: Andy Honig <ahonig@google.com>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
[Panic if walk_addr_generic gets an incorrect level; this is a serious
bug and it's not worth a WARN_ON where the recovery path might hide
further exploitable issues; suggested by Andrew Honig. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

arch/x86/kvm/mmu.c		diff \| blob \| history
arch/x86/kvm/paging_tmpl.h		diff \| blob \| history