CVE-2018-16882:
Original patch available at:
https://marc.info/?l=kvm&m=154514994222809&w=2
To apply on v4.9.154, added the following to the original patch:
+ vmx->nested.pi_desc_page = NULL;
Change-Id: I768cce10b000bc7ab576fcd20ca7a7bacbaffc1e
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6760
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
new file mode 100644 |
@@ -0,0 +1,58 @@ |
+From c2dd5146e9fe1f22c77c1b011adf84eea0245806 Mon Sep 17 00:00:00 2001 |
+From: Cfir Cohen <cfir@google.com> |
+Date: Tue, 18 Dec 2018 08:18:41 -0800 |
+Subject: KVM: Fix UAF in nested posted interrupt processing |
+Commit: c2dd5146e9fe1f22c77c1b011adf84eea0245806 |
+ |
+nested_get_vmcs12_pages() processes the posted_intr address in vmcs12. It |
+caches the kmap()ed page object and pointer, however, it doesn't handle |
+errors correctly: it's possible to cache a valid pointer, then release |
+the page and later dereference the dangling pointer. |
+ |
+I was able to reproduce with the following steps: |
+ |
+1. Call vmlaunch with valid posted_intr_desc_addr but an invalid |
+MSR_EFER. This causes nested_get_vmcs12_pages() to cache the kmap()ed |
+pi_desc_page and pi_desc. Later the invalid EFER value fails |
+check_vmentry_postreqs() which fails the first vmlaunch. |
+ |
+2. Call vmlanuch with a valid EFER but an invalid posted_intr_desc_addr |
+(I set it to 2G - 0x80). The second time we call nested_get_vmcs12_pages |
+pi_desc_page is unmapped and released and pi_desc_page is set to NULL |
+(the "shouldn't happen" clause). Due to the invalid |
+posted_intr_desc_addr, kvm_vcpu_gpa_to_page() fails and |
+nested_get_vmcs12_pages() returns. It doesn't return an error value so |
+vmlaunch proceeds. Note that at this time we have a dangling pointer in |
+vmx->nested.pi_desc and POSTED_INTR_DESC_ADDR in L0's vmcs. |
+ |
+3. Issue an IPI in L2 guest code. This triggers a call to |
+vmx_complete_nested_posted_interrupt() and pi_test_and_clear_on() which |
+dereferences the dangling pointer. |
+ |
+Vulnerable code requires nested and enable_apicv variables to be set to |
+true. The host CPU must also support posted interrupts. |
+ |
+Fixes: 5e2f30b756a37 "KVM: nVMX: get rid of nested_get_page()" |
+Cc: stable@vger.kernel.org |
+Reviewed-by: Andy Honig <ahonig@google.com> |
+Signed-off-by: Cfir Cohen <cfir@google.com> |
+Reviewed-by: Liran Alon <liran.alon@oracle.com> |
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
+Signed-off-by: Ajay Kaher <akaher@vmware.com> |
+--- |
+ arch/x86/kvm/vmx.c | 2 ++ |
+ 1 file changed, 2 insertions(+) |
+ |
+diff -Naur linux-4.4.171/arch/x86/kvm/vmx.c linux-4.4.171_CVE-2018-16882/arch/x86/kvm/vmx.c |
+--- linux-4.4.171/arch/x86/kvm/vmx.c 2019-01-17 02:46:12.000000000 +0530 |
+@@ -9284,6 +9284,9 @@ |
+ if (vmx->nested.pi_desc_page) { /* shouldn't happen */
+ kunmap(vmx->nested.pi_desc_page); |
+ nested_release_page(vmx->nested.pi_desc_page); |
++ vmx->nested.pi_desc_page = NULL; |
++ vmx->nested.pi_desc = NULL; |
++ vmcs_write64(POSTED_INTR_DESC_ADDR, -1ull); |
+ } |
+ vmx->nested.pi_desc_page = |
+ nested_get_page(vcpu, vmcs12->posted_intr_desc_addr); |
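Review bot: the embedded patch header `+diff -Naur linux-4.4.171/arch/x86/kvm/vmx.c linux-4.4.171_CVE-2018-16882/arch/x86/kvm/vmx.c` and the `+--- linux-4.4.171/arch/x86/kvm/vmx.c` line name a 4.4.171 tree, while the three specs in this change build 4.9.154 and the commit message says the patch was adapted for v4.9.154; the `+++` header line for the patched file is also absent, so only the `---` line precedes the `@@ -9284,6 +9284,9 @@` hunk. If that is not just an artifact of how the page is rendered, regenerate the patch file against the 4.9.154 sources (keeping the extra `vmx->nested.pi_desc_page = NULL;` line the message describes) so the header, `+++` line and line offset reflect the tree it is actually applied to, and add a one-line backport note in the patch file, since the `Fixes:` and `Commit:` lines are upstream's and the added NULL store is not part of upstream's hunk. The hunk body itself is sound: after `kunmap()`/`nested_release_page()` in the "shouldn't happen" branch it now clears both `pi_desc_page` and `pi_desc` and writes -1ull to POSTED_INTR_DESC_ADDR, which removes the dangling pointer and stale VMCS field that step 2 of the reproduction relies on.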
@@ -2,7 +2,7 @@ |
Summary: Kernel |
Name: linux-aws |
Version: 4.9.154 |
-Release: 2%{?kat_build:.%kat_build}%{?dist}
+Release: 3%{?kat_build:.%kat_build}%{?dist}
License: GPLv2 |
URL: http://www.kernel.org/ |
Group: System Environment/Kernel |
@@ -63,6 +63,9 @@ Patch47: 0002-xfs-verify-dinode-header-first.patch |
Patch48: 0003-xfs-enhance-dinode-verifier.patch |
#Fix CVE-2019-8912 |
Patch49: fix_use_after_free_in_sockfs_setattr.patch |
+# Fix for CVE-2018-16882 |
+Patch50: 0001-KVM_Fix_UAF_in_nested_posted_interrupt_processing.patch |
+ |
# Out-of-tree patches from AppArmor: |
Patch71: 0001-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch |
Patch72: 0002-apparmor-Fix-quieting-of-audit-messages-for-network-.patch |
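Review bot: style nit on the new `Patch50:` entry in linux-aws.spec: the neighbouring CVE entry is written `#Fix CVE-2019-8912` with no space and no blank line after it, while the added lines use `# Fix for CVE-2018-16882` and insert a blank line before `# Out-of-tree patches from AppArmor:`. Either form works, but matching the adjacent entry keeps the patch list uniform; the same wording appears in the linux-secure and linux specs below, so if you adjust it, adjust all three together.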
@@ -227,6 +230,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
%patch47 -p1 |
%patch48 -p1 |
%patch49 -p1 |
+%patch50 -p1 |
|
%patch71 -p1 |
%patch72 -p1 |
@@ -436,6 +440,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
/usr/share/doc/* |
|
%changelog |
+* Mon Feb 25 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-3 |
+- Fix CVE-2018-16882 |
* Thu Feb 21 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.9.154-2 |
- Fix CVE-2019-8912 |
* Mon Feb 04 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-1 |
@@ -2,7 +2,7 @@ |
Summary: Kernel |
Name: linux-secure |
Version: 4.9.154 |
-Release: 2%{?kat_build:.%kat_build}%{?dist}
+Release: 3%{?kat_build:.%kat_build}%{?dist}
License: GPLv2 |
URL: http://www.kernel.org/ |
Group: System Environment/Kernel |
@@ -69,6 +69,8 @@ Patch49: 0002-xfs-verify-dinode-header-first.patch |
Patch50: 0003-xfs-enhance-dinode-verifier.patch |
#Fix CVE-2019-8912 |
Patch51: fix_use_after_free_in_sockfs_setattr.patch |
+# Fix for CVE-2018-16882 |
+Patch52: 0001-KVM_Fix_UAF_in_nested_posted_interrupt_processing.patch |
|
# Out-of-tree patches from AppArmor: |
Patch71: 0001-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch |
@@ -194,6 +196,7 @@ EOF |
%patch49 -p1 |
%patch50 -p1 |
%patch51 -p1 |
+%patch52 -p1 |
|
%patch71 -p1 |
%patch72 -p1 |
@@ -327,6 +330,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
/usr/src/linux-headers-%{uname_r}
|
%changelog |
+* Mon Feb 25 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-3 |
+- Fix CVE-2018-16882 |
* Thu Feb 21 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.9.154-2 |
- Fix CVE-2019-8912 |
* Mon Feb 04 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-1 |
@@ -2,7 +2,7 @@ |
Summary: Kernel |
Name: linux |
Version: 4.9.154 |
-Release: 2%{?kat_build:.%kat_build}%{?dist}
+Release: 3%{?kat_build:.%kat_build}%{?dist}
License: GPLv2 |
URL: http://www.kernel.org/ |
Group: System Environment/Kernel |
@@ -66,6 +66,8 @@ Patch45: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
Patch46: 0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch |
Patch47: 0002-xfs-verify-dinode-header-first.patch |
Patch48: 0003-xfs-enhance-dinode-verifier.patch |
+# Fix for CVE-2018-16882 |
+Patch49: 0001-KVM_Fix_UAF_in_nested_posted_interrupt_processing.patch |
|
# HyperV PCI patches to Use vPCI_protocol_version_1.2 |
Patch51: 0001_PCI_hv_Allocate_physically_contiguous_hypercall_params_buffer.patch |
@@ -194,6 +196,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
%patch46 -p1 |
%patch47 -p1 |
%patch48 -p1 |
+%patch49 -p1 |
|
%patch51 -p1 |
%patch52 -p1 |
@@ -375,6 +378,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
/usr/share/doc/* |
|
%changelog |
+* Mon Feb 25 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-3 |
+- Fix CVE-2018-16882 |
* Thu Feb 21 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.9.154-2 |
- Fix CVE-2019-8912 |
* Mon Feb 04 2019 Ajay Kaher <akaher@vmware.com> 4.9.154-1 |