Bug#775888: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-21 Thread Gianfranco Costamagna
Hi Frank,



that code does only exist in VBox 4.3.x, older branches are not affected.

wonderful
Attached.


wonderful
These patches are against the latest code in the respective branches but
I hope they apply to these old versions. Sorry but it's not possible to
support such old versions, we only support the latest versions of a
specific branch.

Of course, there is absolutely no problem in adapting them :)

Correct, already contains fixes for all these problems.
wonderful


have many thanks,

Gianfranco





Bug#775888: Re: [vbox-dev] Fwd: Re: Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427

2015-01-21 Thread Frank Mehnert
Hi Gianfranco,

On Wednesday 21 January 2015 14:28:53 Gianfranco Costamagna wrote:
 most of the CVEs from that CPU (Oracle Critical Patch Update) are related to the experimental VMSVGA
 implementation. This code is not documented and not announced and
 regular users will not use it. Therefore I suggest you to just disable
 that code by setting
 
   VBOX_WITH_VMSVGA=
   VBOX_WITH_VMSVGA3D=
 
 This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
 CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
 lengthy, therefore disabling this code is IMO the best solution.
 
 I presume starting from version 4.0 everything needs to be patched by
 disabling it?

that code does only exist in VBox 4.3.x, older branches are not affected.

 CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
 CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
 
 do you have any patch for <= 4.2.x then?

Attached.

 4.0.10 4.1.12 4.1.18 4.3.10 4.3.14 4.3.18

These patches are against the latest code in the respective branches but
I hope they apply to these old versions. Sorry but it's not possible to
support such old versions, we only support the latest versions of a
specific branch.

 4.3.20 (not affected at all I presume)

Correct, already contains fixes for all these problems.

Frank
-- 
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz

Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95342)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95343)
@@ -1290,7 +1290,13 @@
 if (rc2 == VERR_SEM_BUSY)
 return (uErrorCode  X86_TRAP_PF_RW) ? VINF_IOM_HC_MMIO_WRITE : VINF_IOM_HC_MMIO_READ;
 #endif
-VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(pVM-iom.s, GCPhysFault));
+PIOMMMIORANGE pRange = iomMMIOGetRange(pVM-iom.s, GCPhysFault);
+if (RT_UNLIKELY(!pRange))
+{
+iomUnlock(pVM);
+return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+}
+VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, pRange);
 iomUnlock(pVM);
 return VBOXSTRICTRC_VAL(rcStrict);
 }
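Review bot: The new `if (RT_UNLIKELY(!pRange))` branch carries no comment on why the lookup can come back empty at this point or what the caller does with `VERR_IOM_MMIO_RANGE_NOT_FOUND`. The removed line passed the result of `iomMMIOGetRange` straight into `iomMMIOHandler`, so an unregistered range presumably ended in a NULL dereference there; I would record that beside the check, e.g. `/* No MMIO range for GCPhysFault: fail the access rather than hand a NULL range to iomMMIOHandler. */`. The same block is added in the second IOMAllMMIO.cpp hunk (`@@ -1305,7 +1305,13 @@`) and wants the same comment. The enclosing function begins outside this hunk, so how the status propagates to the caller is not visible here.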
Index: include/VBox/hwacc_vmx.h
===
--- include/VBox/hwacc_vmx.h	(revision 96156)
+++ include/VBox/hwacc_vmx.h	(revision 96157)
@@ -519,6 +519,12 @@
 #define VMX_EXIT_WBINVD 54
 /** 55 XSETBV. Guest software attempted to execute XSETBV. */
 #define VMX_EXIT_XSETBV 55
+/** 57 RDRAND. Guest software attempted to execute RDRAND. */
+#define VMX_EXIT_RDRAND 57
+/** 58 INVPCID. Guest software attempted to execute INVPCID. */
+#define VMX_EXIT_INVPCID58
+/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */
+#define VMX_EXIT_VMFUNC 59
 /** @} */
 
 
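Review bot: As shown here the second added define reads `#define VMX_EXIT_INVPCID58`, which defines an empty macro named `VMX_EXIT_INVPCID58` and leaves `VMX_EXIT_INVPCID` undefined, so the `case VMX_EXIT_INVPCID:` added to HWVMXR0.cpp by the same revision would not compile. This is probably whitespace lost in the archived copy rather than in the original attachment, but anyone applying the patch from this page should make the line `#define VMX_EXIT_INVPCID 58`. Exit reason 56 is also skipped between XSETBV and RDRAND without a remark; a one-line comment saying it is deliberately not defined here would help the next reader.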
Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp
===
--- src/VBox/VMM/VMMR0/HWVMXR0.cpp	(revision 96156)
+++ src/VBox/VMM/VMMR0/HWVMXR0.cpp	(revision 96157)
@@ -4036,6 +4036,10 @@
 case VMX_EXIT_VMWRITE:  /* 25 Guest software executed VMWRITE. */
 case VMX_EXIT_VMXOFF:   /* 26 Guest software executed VMXOFF. */
 case VMX_EXIT_VMXON:/* 27 Guest software executed VMXON. */
+case VMX_EXIT_INVEPT:   /* 50 Guest software executed INVEPT. */
+case VMX_EXIT_INVVPID:  /* 53 Guest software executed INVVPID. */
+case VMX_EXIT_INVPCID:  /* 58 Guest software executed INVPCID. */
+case VMX_EXIT_VMFUNC:   /* 59 Guest software executed VMFUNC. */
 /** @todo inject #UD immediately */
 rc = VERR_EM_INTERPRETER;
 break;
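Review bot: `VMX_EXIT_RDRAND` (57) is defined in hwacc_vmx.h by the same revision but is not among the cases added here, and the hunk does not show whether another case or the default branch covers it. If the omission is deliberate, say so above the new cases, e.g. `/* VMX_EXIT_RDRAND (57) is intentionally not listed: <reason>. */`. The four new cases inherit the existing `@todo inject #UD immediately`, so for now they end in `VERR_EM_INTERPRETER` like the other VMX instructions in this group. The switch starts and ends outside the hunk.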
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95342)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp	(revision 95343)
@@ -1305,7 +1305,13 @@
 if (rc2 == VERR_SEM_BUSY)
 return VINF_IOM_HC_MMIO_READ_WRITE;
 #endif
-VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(pVM-iom.s, GCPhysFault));
+PIOMMMIORANGE pRange = iomMMIOGetRange(pVM-iom.s, GCPhysFault);
+if (RT_UNLIKELY(!pRange))
+{
+iomUnlock(pVM);
+return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+}
+VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault,