[stable] Patch "KVM: VMX: fix vmx null pointer dereference on debug register access" has been added to the 2.6.32-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    KVM: VMX: fix vmx null pointer dereference on debug register access

to the 2.6.32-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
and it can be found in the queue-2.6.32 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <sta...@kernel.org> know about it.


>From 85dedd445698c5bbd096289cfcc6034f74941815 Mon Sep 17 00:00:00 2001
From: Gleb Natapov <g...@redhat.com>
Date: Wed, 10 Nov 2010 12:08:12 +0200
Subject: KVM: VMX: fix vmx null pointer dereference on debug register access

There is a bug in KVM that can be used to crash a host on Intel
machines. If emulator is tricked into emulating mov to/from DR instruction
it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
are not initialized. Recently this is not exploitable from guest
userspace, but malicious guest kernel can trigger it easily.

CVE-2010-0435

On upstream bug was fixed differently around 2.6.34.

Signed-off-by: Gleb Natapov <g...@redhat.com>
Signed-off-by: Avi Kivity <a...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
 arch/x86/kvm/x86.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2782,6 +2782,9 @@ int emulator_get_dr(struct x86_emulate_c
 {
        struct kvm_vcpu *vcpu = ctxt->vcpu;
 
+       if (!kvm_x86_ops->get_dr)
+               return X86EMUL_UNHANDLEABLE;
+
        switch (dr) {
        case 0 ... 3:
                *dest = kvm_x86_ops->get_dr(vcpu, dr);
@@ -2797,6 +2800,9 @@ int emulator_set_dr(struct x86_emulate_c
        unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
        int exception;
 
+       if (!kvm_x86_ops->set_dr)
+               return X86EMUL_UNHANDLEABLE;
+
        kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);
        if (exception) {
                /* FIXME: better handling */


Patches currently in stable-queue which might be from g...@redhat.com are

queue-2.6.32/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch

_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable