Hi, While going over the following .36 stable patch for .35 long term I noticed that the original load_gs_index() fix is not queued for .35. As I understand this means that a malicious guest could crash the kernel by corrupting its %gs ldt entry in a LDT. Want to submit the original fix for that to .35? I didn't apply this fix for the patch for now.
-Andi >From c8770e7ba63bb5dd8fe5f9d251275a8fa717fb78 Mon Sep 17 00:00:00 2001 From: Avi Kivity <[email protected]> Date: Thu, 11 Nov 2010 12:37:26 +0200 Subject: KVM: VMX: Fix host userspace gsbase corruption From: Avi Kivity <[email protected]> commit c8770e7ba63bb5dd8fe5f9d251275a8fa717fb78 upstream. We now use load_gs_index() to load gs safely; unfortunately this also changes MSR_KERNEL_GS_BASE, which we managed separately. This resulted in confusion and breakage running 32-bit host userspace on a 64-bit kernel. Fix by - saving guest MSR_KERNEL_GS_BASE before we we reload the host's gs - doing the host save/load unconditionally, instead of only when in guest long mode Things can be cleaned up further, but this is the minmal fix for now. Signed-off-by: Avi Kivity <[email protected]> Signed-off-by: Marcelo Tosatti <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> -- [email protected] -- Speaking for myself only. _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
