summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndy Honig <ahonig@google.com>2016-05-17 17:41:47 +0200
committerPaolo Bonzini <pbonzini@redhat.com>2016-05-18 18:04:32 +0200
commit9842df62004f366b9fed2423e24df10542ee0dc5 (patch)
treec744f6a7b442e18f1afc5207fbeee7216e5799b8
parent67c9dddc95ac16a09db996e8e4dcacfd94cf2306 (diff)
downloadlinux-9842df62004f366b9fed2423e24df10542ee0dc5.tar.gz
linux-9842df62004f366b9fed2423e24df10542ee0dc5.tar.bz2
linux-9842df62004f366b9fed2423e24df10542ee0dc5.zip
KVM: MTRR: remove MSR 0x2f8
MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support was introduced by 9ba075a664df ("KVM: MTRR support"). 0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, which made access to index 124 out of bounds. The surrounding code only WARNs in this situation, thus the guest gained a limited read/write access to struct kvm_arch_vcpu. 0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was not implemented in KVM, therefore 0x2f8 could never do anything useful and getting rid of it is safe. This fixes CVE-2016-3713. Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") Cc: stable@vger.kernel.org Reported-by: David Matlack <dmatlack@google.com> Signed-off-by: Andy Honig <ahonig@google.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r--arch/x86/kvm/mtrr.c2
1 files changed, 0 insertions, 2 deletions
diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
index 3f8c732117ec..c146f3c262c3 100644
--- a/arch/x86/kvm/mtrr.c
+++ b/arch/x86/kvm/mtrr.c
@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
case MSR_MTRRdefType:
case MSR_IA32_CR_PAT:
return true;
- case 0x2f8:
- return true;
}
return false;
}