diff options
| author | Gleb Natapov <gleb@redhat.com> | 2010-11-10 12:08:12 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-12-09 13:26:47 -0800 |
| commit | 370c6b5200b04645ab1b00bad931ae899cd55471 (patch) | |
| tree | dcadfd9c4e6526cb776f8b68bfeb01503b591d84 /arch/x86 | |
| parent | 004e147bd32cda45140354ace87f55abed3b82cb (diff) | |
KVM: VMX: fix vmx null pointer dereference on debug register access
There is a bug in KVM that can be used to crash a host on Intel
machines. If emulator is tricked into emulating mov to/from DR instruction
it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
are not initialized. Recently this is not exploitable from guest
userspace, but malicious guest kernel can trigger it easily.
CVE-2010-0435
On upstream bug was fixed differently around 2.6.34.
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'arch/x86')
| -rw-r--r-- | arch/x86/kvm/x86.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 724a6ad08643..0990f0a459d6 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -2782,6 +2782,9 @@ int emulator_get_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long *dest) { struct kvm_vcpu *vcpu = ctxt->vcpu; + if (!kvm_x86_ops->get_dr) + return X86EMUL_UNHANDLEABLE; + switch (dr) { case 0 ... 3: *dest = kvm_x86_ops->get_dr(vcpu, dr); @@ -2797,6 +2800,9 @@ int emulator_set_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long value) unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U; int exception; + if (!kvm_x86_ops->set_dr) + return X86EMUL_UNHANDLEABLE; + kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception); if (exception) { /* FIXME: better handling */ |