Hi Gianfranco,
On Wednesday 21 January 2015 14:28:53 Gianfranco Costamagna wrote:
> >most of the CVEs from that CPU (Oracle Critical Patch Update) are related to the experimental VMSVGA
> >implementation. This code is not documented and not announced and
> >regular users will not use it. Therefore I suggest you to just disable
> >that code by setting
> >
> > VBOX_WITH_VMSVGA=
> > VBOX_WITH_VMSVGA3D=
> >
> >This will automatically omit CVE-2014-6595, CVE-2014-6590, CVE-2014-6589,
> >CVE-2014-6588 and CVE-2015-0427. The actual patch to fix this code is a bit
> >lengthy, therefore disabling this code is IMO the best solution.
>
> I presume starting from version 4.0 everything needs to be patched by
> disabling it?
That code exists only in VBox 4.3.x; older branches are not affected.
> >CVE-2015-0418: VBox 4.3.x is not affected (only 4.2.x and older)
> >CVE-2015-0377: VBox 4.3.x is not affected (only 4.2.x and older)
>
> do you have any patch for <= 4.2.x then?
Attached.
> 4.0.10 4.1.12 4.1.18 4.3.10 4.3.14 4.3.18
These patches are against the latest code in the respective branches but
I hope they apply to these old versions. Sorry but it's not possible to
support such old versions, we only support the latest versions of a
specific branch.
> 4.3.20 (not affected at all I presume)
Correct, already contains fixes for all these problems.
Frank
--
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany
Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603
Geschäftsführer: Jürgen Kunz
Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Astrid Kepper, Val Maher
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===================================================================
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95342)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95343)
@@ -1290,7 +1290,13 @@
if (rc2 == VERR_SEM_BUSY)
return (uErrorCode & X86_TRAP_PF_RW) ? VINF_IOM_HC_MMIO_WRITE : VINF_IOM_HC_MMIO_READ;
#endif
- VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(&pVM->iom.s, GCPhysFault));
+ PIOMMMIORANGE pRange = iomMMIOGetRange(&pVM->iom.s, GCPhysFault);
+ if (RT_UNLIKELY(!pRange))
+ {
+ iomUnlock(pVM);
+ return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+ }
+ VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, pRange);
iomUnlock(pVM);
return VBOXSTRICTRC_VAL(rcStrict);
}
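Review bot: The new early return at `if (RT_UNLIKELY(!pRange))` carries no comment saying why the lookup can come back empty for a faulting address, and it repeats the unlock that the normal path performs two lines later, so the reason for the extra exit is not visible to a maintainer. I would put a comment above the check along the lines of `/* No MMIO range is registered for GCPhysFault (TODO confirm how this arises); fail the access rather than hand NULL to iomMMIOHandler. */`. The function starts outside the hunk, so it is worth confirming that its callers treat `VERR_IOM_MMIO_RANGE_NOT_FOUND` as a failed access rather than ignoring or retrying it, and that no other call site still passes the lookup result straight into `iomMMIOHandler`. The same applies to the IOMAllMMIO.cpp hunks at -1305, -1696 and -1705 in the other branch patches.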
Index: include/VBox/hwacc_vmx.h
===================================================================
--- include/VBox/hwacc_vmx.h (revision 96156)
+++ include/VBox/hwacc_vmx.h (revision 96157)
@@ -519,6 +519,12 @@
#define VMX_EXIT_WBINVD 54
/** 55 XSETBV. Guest software attempted to execute XSETBV. */
#define VMX_EXIT_XSETBV 55
+/** 57 RDRAND. Guest software attempted to execute RDRAND. */
+#define VMX_EXIT_RDRAND 57
+/** 58 INVPCID. Guest software attempted to execute INVPCID. */
+#define VMX_EXIT_INVPCID 58
+/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */
+#define VMX_EXIT_VMFUNC 59
/** @} */
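Review bot: `VMX_EXIT_RDRAND` is defined here but no hunk in this patch references it, and exit reason 56 is skipped without a comment, so a reader cannot tell whether 56 and 57 are deliberately left to whatever the exit switch does by default. A one-line comment such as `/* 56 is intentionally not defined here; 57 (RDRAND) is defined but not handled explicitly. */` would make that explicit, if that is the intent. The hwacc_vmx.h hunks at -525 (twice) and -550 in the other branch patches have the same gap.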
Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp
===================================================================
--- src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96156)
+++ src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96157)
@@ -4036,6 +4036,10 @@
case VMX_EXIT_VMWRITE: /* 25 Guest software executed VMWRITE. */
case VMX_EXIT_VMXOFF: /* 26 Guest software executed VMXOFF. */
case VMX_EXIT_VMXON: /* 27 Guest software executed VMXON. */
+ case VMX_EXIT_INVEPT: /* 50 Guest software executed INVEPT. */
+ case VMX_EXIT_INVVPID: /* 53 Guest software executed INVVPID. */
+ case VMX_EXIT_INVPCID: /* 58 Guest software executed INVPCID. */
+ case VMX_EXIT_VMFUNC: /* 59 Guest software executed VMFUNC. */
/** @todo inject #UD immediately */
rc = VERR_EM_INTERPRETER;
break;
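Review bot: The four added labels fall into the existing `/** @todo inject #UD immediately */` path and return `VERR_EM_INTERPRETER`, so the outcome depends on the instruction interpreter rejecting INVEPT, INVVPID, INVPCID and VMFUNC, which this hunk does not show. Because these exits are caused by instructions the guest executes, I would add a comment above the group, e.g. `/* Guest-executed VMX instructions: listed explicitly so they do not reach the default branch; the interpreter is expected to fail them. */`, and confirm what the default branch does for exit reasons that remain unlisted. The switch begins and ends outside the hunk. The same point applies to the HWVMXR0.cpp hunks at -4108, -4112 and -4799.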
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===================================================================
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95342)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95343)
@@ -1305,7 +1305,13 @@
if (rc2 == VERR_SEM_BUSY)
return VINF_IOM_HC_MMIO_READ_WRITE;
#endif
- VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(&pVM->iom.s, GCPhysFault));
+ PIOMMMIORANGE pRange = iomMMIOGetRange(&pVM->iom.s, GCPhysFault);
+ if (RT_UNLIKELY(!pRange))
+ {
+ iomUnlock(pVM);
+ return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+ }
+ VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, pRange);
iomUnlock(pVM);
return VBOXSTRICTRC_VAL(rcStrict);
}
Index: include/VBox/vmm/hwacc_vmx.h
===================================================================
--- include/VBox/vmm/hwacc_vmx.h (revision 96156)
+++ include/VBox/vmm/hwacc_vmx.h (revision 96157)
@@ -525,6 +525,12 @@
#define VMX_EXIT_WBINVD 54
/** 55 XSETBV. Guest software attempted to execute XSETBV. */
#define VMX_EXIT_XSETBV 55
+/** 57 RDRAND. Guest software attempted to execute RDRAND. */
+#define VMX_EXIT_RDRAND 57
+/** 58 INVPCID. Guest software attempted to execute INVPCID. */
+#define VMX_EXIT_INVPCID 58
+/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */
+#define VMX_EXIT_VMFUNC 59
/** @} */
Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp
===================================================================
--- src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96156)
+++ src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96157)
@@ -4108,6 +4108,10 @@
case VMX_EXIT_VMWRITE: /* 25 Guest software executed VMWRITE. */
case VMX_EXIT_VMXOFF: /* 26 Guest software executed VMXOFF. */
case VMX_EXIT_VMXON: /* 27 Guest software executed VMXON. */
+ case VMX_EXIT_INVEPT: /* 50 Guest software executed INVEPT. */
+ case VMX_EXIT_INVVPID: /* 53 Guest software executed INVVPID. */
+ case VMX_EXIT_INVPCID: /* 58 Guest software executed INVPCID. */
+ case VMX_EXIT_VMFUNC: /* 59 Guest software executed VMFUNC. */
/** @todo inject #UD immediately */
rc = VERR_EM_INTERPRETER;
break;
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===================================================================
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95342)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95343)
@@ -1696,7 +1696,14 @@
if (rc2 == VERR_SEM_BUSY)
return VINF_IOM_HC_MMIO_READ_WRITE;
#endif
- VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, iomMmioGetRange(pVM, GCPhysFault));
+ PIOMMMIORANGE pRange = iomMmioGetRange(pVM, GCPhysFault);
+ if (RT_UNLIKELY(!pRange))
+ {
+ IOM_UNLOCK(pVM);
+ return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+ }
+
+ VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, pRange);
IOM_UNLOCK(pVM);
return VBOXSTRICTRC_VAL(rcStrict);
}
Index: include/VBox/vmm/hwacc_vmx.h
===================================================================
--- include/VBox/vmm/hwacc_vmx.h (revision 96156)
+++ include/VBox/vmm/hwacc_vmx.h (revision 96157)
@@ -525,6 +525,12 @@
#define VMX_EXIT_WBINVD 54
/** 55 XSETBV. Guest software attempted to execute XSETBV. */
#define VMX_EXIT_XSETBV 55
+/** 57 RDRAND. Guest software attempted to execute RDRAND. */
+#define VMX_EXIT_RDRAND 57
+/** 58 INVPCID. Guest software attempted to execute INVPCID. */
+#define VMX_EXIT_INVPCID 58
+/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */
+#define VMX_EXIT_VMFUNC 59
/** @} */
Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp
===================================================================
--- src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96156)
+++ src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96157)
@@ -4112,6 +4112,10 @@
case VMX_EXIT_VMWRITE: /* 25 Guest software executed VMWRITE. */
case VMX_EXIT_VMXOFF: /* 26 Guest software executed VMXOFF. */
case VMX_EXIT_VMXON: /* 27 Guest software executed VMXON. */
+ case VMX_EXIT_INVEPT: /* 50 Guest software executed INVEPT. */
+ case VMX_EXIT_INVVPID: /* 53 Guest software executed INVVPID. */
+ case VMX_EXIT_INVPCID: /* 58 Guest software executed INVPCID. */
+ case VMX_EXIT_VMFUNC: /* 59 Guest software executed VMFUNC. */
/** @todo inject #UD immediately */
rc = VERR_EM_INTERPRETER;
break;
Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp
===================================================================
--- src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95341)
+++ src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95342)
@@ -1705,7 +1705,14 @@
if (rc2 == VERR_SEM_BUSY)
return VINF_IOM_R3_MMIO_READ_WRITE;
#endif
- VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, iomMmioGetRange(pVM, GCPhysFault));
+ PIOMMMIORANGE pRange = iomMmioGetRange(pVM, GCPhysFault);
+ if (RT_UNLIKELY(!pRange))
+ {
+ IOM_UNLOCK(pVM);
+ return VERR_IOM_MMIO_RANGE_NOT_FOUND;
+ }
+
+ VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, pRange);
IOM_UNLOCK(pVM);
return VBOXSTRICTRC_VAL(rcStrict);
}
Index: include/VBox/vmm/hwacc_vmx.h
===================================================================
--- include/VBox/vmm/hwacc_vmx.h (revision 96120)
+++ include/VBox/vmm/hwacc_vmx.h (revision 96121)
@@ -550,6 +550,12 @@
#define VMX_EXIT_WBINVD 54
/** 55 XSETBV. Guest software attempted to execute XSETBV. */
#define VMX_EXIT_XSETBV 55
+/** 57 RDRAND. Guest software attempted to execute RDRAND. */
+#define VMX_EXIT_RDRAND 57
+/** 58 INVPCID. Guest software attempted to execute INVPCID. */
+#define VMX_EXIT_INVPCID 58
+/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */
+#define VMX_EXIT_VMFUNC 59
/** @} */
Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp
===================================================================
--- src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96120)
+++ src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96121)
@@ -4799,6 +4799,10 @@
case VMX_EXIT_VMWRITE: /* 25 Guest software executed VMWRITE. */
case VMX_EXIT_VMXOFF: /* 26 Guest software executed VMXOFF. */
case VMX_EXIT_VMXON: /* 27 Guest software executed VMXON. */
+ case VMX_EXIT_INVEPT: /* 50 Guest software executed INVEPT. */
+ case VMX_EXIT_INVVPID: /* 53 Guest software executed INVVPID. */
+ case VMX_EXIT_INVPCID: /* 58 Guest software executed INVPCID. */
+ case VMX_EXIT_VMFUNC: /* 59 Guest software executed VMFUNC. */
/** @todo inject #UD immediately */
rc = VERR_EM_INTERPRETER;
break;