This bug was fixed in the package linux - 3.13.0-119.166
---------------
linux (3.13.0-119.166) trusty; urgency=low

  * linux: 3.13.0-119.166 -proposed tracker (LP: #1687718)

  * CVE-2016-8645: Linux kernel mishandles socket buffer (skb) truncation
    (LP: #1687107)
    - rose: limit sk_filter trim to payload
    - tcp: take care of truncations done by sk_filter()

linux (3.13.0-118.165) trusty; urgency=low

  * linux: 3.13.0-118.165 -proposed tracker (LP: #1686154)

  * linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in
    handle_invept() (LP: #1678676)
    - SAUCE: KVM has a flaw in INVEPT emulation that could crash the host

  * Please backport fix to reference leak in cgroup blkio throttle
    (LP: #1683976)
    - block: fix module reference leak on put_disk() call for cgroups throttle

 -- Thadeu Lima de Souza Cascardo <[email protected]>  Tue, 02 May 2017 15:14:50 -0300
** Changed in: linux (Ubuntu Trusty)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-8645
https://bugs.launchpad.net/bugs/1678676
Title:
linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in
handle_invept()
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Trusty:
Fix Released
Bug description:
KVM in linux 3.11 - 3.14 (including ubuntu 14.04 linux <= 3.13.0-113.160) has a
flaw in INVEPT emulation that could crash the host.
[ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
[ 1046.387386] IP: [<ffffffffa05b3ca3>] handle_invept+0x123/0x170 [kvm_intel]
[ 1046.389577] PGD 0
[ 1046.390273] Oops: 0000 [#1] SMP
(tested with Ubuntu 14.04 linux-image-3.13.0-113-generic)
The host KVM touches NULL pointer (vmx->nested.current_vmcs12) when a
(crafted or buggy) guest issues a single-context INVEPT instruction
*without* VMPTRLD like this:
kvm_cpu_vmxon(phys_addr);
ept_sync_context(0);
(requires nested EPT; full linux kernel module code attached)
This code is introduced in upstream commit
bfd0a56b90005f8c8a004baf407ad90045c2b11e
(nEPT: Nested INVEPT) and removed in 4b855078601fc422dbac3059f2215e776f49780f
(KVM: nVMX: Don't advertise single context invalidation for invept).
Therefore there should be two ways to fix this.
a. pullup bfd0a56b90005f (and 45e11817d5703e)
b. check current_vmcs12 before accessing for minimal fix:
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d9e567f..d785e9c 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6391,6 +6391,8 @@ static int handle_invept(struct kvm_vcpu *vcpu)
switch (type) {
case VMX_EPT_EXTENT_CONTEXT:
+ if (to_vmx(vcpu)->nested.current_vmptr == -1ull)
+ break;
if ((operand.eptp & eptp_mask) !=
(nested_ept_get_cr3(vcpu) & eptp_mask))
break;
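Review bot: the new check on VMX_EPT_EXTENT_CONTEXT tests nested.current_vmptr == -1ull, while the pointer that actually faults (per the description and the Oops at handle_invept+0x123) is nested.current_vmcs12; the fix therefore relies on the VMPTRLD/VMCLEAR paths always setting and clearing those two fields together. Either test the pointer that is dereferenced, e.g. `if (!to_vmx(vcpu)->nested.current_vmcs12) break;`, or add a comment above the check stating that invariant so a later change to one field does not silently reopen the crash. The bare `break` also deserves a one-line comment on the intended guest-visible outcome: with no current VMCS12 there is no nested EPT context to flush, so skipping is correct, but from the hunk alone a reader cannot tell whether the INVEPT is then reported to L1 as succeeded or just dropped.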
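The trigger and the one-line fix above can be walked through without a hypervisor. The following is an added userspace model, not code from vmx.c or from the reporter's attached module: the field names follow the 3.13 source the report quotes (nested.current_vmptr, nested.current_vmcs12, nested_ept_get_cr3 reading the VMCS12's EPT pointer), but the struct layout, the EPTP compare mask, the result codes and the sample EPTP values are assumptions made here. The unfixed path returns a sentinel where the kernel would dereference NULL; the fixed path shows why the current_vmptr check is enough only because VMPTRLD and VMCLEAR emulation keep the two fields in step.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Added example (not kernel code): constants and layout are assumed. */
#define VMX_EPT_EXTENT_CONTEXT 1
#define VMX_EPT_EXTENT_GLOBAL  2
#define EPTP_MASK (~0xfffULL)   /* assumed: compare only the EPTP page frame */

struct vmcs12 {
	uint64_t ept_pointer;          /* EPTP L1 gave L2; what nested_ept_get_cr3 returns */
};

struct nested_vmx {
	uint64_t current_vmptr;        /* -1ull when no VMCS12 is current */
	struct vmcs12 *current_vmcs12; /* NULL when no VMCS12 is current */
	unsigned long flushes;         /* emulated EPT invalidations performed */
};

enum invept_result {
	INVEPT_FLUSHED,           /* roots synced, TLB flushed */
	INVEPT_IGNORED_MISMATCH,  /* operand EPTP is not the current VMCS12's */
	INVEPT_IGNORED_NO_VMCS,   /* fixed path: nothing loaded, nothing to flush */
	INVEPT_NULL_DEREF,        /* unfixed path: the Oops in the report */
	INVEPT_BAD_TYPE           /* kernel BUG_ON()s here; type is validated earlier */
};

/* State right after the guest's VMXON: no VMCS12 has been loaded yet. */
void nested_init(struct nested_vmx *n)
{
	n->current_vmptr = -1ull;
	n->current_vmcs12 = NULL;
	n->flushes = 0;
}

/* VMPTRLD emulation sets both bookkeeping fields together. */
void nested_vmptrld(struct nested_vmx *n, uint64_t vmptr, struct vmcs12 *v)
{
	n->current_vmptr = vmptr;
	n->current_vmcs12 = v;
}

/* VMCLEAR / VMXOFF (nested_release_vmcs12) clears both together. */
void nested_release(struct nested_vmx *n)
{
	n->current_vmptr = -1ull;
	n->current_vmcs12 = NULL;
}

/* The invariant the one-line fix depends on. */
int nested_state_consistent(const struct nested_vmx *n)
{
	return (n->current_vmptr == -1ull) == (n->current_vmcs12 == NULL);
}

/*
 * Model of handle_invept()'s switch.  with_fix selects whether the
 * current_vmptr check from the report is present.  The unfixed path returns
 * INVEPT_NULL_DEREF instead of really reading through a NULL VMCS12.
 */
enum invept_result handle_invept_model(struct nested_vmx *n, int type,
				       uint64_t operand_eptp, int with_fix)
{
	switch (type) {
	case VMX_EPT_EXTENT_CONTEXT:
		if (with_fix && n->current_vmptr == -1ull)
			return INVEPT_IGNORED_NO_VMCS;
		if (n->current_vmcs12 == NULL)
			return INVEPT_NULL_DEREF; /* nested_ept_get_cr3() on NULL */
		if ((operand_eptp & EPTP_MASK) !=
		    (n->current_vmcs12->ept_pointer & EPTP_MASK))
			return INVEPT_IGNORED_MISMATCH;
		/* fall through: a matching context is flushed like a global one */
	case VMX_EPT_EXTENT_GLOBAL:
		n->flushes++;
		return INVEPT_FLUSHED;
	default:
		return INVEPT_BAD_TYPE;
	}
}

int main(void)
{
	struct nested_vmx n;
	struct vmcs12 v = { .ept_pointer = 0x1234000ULL | 0x1e }; /* constructed */

	nested_init(&n);
	/* The report's trigger: single-context INVEPT straight after VMXON. */
	printf("unfixed, no VMPTRLD: %d\n",
	       handle_invept_model(&n, VMX_EPT_EXTENT_CONTEXT, 0, 0));
	printf("fixed, no VMPTRLD:   %d\n",
	       handle_invept_model(&n, VMX_EPT_EXTENT_CONTEXT, 0, 1));
	nested_vmptrld(&n, 0x5000, &v);
	printf("fixed, after VMPTRLD: %d\n",
	       handle_invept_model(&n, VMX_EPT_EXTENT_CONTEXT, v.ept_pointer, 1));
	return 0;
}
```

The model keeps the kernel's fall-through from the single-context case into the global-flush case, so a matching EPTP and a global INVEPT are counted the same way; the point of interest is the first call in main(), which is the exact sequence (VMXON, then ept_sync_context without VMPTRLD) that the reporter's module uses.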