Hi, attached is a debdiff of the changes I made for the 85+dfsg-4.1 2-day NMU.
Cheers, Giuseppe.
reverted:
--- kvm-85+dfsg/.gitignore
+++ kvm-85+dfsg.orig/.gitignore
@@ -15,19 +15,6 @@
 qemu/qemu-nbd
 *.ko
 *.mod.c
-kernel/kvm_main.c
-kernel/kvm.h
-kernel/kvm_svm.h
-kernel/vmx.[ch]
-kernel/svm.[ch]
-kernel/mmu.c
-kernel/paging_tmpl.h
-kernel/segment_descriptor.h
-kernel/x86_emulate.[ch]
-kernel/include/linux/kvm*.h
-kernel/Module.symvers
-kernel/Modules.symvers
-kernel/.tmp_versions
 bios/*.bin
 bios/*.sym
 bios/*.txt
@@ -37,27 +24,43 @@
 extboot/extboot.bin
 extboot/extboot.img
 extboot/signrom
+kernel/config.kbuild
+kernel/modules.order
+kernel/Module.symvers
+kernel/Modules.symvers
 kernel/Module.markers
+kernel/.tmp_versions
-kernel/i825[49].[ch]
 kernel/include-compat/asm
 kernel/include-compat/asm-x86/asm-x86
 kernel/include
+kernel/x86/modules.order
+kernel/x86/i825[49].[ch]
+kernel/x86/kvm_main.c
+kernel/x86/kvm_svm.h
+kernel/x86/vmx.[ch]
+kernel/x86/svm.[ch]
+kernel/x86/mmu.[ch]
+kernel/x86/paging_tmpl.h
+kernel/x86/x86_emulate.[ch]
+kernel/x86/ioapic.[ch]
+kernel/x86/iodev.h
+kernel/x86/irq.[ch]
+kernel/x86/kvm_trace.c
+kernel/x86/lapic.[ch]
+kernel/x86/tss.h
+kernel/x86/x86.[ch]
+kernel/x86/coalesced_mmio.[ch]
+kernel/x86/kvm_cache_regs.h
+kernel/x86/vtd.c
+kernel/x86/irq_comm.c
+kernel/x86/timer.c
+kernel/x86/kvm_timer.h
+kernel/x86/iommu.c
-kernel/ioapic.[ch]
-kernel/iodev.h
-kernel/irq.[ch]
-kernel/kvm_trace.c
-kernel/lapic.[ch]
-kernel/mmu.h
-kernel/modules.order
-kernel/tss.h
-kernel/x86.[ch]
-kernel/coalesced_mmio.c
-kernel/coalesced_mmio.h
-kernel/kvm_cache_regs.h
 qemu/pc-bios/extboot.bin
 qemu/qemu-doc.html
 qemu/*.[18]
 qemu/*.pod
 qemu/qemu-tech.html
+qemu/qemu-options.texi
 user/kvmtrace
 user/test/x86/bootstrap
diff -u kvm-85+dfsg/debian/changelog kvm-85+dfsg/debian/changelog
--- kvm-85+dfsg/debian/changelog
+++ kvm-85+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+kvm (85+dfsg-4.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing Security Team.
+ * Considers hypercalls valid only if issued from guest ring 0 (CVE-2009-3290)
+ Thanks to Dann Frazier (Closes: 548975)
+
+ -- Giuseppe Iuculano <iucul...@debian.org> Fri, 09 Oct 2009 19:07:06 +0200
+
 kvm (85+dfsg-4) unstable; urgency=low

 * upload to unstanble
diff -u kvm-85+dfsg/debian/patches/series kvm-85+dfsg/debian/patches/series
--- kvm-85+dfsg/debian/patches/series
+++ kvm-85+dfsg/debian/patches/series
@@ -10,0 +11 @@
+security/CVE-2009-3290.patch
only in patch2: unchanged:
--- kvm-85+dfsg.orig/debian/patches/security/CVE-2009-3290.patch
+++ kvm-85+dfsg/debian/patches/security/CVE-2009-3290.patch
@@ -0,0 +1,32 @@
+--- a/kernel/include/linux/kvm_para.h
++++ b/kernel/include/linux/kvm_para.h
+@@ -53,6 +53,7 @@
+ #define KVM_ENOSYS 1000
+ #define KVM_EFAULT EFAULT
+ #define KVM_E2BIG E2BIG
++#define KVM_EPERM EPERM
+
+ #define KVM_HC_VAPIC_POLL_IRQ 1
+ #define KVM_HC_MMU_OP 2
+--- a/kernel/x86/x86.c
++++ b/kernel/x86/x86.c
+@@ -2873,6 +2873,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ a3 &= 0xFFFFFFFF;
+ }
+
++ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++ ret = -KVM_EPERM;
++ goto out;
++ }
++
+ switch (nr) {
+ case KVM_HC_VAPIC_POLL_IRQ:
+ ret = 0;
+@@ -2884,6 +2889,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
++out:
+ kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
+ ++vcpu->stat.hypercalls;
+ return r;
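Review bot: The ring-0 check added to kvm_emulate_hypercall in CVE-2009-3290.patch has no comment saying why a non-zero CPL is refused, so a later refactor could move it below `switch (nr)` without noticing that it must run before any hypercall is dispatched; I would add `/* Hypercalls are privileged: refuse callers outside guest ring 0 (CVE-2009-3290). */` above `if (kvm_x86_ops->get_cpl(vcpu) != 0) {`. The refused call jumps to `out:`, which sits above `++vcpu->stat.hypercalls;`, so denied attempts from guest userspace are counted together with legitimate hypercalls and cannot be told apart from the host side; that may be intended, but it is worth stating in the comment. The patch also assumes `get_cpl` is populated in `kvm_x86_ops` for both vendor backends of this source tree, which the hunk does not show and should be confirmed before upload. The function's body starts and ends outside the two inner hunks.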