[kernel/f19] CVE-2014-7842 kvm: reporting emulation failures to userspace (rhbz 1163762 1163767)

Josh Boyer jwboyer at fedoraproject.org
Thu Nov 13 13:24:48 UTC 2014


commit c071a5748cf3bca6e4cdefdb69253664a9344acc
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Thu Nov 13 08:23:19 2014 -0500

    CVE-2014-7842 kvm: reporting emulation failures to userspace (rhbz 1163762 1163767)

 ...-t-report-guest-userspace-emulation-error.patch |   37 ++++++++++++++++++++
 kernel.spec                                        |    9 +++++
 2 files changed, 46 insertions(+), 0 deletions(-)
---
diff --git a/KVM-x86-Don-t-report-guest-userspace-emulation-error.patch b/KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
new file mode 100644
index 0000000..3f0270c
--- /dev/null
+++ b/KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
@@ -0,0 +1,37 @@
+From eeb55bed9ae80e1e860a1451986ce2ee0e5e52a7 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit at cs.technion.ac.il>
+Date: Wed, 17 Sep 2014 02:50:50 +0300
+Subject: [PATCH] KVM: x86: Don't report guest userspace emulation error to
+ userspace
+
+Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to
+user-space") disabled the reporting of L2 (nested guest) emulation failures to
+userspace due to race-condition between a vmexit and the instruction emulator.
+The same rational applies also to userspace applications that are permitted by
+the guest OS to access MMIO area or perform PIO.
+
+This patch extends the current behavior - of injecting a #UD instead of
+reporting it to userspace - also for guest userspace code.
+
+Signed-off-by: Nadav Amit <namit at cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 9d292e8372d6..d6aeccf116fa 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5002,7 +5002,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
+ 
+ 	++vcpu->stat.insn_emulation_fail;
+ 	trace_kvm_emulate_insn_failed(vcpu);
+-	if (!is_guest_mode(vcpu)) {
++	if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) {
+ 		vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ 		vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+ 		vcpu->run->internal.ndata = 0;
+-- 
+1.9.3
+
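Review bot: The one-line change at the `if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0)` hunk narrows the KVM_EXIT_INTERNAL_ERROR path to emulation failures raised while the guest runs at CPL 0, so a failure triggered by guest user mode (CPL > 0) no longer reaches the host userspace exit and instead follows the same fallthrough that the earlier L2 change added; the three context lines shown end inside the `if` block, so the reviewer should confirm against the full function that the code after this block really is the #UD injection the description promises and not a silent return. Short-circuit evaluation keeps `get_cpl` from being called when `is_guest_mode` is true, so the nested-guest behaviour of fc3a9157d314 is unchanged. The embedded commit message reads "The same rational applies"; it should say "rationale", but as this is an imported upstream patch the text is best left identical to upstream commit eeb55bed9ae80e1e860a1451986ce2ee0e5e52a7 so the file stays byte-comparable with the source.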
diff --git a/kernel.spec b/kernel.spec
index 291d56d..132596f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -788,6 +788,9 @@ Patch26085: tracing-syscalls-Ignore-numbers-outside-NR_syscalls-.patch
 #CVE-2014-7841 rhbz 1163087 1163095
 Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
 
+#CVE-2014-7842 rhbz 1163762 1163767
+Patch26068: KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
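Review bot: The `Patch26068:` definition and its `#CVE-2014-7842 rhbz 1163762 1163767` comment follow the convention of the CVE-2014-7841 entry directly above, and the number slots between Patch26067 and the Patch26085 shown in the hunk header, so no renumbering is needed. For traceability it would help to add the upstream commit id from the patch header (eeb55bed9ae80e1e860a1451986ce2ee0e5e52a7) to the comment line, since the spec otherwise records only the CVE and Bugzilla numbers.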
@@ -1518,6 +1521,9 @@ ApplyPatch tracing-syscalls-Ignore-numbers-outside-NR_syscalls-.patch
 #CVE-2014-7841 rhbz 1163087 1163095
 ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
 
+#CVE-2014-7842 rhbz 1163762 1163767
+ApplyPatch KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
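Review bot: The `ApplyPatch KVM-x86-Don-t-report-guest-userspace-emulation-error.patch` line matches the filename in the Patch26068 definition exactly and is placed in the same relative position after the CVE-2014-7841 application, which keeps definition order and application order aligned. Because the patch file is new in this commit, the commit message would benefit from a note that it applies cleanly to the f19 tree, as nothing in this diff shows a build or prep run.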
@@ -2330,6 +2336,9 @@ fi
 # and build.
 
 %changelog
+* Thu Nov 13 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-7842 kvm: reporting emulation failures to userspace (rhbz 1163762 1163767)
+
 * Wed Nov 12 2014 Josh Boyer <jwboyer at fedoraproject.org>
 - CVE-2014-7841 sctp: NULL ptr deref on malformed packet (rhbz 1163087 1163095)
 
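Review bot: The new `%changelog` entry carries the commit date (Thu Nov 13 2014) and repeats the commit subject verbatim, matching the style of the Wed Nov 12 entry beneath it; like that entry it records no version-release in the header, so no release bump is visible in this diff, which is consistent with the existing entries but worth confirming against the package's release field before the build.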

