dann frazier
2009-Sep-29 23:09 UTC
[Secure-testing-team] Bug#548975: kvm-source: allows MMU hypercalls from ring > 0
Package: kvm-source Version: 85+dfsg-4 Severity: critical Tags: patch security Justification: potential privilege escalation Upstream patch: http://git.kernel.org/?p=virt/kvm/kvm.git;a=commitdiff;h=07708c4af1346ab1521b26a202f438366b7bcffd Please mention CVE-2009-3290 in your changelog.
diff -urpN kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch kvm-85+dfsg/debian/patches/CVE-2009-3290.patch
--- kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch 1969-12-31 17:00:00.000000000 -0700
+++ kvm-85+dfsg/debian/patches/CVE-2009-3290.patch 2009-09-29 17:05:38.000000000 -0600
@@ -0,0 +1,34 @@
+diff -urpN kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h kvm-85+dfsg/kernel/include/linux/kvm_para.h
+--- kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h 2009-04-21 04:04:03.000000000 -0600
++++ kvm-85+dfsg/kernel/include/linux/kvm_para.h 2009-09-29 17:04:54.000000000 -0600
+@@ -53,6 +53,7 @@
+ #define KVM_ENOSYS 1000
+ #define KVM_EFAULT EFAULT
+ #define KVM_E2BIG E2BIG
++#define KVM_EPERM EPERM
+ 
+ #define KVM_HC_VAPIC_POLL_IRQ 1
+ #define KVM_HC_MMU_OP 2
+diff -urpN kvm-85+dfsg.orig/kernel/x86/x86.c kvm-85+dfsg/kernel/x86/x86.c
+--- kvm-85+dfsg.orig/kernel/x86/x86.c 2009-04-21 04:04:13.000000000 -0600
++++ kvm-85+dfsg/kernel/x86/x86.c 2009-09-29 17:05:01.000000000 -0600
+@@ -2873,6 +2873,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ a3 &= 0xFFFFFFFF;
+ }
+ 
++ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++ ret = -KVM_EPERM;
++ goto out;
++ }
++ 
+ switch (nr) {
+ case KVM_HC_VAPIC_POLL_IRQ:
+ ret = 0;
+@@ -2884,6 +2889,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
++out:
+ kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
+ ++vcpu->stat.hypercalls;
+ return r;
diff -urpN kvm-85+dfsg.orig/debian/patches/series kvm-85+dfsg/debian/patches/series
--- kvm-85+dfsg.orig/debian/patches/series 2009-09-29 17:04:12.000000000 -0600
+++ kvm-85+dfsg/debian/patches/series 2009-09-29 17:05:53.000000000 -0600
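Review bot: The new CPL guard in kvm_emulate_hypercall jumps to `out:` and then executes `return r;`, but neither x86.c hunk shows where `r` is assigned; the function's opening (and any `int r` initialisation) lies before the first hunk, so confirm `r` already holds the "resume guest" value at the point of the guard, otherwise a refused hypercall returns an indeterminate exit code to the caller. The guard is also the right place for a why-comment, since nothing in the code states which privilege boundary is being enforced: `/* Hypercalls are a ring-0 guest interface; refuse them from CPL > 0 (CVE-2009-3290). */`. Note that a refused call still reaches `++vcpu->stat.hypercalls;` on the `out:` path, so the existing counter cannot distinguish refused from serviced hypercalls; if that visibility matters for monitoring, increment the stat only after the switch or add a separate counter. The closing brace of kvm_emulate_hypercall is outside the second hunk as well.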
@@ -8,3 +8,4 @@ from-debian-qemu/62_linux_boot_nasm.patc
 security/leftover.patch
 qemu-ifup_head.patch
 readd_drive_boot_parameter_help.patch
+CVE-2009-3290.patch