• Paolo Bonzini's avatar
    KVM: x86: fix emulation of "MOV SS, null selector" · 33ab9110
    Paolo Bonzini authored
    This is CVE-2017-2583.  On Intel this causes a failed vmentry because
    SS's type is neither 3 nor 7 (even though the manual says this check is
    only done for usable SS, and the dmesg splat says that SS is unusable!).
    On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.
    
    The fix fabricates a data segment descriptor when SS is set to a null
    selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
    Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
    this in turn ensures CPL < 3 because RPL must be equal to CPL.
    
    Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
    the bug and deciphering the manuals.
    Reported-by: default avatarXiaohan Zhang <zhangxiaohan1@huawei.com>
    Fixes: 79d5b4c3
    Cc: stable@nongnu.org
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    33ab9110
emulate.c 146 KB