Commit 3a4cfe96 authored by Peter Shier's avatar Peter Shier Committed by Stefan Bader

KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)

Bugzilla: 1671904

There are multiple code paths where an hrtimer may have been started to
emulate an L1 VMX preemption timer that can result in a call to free_nested
without an intervening L2 exit where the hrtimer is normally
cancelled. Unconditionally cancel in free_nested to cover all cases.

Embargoed until Feb 7th 2019.
Signed-off-by: default avatarPeter Shier <pshier@google.com>
Reported-by: default avatarJim Mattson <jmattson@google.com>
Reviewed-by: default avatarJim Mattson <jmattson@google.com>
Reported-by: default avatarFelix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Message-Id: <20181011184646.154065-1-pshier@google.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>

CVE-2019-7221

(backported from commit ecec7688)
[tyhicks: Backport to 4.4:
 - free_nested() is in arch/x86/kvm/vmx.c
 - Minor contextual changes]
Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
Acked-by: default avatarMarcelo Henrique Cerri <marcelo.cerri@canonical.com>
Acked-by: default avatarKleber Souza <kleber.souza@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent a5ab474f
...@@ -7158,6 +7158,7 @@ static void free_nested(struct vcpu_vmx *vmx) ...@@ -7158,6 +7158,7 @@ static void free_nested(struct vcpu_vmx *vmx)
if (!vmx->nested.vmxon) if (!vmx->nested.vmxon)
return; return;
hrtimer_cancel(&vmx->nested.preemption_timer);
vmx->nested.vmxon = false; vmx->nested.vmxon = false;
free_vpid(vmx->nested.vpid02); free_vpid(vmx->nested.vpid02);
nested_release_vmcs12(vmx); nested_release_vmcs12(vmx);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment