    KVM: VMX: remove I/O port 0x80 bypass on Intel hosts · d59d51f0
    Andrew Honig authored
    This fixes CVE-2017-1000407.
    
    KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
    the guest floods this port with writes it generates exceptions and
    instability in the host kernel, leading to a crash.  With this change
    guest writes to port 0x80 on Intel will behave the same as they
    currently behave on AMD systems.
    
    Prevent the flooding by removing the code that sets port 0x80 as a
    passthrough port.  This is essentially the same as upstream patch
    99f85a28, except that patch was
    for AMD chipsets and this patch is for Intel.
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Jim Mattson <jmattson@google.com>
    Fixes: fdef3ad1 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
vmx.c 347 KB
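
The commit message above turns on how VMX I/O bitmaps decide whether a guest port access traps to the hypervisor. The following is an added example, not code from this commit or from vmx.c: a simplified model of the two 4 KB bitmaps plus an audit that lists every port a guest could reach without a VM exit. The struct and function names are hypothetical, and the "before" state (everything intercepted except port 0x80) is an assumption drawn from the message's description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_BITMAP_BYTES 4096u

/* Model of the VMX I/O bitmaps (hypothetical struct, not the kernel's):
 * bitmap A covers ports 0x0000-0x7FFF, bitmap B covers 0x8000-0xFFFF.
 * Bit set = guest access causes a VM exit; bit clear = passthrough. */
struct io_bitmaps { uint8_t a[IO_BITMAP_BYTES]; uint8_t b[IO_BITMAP_BYTES]; };

static void bitmaps_intercept_all(struct io_bitmaps *bm)
{
    memset(bm->a, 0xff, sizeof bm->a);
    memset(bm->b, 0xff, sizeof bm->b);
}

/* Clear one port's bit: the kind of bypass the commit message says it removes. */
static void bitmaps_pass_through(struct io_bitmaps *bm, uint16_t port)
{
    uint8_t *page = (port < 0x8000) ? bm->a : bm->b;
    unsigned bit = port & 0x7fff;
    page[bit / 8] &= (uint8_t)~(1u << (bit % 8));
}

static int port_is_intercepted(const struct io_bitmaps *bm, uint16_t port)
{
    const uint8_t *page = (port < 0x8000) ? bm->a : bm->b;
    unsigned bit = port & 0x7fff;
    return (page[bit / 8] >> (bit % 8)) & 1;
}

/* Audit: store up to max passthrough ports in out, return how many exist. */
static unsigned find_passthrough_ports(const struct io_bitmaps *bm,
                                       uint16_t *out, unsigned max)
{
    unsigned n = 0;
    for (uint32_t p = 0; p <= 0xffff; p++) {
        if (port_is_intercepted(bm, (uint16_t)p))
            continue;
        if (n < max)
            out[n] = (uint16_t)p;
        n++;
    }
    return n;
}

int main(void)
{
    static struct io_bitmaps bm;
    uint16_t hits[8];

    bitmaps_intercept_all(&bm);
    bitmaps_pass_through(&bm, 0x80);   /* assumed pre-fix state */
    printf("before: %u passthrough port(s)\n", find_passthrough_ports(&bm, hits, 8));
    bitmaps_intercept_all(&bm);        /* post-fix: no bypass */
    printf("after:  %u passthrough port(s)\n", find_passthrough_ports(&bm, hits, 8));
    return 0;
}
```

An audit like this is only meaningful when the hypervisor actually uses the bitmaps; any port it reports is reachable by the guest without the host seeing the access.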