From 2504160e5bd89ad4878a349655e5afc3af6d22f8 Mon Sep 17 00:00:00 2001
From: Gleb Natapov <gleb@redhat.com>
Date: Wed, 10 Feb 2010 17:58:23 +0200
Subject: [PATCH 1/3] KVM: Don't check access permission when loading segment descriptors.

CPU can load segment descriptor from protected memory event when running in userspace.
Message-Id: <1265817504-5121-2-git-send-email-gleb@redhat.com>
CVE: CVE-2010-0419
Bugzilla: 563465
Acked-by: Avi Kivity <avi@redhat.com>
Acked-by: Marcelo Tosatti <mtosatti@redhat.com>
Acked-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
---
 arch/x86/kvm/x86.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index e709bc3..24e4bd5 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2564,7 +2564,7 @@ void kvm_report_emulation_failure(struct kvm_vcpu *vcpu, const char *context)
 EXPORT_SYMBOL_GPL(kvm_report_emulation_failure);
 
 static struct x86_emulate_ops emulate_ops = {
- .read_std = kvm_read_guest_virt,
+ .read_std = kvm_read_guest_virt_system,
 .fetch = kvm_fetch_guest_virt,
 .read_emulated = emulator_read_emulated,
 .write_emulated = emulator_write_emulated,
@@ -3764,7 +3764,8 @@ static int load_guest_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector,
 kvm_queue_exception_e(vcpu, GP_VECTOR, selector & 0xfffc);
 return 1;
 }
- return kvm_read_guest_virt(dtable.base + index*8, seg_desc, sizeof(*seg_desc), vcpu, NULL);
+ return kvm_read_guest_virt_system(dtable.base + index*8, seg_desc,
+ sizeof(*seg_desc), vcpu, NULL);
 }
 
 /* allowed just for 8 bytes segments */
-- 
1.6.3.rc4.29.g8146
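Review bot: The `.read_std` swap in the `emulate_ops` initializer reaches further than the commit title says: every emulator path that calls `read_std` now reads guest memory through `kvm_read_guest_virt_system`, not only segment-descriptor loads. The callers are not visible in this hunk, so it is worth confirming that `read_std` is used only for implicit system-structure reads and that ordinary operand reads made on behalf of guest userspace still go through a permission-checked path. A comment on the initializer, for example `/* read_std: implicit system accesses only, no access-permission check */`, would stop later users from routing user-mode data reads through it.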
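Review bot: In `load_guest_segment_descriptor` the switch to `kvm_read_guest_virt_system` carries no comment explaining why the access-permission check is skipped here, and the reason is only in the commit message. Something like `/* descriptor-table reads are implicit system accesses; allowed even when the guest runs in userspace */` above the `return` would record it. The function body starts outside the hunk, so the limit check that guards `dtable.base + index*8` is not visible and should be confirmed to run on every path before the unchecked read. The descriptor-write helper that follows the `/* allowed just for 8 bytes segments */` comment is untouched by this patch; if it still uses a permission-checked write, it would be inconsistent with the read path, though a later patch in this 3-part series may cover it.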