authorNicolai Stange <nstange@suse.de>2018-06-15 16:26:39 +0200
committerMiroslav Benes <mbenes@suse.cz>2018-06-21 13:35:06 +0200
commita208a167836d8ec4a009ca75c9da4eab01ff04f1 (patch)
tree613c8518cae26a5a63bb18130fcccfcc5e096388
parent58fddd5116b88802afb88ae66a6cd03998c79595 (diff)
Fix CVE-2018-3665 ("kvm: Lazy FP Save/Restore")
Live patch for CVE-2018-3665. Upstream commit 653f52c316a4 ("kvm,x86: load guest FPU context more eagerly"). KLP: CVE-2018-3665 References: bsc#1096740 CVE-2018-3665 Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Miroslav Benes <mbenes@suse.cz>
-rw-r--r--bsc1096740/kgr_patch_bsc1096740.c184
-rw-r--r--bsc1096740/kgr_patch_bsc1096740.h26
2 files changed, 210 insertions, 0 deletions
diff --git a/bsc1096740/kgr_patch_bsc1096740.c b/bsc1096740/kgr_patch_bsc1096740.c
new file mode 100644
index 0000000..6a1fc8b
--- /dev/null
+++ b/bsc1096740/kgr_patch_bsc1096740.c
@@ -0,0 +1,184 @@
+/*
+ * kgraft_patch_bsc1096740
+ *
+ * Fix for CVE-2018-3665 (kvm part), bsc#1096740
+ *
+ * Upstream commits:
+ * bd7e5b0899a4 ("KVM: x86: remove code for lazy FPU handling")
+ * 653f52c316a4 ("kvm,x86: load guest FPU context more eagerly")
+ *
+ * SLE12 commit:
+ * none yet
+ *
+ * SLE12-SP1 commit
+ * none yet
+ *
+ * SLE12-SP2 commit:
+ * fb1f44bc78388742a4272d5a9c02e1019d7d43a1
+ *
+ * SLE12-SP3 commit:
+ * a934f503889292cca7abf6732954b2b03b3b8079
+ *
+ * Copyright (c) 2018 SUSE
+ * Author: Nicolai Stange <nstange@suse.de>
+ *
+ * Based on the original Linux kernel code. Other copyrights apply.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#if IS_ENABLED(CONFIG_X86_64) && IS_ENABLED(CONFIG_KVM)
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/kallsyms.h>
+#include <linux/tracepoint.h>
+#include <linux/kvm_host.h>
+#include <asm/fpu/internal.h>
+#include "kgr_patch_bsc1096740.h"
+
+#if !IS_MODULE(CONFIG_KVM)
+#error "Live patch supports only CONFIG_KVM=m"
+#endif
+
+#define KGR_PATCHED_MODULE "kvm"
+
+
+#define __KGR_DECLARE_TRACE(name, proto, args, cond, data_proto, data_args) \
+ static struct tracepoint *kgr__tracepoint_##name; \
+ static inline void kgr_trace_##name(proto) \
+ { \
+ if (unlikely(static_key_enabled(&kgr__tracepoint_##name->key))) \
+ __DO_TRACE(kgr__tracepoint_##name, \
+ TP_PROTO(data_proto), \
+ TP_ARGS(data_args), \
+ TP_CONDITION(cond),,); \
+ if (IS_ENABLED(CONFIG_LOCKDEP) && (cond)) { \
+ rcu_read_lock_sched_notrace(); \
+ rcu_dereference_sched(kgr__tracepoint_##name->funcs); \
+ rcu_read_unlock_sched_notrace(); \
+ } \
+ } \
+
+#define KGR_DECLARE_TRACE(name, proto, args) \
+ __KGR_DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \
+ cpu_online(raw_smp_processor_id()), \
+ PARAMS(void *__data, proto), \
+ PARAMS(__data, args))
+
+#define KGR_TRACE_EVENT(name, proto, args) \
+ KGR_DECLARE_TRACE(name, PARAMS(proto), PARAMS(args))
+
+
+/* see include/trace/events/kvm.h */
+KGR_TRACE_EVENT(kvm_fpu,
+ TP_PROTO(int load),
+ TP_ARGS(load)
+);
+
+
+static struct {
+ char *name;
+ void **addr;
+} kgr_funcs[] = {
+ { "kvm:__tracepoint_kvm_fpu", (void *)&kgr__tracepoint_kvm_fpu },
+};
+
+
+
+/* patched */
+void kgr_kvm_put_guest_fpu(struct kvm_vcpu *vcpu)
+{
+ if (!vcpu->guest_fpu_loaded) {
+ vcpu->fpu_counter = 0;
+ return;
+ }
+
+ vcpu->guest_fpu_loaded = 0;
+ copy_fpregs_to_fpstate(&vcpu->arch.guest_fpu);
+ __kernel_fpu_end();
+ ++vcpu->stat.fpu_reload;
+ /*
+ * Fix CVE-2018-3665
+ * -10 lines
+ */
+ kgr_trace_kvm_fpu(0);
+}
+
+
+
+static int kgr_patch_bsc1096740_kallsyms(void)
+{
+ unsigned long addr;
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(kgr_funcs); i++) {
+ /* mod_find_symname would be nice, but it is not exported */
+ addr = kallsyms_lookup_name(kgr_funcs[i].name);
+ if (!addr) {
+ pr_err("kgraft-patch: symbol %s not resolved\n",
+ kgr_funcs[i].name);
+ return -ENOENT;
+ }
+
+ *(kgr_funcs[i].addr) = (void *)addr;
+ }
+
+ return 0;
+}
+
+static int kgr_patch_bsc1096740_module_notify(struct notifier_block *nb,
+ unsigned long action, void *data)
+{
+ struct module *mod = data;
+ int ret;
+
+ if (action != MODULE_STATE_COMING || strcmp(mod->name, KGR_PATCHED_MODULE))
+ return 0;
+
+ ret = kgr_patch_bsc1096740_kallsyms();
+ WARN(ret, "kgraft-patch: delayed kallsyms lookup failed. System is broken and can crash.\n");
+
+ return ret;
+ }
+
+static struct notifier_block kgr_patch_bsc1096740_module_nb = {
+ .notifier_call = kgr_patch_bsc1096740_module_notify,
+ .priority = INT_MIN+1,
+};
+
+int kgr_patch_bsc1096740_init(void)
+{
+ int ret;
+
+ mutex_lock(&module_mutex);
+ if (find_module(KGR_PATCHED_MODULE)) {
+ ret = kgr_patch_bsc1096740_kallsyms();
+ if (ret)
+ goto out;
+ }
+
+ ret = register_module_notifier(&kgr_patch_bsc1096740_module_nb);
+out:
+ mutex_unlock(&module_mutex);
+ return ret;
+}
+
+void kgr_patch_bsc1096740_cleanup(void)
+{
+ unregister_module_notifier(&kgr_patch_bsc1096740_module_nb);
+}
+
+#endif /* IS_ENABLED(CONFIG_X86_64) && IS_ENABLED(CONFIG_KVM) */
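Review bot: kgr_patch_bsc1096740_module_notify returns the raw errno from kgr_patch_bsc1096740_kallsyms(), but a notifier_call is expected to return NOTIFY_* values; if the module notifier chain honours the result at all (the MODULE_STATE_COMING caller may well ignore it), a negative errno is only interpreted through its NOTIFY_STOP_MASK bits rather than as an error code. Returning `notifier_from_errno(ret)`, or NOTIFY_DONE since the WARN already records the failure, would make the intent explicit. Two style nits in the same hunk: `int i` in kgr_patch_bsc1096740_kallsyms is compared against ARRAY_SIZE(), which yields size_t, so `size_t i` avoids a sign-compare warning, and the closing brace of the notify function is indented by one space. The "-10 lines" comment in kgr_kvm_put_guest_fpu would read better if it said what the removal is, e.g. `/* Fix CVE-2018-3665 (upstream 653f52c316a4, eager guest FPU load): -10 lines */`.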
diff --git a/bsc1096740/kgr_patch_bsc1096740.h b/bsc1096740/kgr_patch_bsc1096740.h
new file mode 100644
index 0000000..b9ec708
--- /dev/null
+++ b/bsc1096740/kgr_patch_bsc1096740.h
@@ -0,0 +1,26 @@
+#ifndef _KGR_PATCH_BSC1096740_H
+#define _KGR_PATCH_BSC1096740_H
+
+#if IS_ENABLED(CONFIG_X86_64) && IS_ENABLED(CONFIG_KVM)
+
+int kgr_patch_bsc1096740_init(void);
+void kgr_patch_bsc1096740_cleanup(void);
+
+struct kvm_vcpu;
+void kgr_kvm_put_guest_fpu(struct kvm_vcpu *vcpu);
+
+#define KGR_PATCH_BSC1096740_FUNCS \
+ KGR_PATCH_OBJ(kvm_put_guest_fpu, kgr_kvm_put_guest_fpu, \
+ "kvm"), \
+
+
+#else /* !(IS_ENABLED(CONFIG_X86_64) && IS_ENABLED(CONFIG_KVM)) */
+
+static inline int kgr_patch_bsc1096740_init(void) { return 0; }
+static inline void kgr_patch_bsc1096740_cleanup(void) {}
+
+#define KGR_PATCH_BSC1096740_FUNCS
+
+#endif /* IS_ENABLED(CONFIG_X86_64) && IS_ENABLED(CONFIG_KVM) */
+
+#endif
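Review bot: The last line of KGR_PATCH_BSC1096740_FUNCS, `"kvm"), \`, ends with a line continuation that pulls the following blank line into the macro; dropping that trailing backslash makes the macro's extent obvious. The trailing comma after the KGR_PATCH_OBJ() entry is presumably relied on by the site that expands the list (not visible here), so it should stay. A one-line comment above the macro stating that it expands to one KGR_PATCH_OBJ(original, replacement, module) entry per patched function would help readers of the include site.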