2017-12-01 10:21-0800, Jim Mattson:
> From: Andrew Honig <ahonig@xxxxxxxxxx>
>
> This fixes CVE-2017-1000407.
>
> KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
> the guest floods this port with writes it generates exceptions and
> instability in the host kernel, leading to a crash. With this change
> guest writes to port 0x80 on Intel will behave the same as they
> currently behave on AMD systems.
>
> Prevent the flooding by removing the code that sets port 0x80 as a
> passthrough port. This is essentially the same as upstream patch
> 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
> for AMD chipsets and this patch is for Intel.
>
> Signed-off-by: Andrew Honig <ahonig@xxxxxxxxxx>
> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
Cc: <stable@xxxxxxxxxxxxxxx>
Applied, thanks. The commit that introduced it boasted 3-5% performance
improvements when compiling the kernel -- have you noticed regressions?
