On 16/10/2017 18:07, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
>
> This is a note to let you know that I've just added the patch titled
>
>     KVM: nVMX: update last_nonleaf_level when initializing nested EPT
>
> to the 4.9-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
>      kvm-nvmx-update-last_nonleaf_level-when-initializing-nested-ept.patch
> and it can be found in the queue-4.9 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@xxxxxxxxxxxxxxx> know about it.
>
>
> From fd19d3b45164466a4adce7cbff448ba9189e1427 Mon Sep 17 00:00:00 2001
> From: Ladi Prosek <lprosek@xxxxxxxxxx>
> Date: Thu, 5 Oct 2017 11:10:22 +0200
> Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
>
> From: Ladi Prosek <lprosek@xxxxxxxxxx>
>
> commit fd19d3b45164466a4adce7cbff448ba9189e1427 upstream.
>
> The function updates context->root_level but didn't call
> update_last_nonleaf_level so the previous and potentially wrong value
> was used for page walks. For example, a zero value of last_nonleaf_level
> would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
> walk_addr_generic function (CVE-2017-12188).
>
> Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
> Signed-off-by: Ladi Prosek <lprosek@xxxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>
> ---
>  arch/x86/kvm/mmu.c |    1 +
>  1 file changed, 1 insertion(+)
>
> --- a/arch/x86/kvm/mmu.c
> +++ b/arch/x86/kvm/mmu.c
> @@ -4169,6 +4169,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_ > > update_permission_bitmask(vcpu, context, true); > update_pkru_bitmask(vcpu, context, true); > + update_last_nonleaf_level(vcpu, context); > reset_rsvds_bits_mask_ept(vcpu, context, execonly); > reset_ept_shadow_zero_bits_mask(vcpu, context, execonly); > }
>
>
> Patches currently in stable-queue which might be from lprosek@xxxxxxxxxx are
>
> queue-4.9/kvm-nvmx-update-last_nonleaf_level-when-initializing-nested-ept.patch
> queue-4.9/kvm-mmu-always-terminate-page-walks-at-level-1.patch

The latter was enough to fix the bug (so it was the only one CCed stable), but it's safe to apply this one too to kernels where there are no conflicts.

Paolo
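Review bot: the added update_last_nonleaf_level(vcpu, context) call derives last_nonleaf_level from context->root_level, so its position after update_pkru_bitmask() is only right if root_level has already been assigned earlier in kvm_init_shadow_ept_mmu(); the changelog says the function does set it, but the hunk's context lines do not show that assignment, so the ordering should be confirmed against the 4.9 source before this is taken. Since the reply notes that queue-4.9/kvm-mmu-always-terminate-page-walks-at-level-1.patch alone was enough to fix the bug, one sentence in the changelog saying which of the two closes CVE-2017-12188 and which is the complementary initialization fix would help anyone backporting only one of them.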
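The failure mode the changelog describes, as a self-contained model added here (this is not KVM code and not part of the original message): a guest page walk that records each entry in ptes[level - 1] and relies on last_nonleaf_level to decide when to stop. With the initialization step skipped, last_nonleaf_level stays 0, the unguarded check never reports a leaf, and the walk runs past level 1 to an index of -1, which is the out-of-bounds access behind CVE-2017-12188. The hardened check stops at level 1 unconditionally (the idea in the companion "always terminate page walks at level 1" patch), which closes the memory-safety hole but still mis-handles a 2M mapping until last_nonleaf_level is actually updated. All toy_* names, both check functions and the two guest tables are constructed for this example; only the field names root_level and last_nonleaf_level and the loop shape of walk_addr_generic follow the page.

```c
/* Toy model of the walk_addr_generic() termination problem; NOT KVM code.
 * Structs, check functions and guest tables are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_PAGE_TABLE_LEVEL 1u
#define PT_PAGE_SIZE_MASK   (1ULL << 7)   /* PS bit of a PDE/PDPTE */
#define PT_PRESENT_MASK     1ULL
#define ROOT_LEVEL          4u            /* 4-level guest paging / EPT */

/* Stand-in for the two kvm_mmu fields that matter here. */
struct toy_mmu {
	unsigned root_level;
	unsigned last_nonleaf_level;  /* lowest level whose entries can never be leaves */
};

/* Stand-in for the walker: ptes[] is indexed by level - 1. */
struct toy_walker {
	unsigned level;
	uint64_t ptes[ROOT_LEVEL];
};

typedef bool (*last_gpte_fn)(const struct toy_mmu *, unsigned, uint64_t);

/* The init step the patch adds: derive last_nonleaf_level from root_level.
 * For 4-level tables only the top level cannot hold a leaf. */
static void toy_update_last_nonleaf_level(struct toy_mmu *mmu)
{
	mmu->last_nonleaf_level = mmu->root_level;
}

/* Termination check that relies solely on init-time MMU state.
 * With a stale last_nonleaf_level of 0 the first test is true at every
 * level, so no entry is ever treated as a leaf. */
static bool is_last_gpte_unguarded(const struct toy_mmu *mmu, unsigned level, uint64_t gpte)
{
	if (level >= mmu->last_nonleaf_level)
		return false;
	return level == PT_PAGE_TABLE_LEVEL || (gpte & PT_PAGE_SIZE_MASK);
}

/* Hardened check: level 1 terminates whatever last_nonleaf_level holds. */
static bool is_last_gpte_hardened(const struct toy_mmu *mmu, unsigned level, uint64_t gpte)
{
	if (level == PT_PAGE_TABLE_LEVEL)
		return true;
	if (level >= mmu->last_nonleaf_level)
		return false;
	return gpte & PT_PAGE_SIZE_MASK;
}

/* Walk one constructed entry chain gpt[level] the way walk_addr_generic()
 * loops: store the entry in ptes[level - 1], stop at a leaf.  Returns the
 * level the walk ended at, -2 for a not-present entry, or -1 when the next
 * step would have touched ptes[-1] (detected here instead of performed). */
static int toy_walk(const struct toy_mmu *mmu, last_gpte_fn is_last,
		    const uint64_t gpt[ROOT_LEVEL + 1], struct toy_walker *w)
{
	w->level = mmu->root_level;
	memset(w->ptes, 0, sizeof(w->ptes));
	for (;;) {
		if (w->level < PT_PAGE_TABLE_LEVEL)
			return -1;                    /* index would be -1 */
		uint64_t gpte = gpt[w->level];
		w->ptes[w->level - 1] = gpte;
		if (!(gpte & PT_PRESENT_MASK))
			return -2;
		if (is_last(mmu, w->level, gpte))
			return (int)w->level;
		w->level--;
	}
}

/* Constructed guest tables.  gpt_4k: a 4K mapping, leaf at level 1.
 * gpt_2m: PS set at level 2; gpt_2m[1] stands for data inside the 2M frame
 * that gets misread as a PTE if the walk fails to stop at level 2. */
static const uint64_t gpt_4k[ROOT_LEVEL + 1] = {
	[4] = PT_PRESENT_MASK, [3] = PT_PRESENT_MASK, [2] = PT_PRESENT_MASK, [1] = PT_PRESENT_MASK,
};
static const uint64_t gpt_2m[ROOT_LEVEL + 1] = {
	[4] = PT_PRESENT_MASK, [3] = PT_PRESENT_MASK,
	[2] = PT_PRESENT_MASK | PT_PAGE_SIZE_MASK, [1] = PT_PRESENT_MASK,
};

/* updated=false models kvm_init_shadow_ept_mmu() before the patch: the
 * field keeps its stale value (0 here); updated=true runs the added step. */
static int toy_translate(bool updated, last_gpte_fn fn, const uint64_t gpt[ROOT_LEVEL + 1])
{
	struct toy_mmu mmu = { .root_level = ROOT_LEVEL, .last_nonleaf_level = 0 };
	struct toy_walker w;

	if (updated)
		toy_update_last_nonleaf_level(&mmu);
	return toy_walk(&mmu, fn, gpt, &w);
}

int main(void)
{
	printf("stale, unguarded, 4K:  %d (walk would index ptes[-1])\n",
	       toy_translate(false, is_last_gpte_unguarded, gpt_4k));
	printf("stale, hardened,  4K:  %d\n", toy_translate(false, is_last_gpte_hardened, gpt_4k));
	printf("stale, hardened,  2M:  %d (in bounds, but should be 2)\n",
	       toy_translate(false, is_last_gpte_hardened, gpt_2m));
	printf("updated, hardened, 2M: %d\n", toy_translate(true, is_last_gpte_hardened, gpt_2m));
	return 0;
}
```

The two fixes are complementary: the unconditional level-1 stop removes the out-of-bounds index even when the MMU context is stale, while running the initialization step is what makes large-page leaves at levels 2 and 3 be recognized at all.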