On 13/12/2014 02:13, Vinson Lee wrote:
> Please consider upstream 3.12 commit
> bfd0a56b90005f8c8a004baf407ad90045c2b11e "nEPT: Nested INVEPT" for
> stable trees 3.4 and 3.10. This patch addresses CVE-2014-3645. It has
> already been backported to 3.2 in 3.2.64.

Note that the patch for 3.4 and 3.10 can be much simpler:

https://lkml.org/lkml/2014/11/2/48

Paolo

> commit bfd0a56b90005f8c8a004baf407ad90045c2b11e
> Author: Nadav Har'El <nyh@xxxxxxxxxx>
> Date: Mon Aug 5 11:07:17 2013 +0300
>
> nEPT: Nested INVEPT
>
> If we let L1 use EPT, we should probably also support the INVEPT
> instruction.
>
> In our current nested EPT implementation, when L1 changes its EPT table
> for L2 (i.e., EPT12), L0 modifies the shadow EPT table (EPT02), and in
> the course of this modification already calls INVEPT. But if last level
> of shadow page is unsync not all L1's changes to EPT12 are intercepted,
> which means roots need to be synced when L1 calls INVEPT. Global INVEPT
> should not be different since roots are synced by kvm_mmu_load() each
> time EPTP02 changes.
>
> Reviewed-by: Xiao Guangrong <xiaoguangrong@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Nadav Har'El <nyh@xxxxxxxxxx>
> Signed-off-by: Jun Nakajima <jun.nakajima@xxxxxxxxx>
> Signed-off-by: Xinhao Xu <xinhao.xu@xxxxxxxxx>
> Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
> Signed-off-by: Gleb Natapov <gleb@xxxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
>
>
> Cheers,
> Vinson
>