From patchwork Fri Dec 1 18:21:09 2017
X-Patchwork-Submitter: Jim Mattson
X-Patchwork-Id: 10087713
From: Jim Mattson
To: kvm@vger.kernel.org, P J P
Cc: Andrew Honig, Jim Mattson
Subject: [PATCH 1/2] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
Date: Fri, 1 Dec 2017 10:21:09 -0800
Message-Id: <20171201182110.7143-1-jmattson@google.com>
X-Mailing-List: kvm@vger.kernel.org
From: Andrew Honig This fixes CVE-2017-1000407. KVM allows guests to directly access I/O port 0x80 on Intel hosts. If the guest floods this port with writes it generates exceptions and instability in the host kernel, leading to a crash. With this change guest writes to port 0x80 on Intel will behave the same as they currently behave on AMD systems. Prevent the flooding by removing the code that sets port 0x80 as a passthrough port. This is essentially the same as upstream patch 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was for AMD chipsets and this patch is for Intel. Signed-off-by: Andrew Honig Signed-off-by: Jim Mattson Reviewed-by: Krish Sadhukhan Reviewed-by: Quan Xu --- arch/x86/kvm/vmx.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index d2b452d66363..d16abd1808eb 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -6753,12 +6753,7 @@ static __init int hardware_setup(void) memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE); memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE); - /* - * Allow direct access to the PC debug port (it is often used for I/O - * delays, but the vmexits simply slow things down). - */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); - clear_bit(0x80, vmx_io_bitmap_a); memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
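Review bot: The hunk removes the only in-source explanation of why port 0x80 was treated specially, so a one-line comment above `memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);` stating that the debug-port passthrough was dropped deliberately (CVE-2017-1000407, mirroring the AMD fix cited in the commit message) would stop a later cleanup from re-adding `clear_bit(0x80, vmx_io_bitmap_a);` as a performance tweak. The change itself is correct: with the memset leaving every bit of bitmap A set and no clear_bit following it, guest accesses to 0x80 now cause a VM exit and are handled like any other intercepted port, and the five removed lines match the diffstat.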