UPSTREAM: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream.
This fixes CVE-2017-1000407.
KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
the guest floods this port with writes it generates exceptions and
instability in the host kernel, leading to a crash. With this change
guest writes to port 0x80 on Intel will behave the same as they
currently behave on AMD systems.
Prevent the flooding by removing the code that sets port 0x80 as a
passthrough port. This is essentially the same as upstream patch
99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
for AMD chipsets and this patch is for Intel.
BUG=chromium:797482
TEST=Flood port 0x80 from KVM client
Signed-off-by: Andrew Honig <[email protected]>
Signed-off-by: Jim Mattson <[email protected]>
Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
Signed-off-by: Radim Krčmář <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit a52c2829cd60492fc75bafc323145cab1af915f5)
Signed-off-by: Guenter Roeck <[email protected]>
Change-Id: I0b2001863e3a76d35a00169b0f842b7e59119673
Reviewed-on: https://chromium-review.googlesource.com/845782
Reviewed-by: Guenter Roeck <[email protected]>
Commit-Queue: Guenter Roeck <[email protected]>
Tested-by: Guenter Roeck <[email protected]>
1 file changed
