    KVM: MTRR: remove MSR 0x2f8 · 62ab3693
    Andy Honig authored
    commit 9842df62 upstream.
    
    MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
    was introduced by 9ba075a6 ("KVM: MTRR support").
    
    0x2f8 became harmful when 910a6aae ("KVM: MTRR: exactly define the
    size of variable MTRRs") shrank the array of VR MTRRs from 256 to 8,
    which made access to index 124 out of bounds.  The surrounding code only
    WARNs in this situation, thus the guest gained a limited read/write
    access to struct kvm_arch_vcpu.
    
    0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
    MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8
    was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
    not implemented in KVM, therefore 0x2f8 could never do anything useful
    and getting rid of it is safe.
    
    This fixes CVE-2016-3713.
    
    Fixes: 910a6aae ("KVM: MTRR: exactly define the size of variable MTRRs")
    Reported-by: David Matlack <dmatlack@google.com>
    Signed-off-by: Andy Honig <ahonig@google.com>
    Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Kamal Mostafa <kamal@canonical.com>
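The bug class described above (an MSR validity check that still admits a stale MSR number after the backing array shrank, with only a WARN guarding the resulting out-of-bounds index) is modelled in the following added example. It is not KVM's code: the structure names, the `msr_is_var_mtrr_old`/`msr_is_var_mtrr_new` split and the sentinel field are assumptions made for illustration. The numbers come from the commit message: 16 advertised MSRs 0x200-0x20f, an 8-entry array, and the generic PHYSBASE/PHYSMASK pairing under which 0x2f8 decodes to index 124.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Eight variable-range MTRRs after 910a6aae (256 before). */
#define KVM_NR_VAR_MTRR 8
#define MSR_VR_MTRR_FIRST 0x200u                                     /* MTRRphysBase0 */
#define MSR_VR_MTRR_LAST (MSR_VR_MTRR_FIRST + 2 * KVM_NR_VAR_MTRR - 1) /* 0x20f */
#define MSR_STALE_0x2F8 0x2f8u

struct vr_mtrr { uint64_t base; uint64_t mask; };

/* Hypothetical stand-in for the per-vCPU MTRR state. The sentinel models
 * whatever follows the array in the real structure: an unchecked index 124
 * would land well past the end of var[]. */
struct mtrr_state {
    struct vr_mtrr var[KVM_NR_VAR_MTRR];
    uint64_t sentinel;
};

/* Pre-fix validity check (reconstruction): the 16 real MSRs plus the leftover
 * 0x2f8 that only made sense when the array had 256 entries. */
static bool msr_is_var_mtrr_old(uint32_t msr)
{
    return (msr >= MSR_VR_MTRR_FIRST && msr <= MSR_VR_MTRR_LAST) || msr == MSR_STALE_0x2F8;
}

/* Post-fix validity check: only the MSRs KVM actually advertises. */
static bool msr_is_var_mtrr_new(uint32_t msr)
{
    return msr >= MSR_VR_MTRR_FIRST && msr <= MSR_VR_MTRR_LAST;
}

/* Generic decode: each VR MTRR uses an even PHYSBASE MSR and the odd PHYSMASK
 * MSR right after it. For 0x2f8 this yields (0x2f8 - 0x200) / 2 == 124. */
static int var_mtrr_index(uint32_t msr, bool *is_mask)
{
    *is_mask = (msr & 1u) != 0;
    return (int)((msr - MSR_VR_MTRR_FIRST) / 2);
}

/* Write path: validity check chosen by the caller, followed by a bounds check
 * that refuses the access instead of merely warning. Returns true only if the
 * value was stored inside the array. */
static bool var_mtrr_write(struct mtrr_state *st, bool (*valid)(uint32_t),
                           uint32_t msr, uint64_t val)
{
    bool is_mask;
    int idx;

    if (!valid(msr))
        return false;

    idx = var_mtrr_index(msr, &is_mask);
    if (idx < 0 || idx >= KVM_NR_VAR_MTRR) {
        /* The pre-fix code reached this point for 0x2f8, WARNed, and went on
         * to use the index; refusing here is the defensive choice. */
        fprintf(stderr, "refusing MSR 0x%x: index %d >= %d\n", msr, idx, KVM_NR_VAR_MTRR);
        return false;
    }

    if (is_mask)
        st->var[idx].mask = val;
    else
        st->var[idx].base = val;
    return true;
}

int main(void)
{
    struct mtrr_state st = {0};
    bool is_mask;

    printf("0x2f8 valid before fix: %d, after fix: %d\n",
           msr_is_var_mtrr_old(MSR_STALE_0x2F8), msr_is_var_mtrr_new(MSR_STALE_0x2F8));
    printf("0x2f8 decodes to index %d (mask=%d) with only %d entries\n",
           var_mtrr_index(MSR_STALE_0x2F8, &is_mask), is_mask, KVM_NR_VAR_MTRR);
    printf("write via old check accepted: %d\n",
           var_mtrr_write(&st, msr_is_var_mtrr_old, MSR_STALE_0x2F8, 1));
    return 0;
}
```

The point to take from the model is that the old validity predicate and the generic index formula were individually reasonable; the hole opened when the array size changed without the predicate being revisited. An explicit bounds check on the write path is cheap insurance against that kind of drift.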