From 41c1864a9cd778033d2b8166fe58b65058781425 Mon Sep 17 00:00:00 2001
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 6 Sep 2010 14:13:05 +0000
Subject: add a directory for patches, which are not easily available (e.g.
 digged out of a RHEL update)

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1950 e094ebfe-e918-0410-adfb-c712417f3574
---
 ...5-kvm-kernel-fix-null-pointer-dereference.patch | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 patches/CVE-2010-0435-kvm-kernel-fix-null-pointer-dereference.patch

(limited to 'patches')

diff --git a/patches/CVE-2010-0435-kvm-kernel-fix-null-pointer-dereference.patch b/patches/CVE-2010-0435-kvm-kernel-fix-null-pointer-dereference.patch
new file mode 100644
index 00000000..b307723b
--- /dev/null
+++ b/patches/CVE-2010-0435-kvm-kernel-fix-null-pointer-dereference.patch
@@ -0,0 +1,55 @@
+From 452e7a083f09b2fb2a0e75df34f77fd290f12c26 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Thu, 11 Mar 2010 10:24:46 +0200
+Subject: [PATCH] fix null pointer dereference
+
+There is a bug in KVM that can be used to crash a host on Intel
+machines. If emulator is tricked into emulating mov to/from DR instruction
+it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
+are not initialized. Recently this is not exploitable from guest
+userspace, but malicious guest kernel can trigger it easily.
+
+rhev-h-2.2 BZ: 570533
+RHEL5.5 BZ: 570531
+RHEL5.6 BZ: 570532
+
+Bugzilla: 570531
+Acked-by: Zachary Amsden <zamsden@redhat.com>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Juan Quintela <quintela@redhat.com>
+
+Upstream status: embargoed.
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+---
+ arch/x86/kvm/x86.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 9a613cb..8477c11 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2543,6 +2543,9 @@ int emulator_get_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long *dest)
+ {
+ 	struct kvm_vcpu *vcpu = ctxt->vcpu;
+ 
++	if (!kvm_x86_ops->get_dr)
++		return X86EMUL_UNHANDLEABLE;
++
+ 	switch (dr) {
+ 	case 0 ... 3:
+ 		*dest = kvm_x86_ops->get_dr(vcpu, dr);
+@@ -2558,6 +2561,9 @@ int emulator_set_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long value)
+ 	unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
+ 	int exception;
+ 
++	if (!kvm_x86_ops->set_dr)
++		return X86EMUL_UNHANDLEABLE;
++
+ 	kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);
+ 	if (exception) {
+ 		/* FIXME: better handling */
+-- 
+1.7.0.3
+
-- 
cgit v1.2.3