Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch
new file mode 100644
index 000000000..2c417d22e
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch
@@ -0,0 +1,68 @@
+From 0671f42a9c1084db10d68ac347d08dbf6689ecb3 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 30 Nov 2023 18:56:00 +0100
+Subject: KVM: s390: fix setting of fpc register
+
+[ Upstream commit b988b1bb0053c0dcd26187d29ef07566a565cf55 ]
+
+kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control
+(fpc) register of a guest cpu. The new value is tested for validity by
+temporarily loading it into the fpc register.
+
+This may lead to corruption of the fpc register of the host process:
+if an interrupt happens while the value is temporarily loaded into the fpc
+register, and within interrupt context floating point or vector registers
+are used, the current fp/vx registers are saved with save_fpu_regs()
+assuming they belong to user space and will be loaded into fp/vx registers
+when returning to user space.
+
+test_fp_ctl() restores the original user space / host process fpc register
+value, however it will be discarded, when returning to user space.
+
+In result the host process will incorrectly continue to run with the value
+that was supposed to be used for a guest cpu.
+
+Fix this by simply removing the test. There is another test right before
+the SIE context is entered which will handles invalid values.
+
+This results in a change of behaviour: invalid values will now be accepted
+instead of that the ioctl fails with -EINVAL. This seems to be acceptable,
+given that this interface is most likely not used anymore, and this is in
+addition the same behaviour implemented with the memory mapped interface
+(replace invalid values with zero) - see sync_regs() in kvm-s390.c.
+
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/kvm-s390.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index 3775363471f0c6..f604946ab2c85e 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -4138,10 +4138,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+
+ vcpu_load(vcpu);
+
+- if (test_fp_ctl(fpu->fpc)) {
+- ret = -EINVAL;
+- goto out;
+- }
+ vcpu->run->s.regs.fpc = fpu->fpc;
+ if (MACHINE_HAS_VX)
+ convert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs,
+@@ -4149,7 +4145,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+ else
+ memcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs));
+
+-out:
+ vcpu_put(vcpu);
+ return ret;
+ }
+--
+cgit 1.2.3-korg
+
|
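Review bot: The added patch file has no `Upstream-Status:` or `CVE:` tag in its header, so its provenance rests only on the `[ Upstream commit b988b1bb0053c0dcd26187d29ef07566a565cf55 ]` line and the file name. Adding `Upstream-Status: Backport [b988b1bb0053c0dcd26187d29ef07566a565cf55]` and `CVE: CVE-2023-52597` above the `---` separator would let the layer's patch QA and CVE tracking account for it explicitly. The embedded fix touches only `arch/s390/kvm/kvm-s390.c`, which a linux-aspeed BMC kernel presumably never compiles, so the backport likely clears a scanner finding rather than removing reachable code; the commit message should say so. The diffstat shown is limited to this one file, so it is worth confirming that the recipe's `SRC_URI` actually lists the patch.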