KVM / Partial Mitigation for CVE-2017-5715

Peter Lieven-2

Hi Kernel Team,

I found that there is a partial fix for CVE-2017-5715 upstream since yesterday:

    kvm: vmx: Scrub hardware GPRs at VM-exit

    Guest GPR values are live in the hardware GPRs at VM-exit.  Do not
    leave any guest values in hardware GPRs after the guest GPR values are
    saved to the vcpu_vmx structure.

    This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
    Specifically, it defeats the Project Zero PoC for CVE 2017-5715.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788

Is it possible that you cherry-pick this patch for your first round of mitigation patches? It looks quite minimal and would
help to save hosts running different VMs. It seems that this is part of what Google came up with for their cloud platform.

Thanks,
Peter

--
kernel-team mailing list
https://lists.ubuntu.com/mailman/listinfo/kernel-team