KVM / Partial Mitigation for CVE-2017-5715

Peter Lieven-2

Hi Kernel Team,

I found that there is a partial fix for CVE-2017-5715 upstream since yesterday:

    kvm: vmx: Scrub hardware GPRs at VM-exit

    Guest GPR values are live in the hardware GPRs at VM-exit.  Do not
    leave any guest values in hardware GPRs after the guest GPR values are
    saved to the vcpu_vmx structure.

    This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
    Specifically, it defeats the Project Zero PoC for CVE 2017-5715.


Is it possible that you cherry-pick this patch for your first round of mitigation patches? It looks quite minimal and would
help to save hosts running different VMs. It seems that this is part of what Google came up with for their cloud platform.


kernel-team mailing list