CVE-2017-12154 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-12154
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-12154
CVSS severity score: 3.6/10.0

Description: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Sep 29 2017
Upstream 51aa68e7d57e321 ("kvm: nVMX: Don't allow L2 to access the hardware CR8"). Only relevant if KVM is enabled which is true for Lakitu. It also can be enabled with a USE flag. All kernel versions up to and including chromeos-4.12 are affected.
Sep 29 2017
Sep 29 2017
Cherry-pick to chromeos-3.14 and earlier causes substantial conflicts; access control is much less specific in those releases. Will only fix in chromeos-3.18 and later.
Sep 29 2017
Thanks for looking at Lakitu, Guenter. If it affects Lakitu we'll want the fix in all branches including 60 (still supported by Lakitu). We are only using the 4.4 kernel though. Let me know if you need any help on doing the cherry-picks.
Sep 29 2017
Hmm, I took a look too. Lakitu has CONFIG_KVM_GUEST enabled but not CONFIG_KVM, which is what this bug is about. So at least this doesn't impact Lakitu stable or beta. I don't think we'll ever intend Lakitu to run as a KVM host, but having the fix in master doesn't hurt.
Sep 29 2017
#6: Excellent. I'll modify priorities accordingly and drop stable requests.
Sep 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/77242038299782d63c49d1173bf268fa87fd1049

commit 77242038299782d63c49d1173bf268fa87fd1049
Author: Jim Mattson <jmattson@google.com>
Date: Fri Sep 29 21:35:35 2017

UPSTREAM: kvm: nVMX: Don't allow L2 to access the hardware CR8

If L1 does not specify the "use TPR shadow" VM-execution control in vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store exiting" VM-execution controls in vmcs02. Failure to do so will give the L2 VM unrestricted read/write access to the hardware CR8.

This fixes CVE-2017-12154.

BUG= chromium:770155
TEST=Build and run

Change-Id: Iff30767e0f89277022db25e52d39a6e151e59920
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 51aa68e7d57e321)
Reviewed-on: https://chromium-review.googlesource.com/692738
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/77242038299782d63c49d1173bf268fa87fd1049/arch/x86/kvm/vmx.c
Sep 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/35d2950bd457e45050b3c74f7c0b4759f4d8b8ac

commit 35d2950bd457e45050b3c74f7c0b4759f4d8b8ac
Author: Jim Mattson <jmattson@google.com>
Date: Sat Sep 30 00:42:52 2017

UPSTREAM: kvm: nVMX: Don't allow L2 to access the hardware CR8

If L1 does not specify the "use TPR shadow" VM-execution control in vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store exiting" VM-execution controls in vmcs02. Failure to do so will give the L2 VM unrestricted read/write access to the hardware CR8.

This fixes CVE-2017-12154.

BUG= chromium:770155
TEST=Build and run

Change-Id: Iff30767e0f89277022db25e52d39a6e151e59920
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 51aa68e7d57e321)
Reviewed-on: https://chromium-review.googlesource.com/692838

[modify] https://crrev.com/35d2950bd457e45050b3c74f7c0b4759f4d8b8ac/arch/x86/kvm/vmx.c
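The control-bit logic that the issue description and the commit message above talk about, written out as an added C model. This is not code from the bug report, from the kernel, or from the cherry-picked patch: it reduces prepare_vmcs02 to the one operation that matters here (merging L0's primary VM-execution control word with L1's vmcs12 word) and puts the pre-fix and post-fix behaviour side by side with an audit predicate. The CPU_BASED_* values are the Intel SDM primary processor-based VM-execution control bits (19, 20 and 21), under the same names the kernel uses; the assumption that L0's own control word has "use TPR shadow" set and the CR8 exits clear is this model's simplification of the host-side default, and the function names prepare_vmcs02_exec_control and l2_has_raw_cr8_access are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Primary processor-based VM-execution control bits (Intel SDM, Vol. 3).
 * Same values as the kernel's CPU_BASED_* constants. */
#define CPU_BASED_CR8_LOAD_EXITING   0x00080000u   /* bit 19 */
#define CPU_BASED_CR8_STORE_EXITING  0x00100000u   /* bit 20 */
#define CPU_BASED_TPR_SHADOW         0x00200000u   /* bit 21 */
#define CPU_BASED_CR8_EXITING (CPU_BASED_CR8_LOAD_EXITING | CPU_BASED_CR8_STORE_EXITING)

/* Model assumption: L0 runs L1 with the TPR shadow, so L0's own control word has
 * "use TPR shadow" set and the CR8 exits clear (they are only needed when the
 * TPR shadow is not in use). Constructed value, not read from real hardware. */
#define L0_EXEC_CONTROL_MODEL CPU_BASED_TPR_SHADOW

/* Model of how prepare_vmcs02 derives vmcs02's primary control word from L0's
 * word and L1's vmcs12 word. fixed == false reproduces the behaviour described
 * in the CVE; fixed == true applies the rule from the commit message: when L1
 * omits "use TPR shadow", L0 must add both CR8 exits. Hypothetical name. */
uint32_t prepare_vmcs02_exec_control(uint32_t l0_control, uint32_t vmcs12_control, bool fixed)
{
    uint32_t exec_control = l0_control;

    /* L0 gives up its own TPR-shadow choice; whether L2 gets one is L1's call. */
    exec_control &= ~CPU_BASED_TPR_SHADOW;
    /* L1's requested controls are ORed in. */
    exec_control |= vmcs12_control;

    if (fixed && !(exec_control & CPU_BASED_TPR_SHADOW)) {
        /* No TPR shadow: a MOV to/from CR8 in L2 would reach the hardware
         * register, so force both directions to exit to L0. */
        exec_control |= CPU_BASED_CR8_EXITING;
    }
    return exec_control;
}

/* Audit predicate: does this vmcs02 word leave L2 with direct access to the
 * hardware CR8? Only when the TPR shadow is off and at least one CR8 direction
 * does not cause a VM exit. Hypothetical name. */
bool l2_has_raw_cr8_access(uint32_t vmcs02_control)
{
    if (vmcs02_control & CPU_BASED_TPR_SHADOW)
        return false;   /* CR8 accesses are redirected to the virtual-APIC TPR */
    return (vmcs02_control & CPU_BASED_CR8_EXITING) != CPU_BASED_CR8_EXITING;
}

int main(void)
{
    /* Constructed vmcs12 words: L1 without and with "use TPR shadow". */
    const uint32_t l1_no_tpr_shadow = 0;
    const uint32_t l1_tpr_shadow = CPU_BASED_TPR_SHADOW;

    uint32_t before = prepare_vmcs02_exec_control(L0_EXEC_CONTROL_MODEL, l1_no_tpr_shadow, false);
    uint32_t after  = prepare_vmcs02_exec_control(L0_EXEC_CONTROL_MODEL, l1_no_tpr_shadow, true);
    uint32_t shadow = prepare_vmcs02_exec_control(L0_EXEC_CONTROL_MODEL, l1_tpr_shadow, false);

    printf("L1 omits TPR shadow, before fix: vmcs02=0x%08x raw CR8 access=%s\n",
           before, l2_has_raw_cr8_access(before) ? "yes" : "no");
    printf("L1 omits TPR shadow, after fix:  vmcs02=0x%08x raw CR8 access=%s\n",
           after, l2_has_raw_cr8_access(after) ? "yes" : "no");
    printf("L1 uses TPR shadow:              vmcs02=0x%08x raw CR8 access=%s\n",
           shadow, l2_has_raw_cr8_access(shadow) ? "yes" : "no");
    return 0;
}
```

The unpatched path ends with a control word of 0 for an L1 that omits the TPR shadow: L0 cleared its own TPR-shadow bit, L1 supplied nothing, and nothing restored the CR8 exits, which is exactly the gap the CVE text describes. The patched path yields 0x00180000 (both CR8 exits set), and the audit predicate is the check a reviewer can apply to any vmcs02 control word independently of how it was built.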
Oct 2 2017
Oct 3 2017
Jan 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Sep 29 2017
Status: ExternalDependency (was: Untriaged)