ngompa/kernel-rpm
1
0
Fork 0
forked from rpms/kernel
Code Pull Requests Activity

Linux v3.13-rc3-302-g8d27637

Browse Source
This commit is contained in:
Josh Boyer 2013-12-13 07:05:00 -05:00
parent 00361ff6dc
commit d9d571f6b2
6 changed files with 5 additions and 577 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
KVM-Improve-create-VCPU-parameter.patch
View File

@ -1,93 +0,0 @@
Bugzilla: 1042071
Upstream-status: 3.13 and sent to stable
Delivered-To: jwboyer@gmail.com
Received: by 10.76.104.107 with SMTP id gd11csp361298oab;
Thu, 12 Dec 2013 12:41:21 -0800 (PST)
X-Received: by 10.50.109.132 with SMTP id hs4mr33803866igb.34.1386880880893;
Thu, 12 Dec 2013 12:41:20 -0800 (PST)
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id q8si17378346pav.173.2013.12.12.12.40.57
for <multiple recipients>;
Thu, 12 Dec 2013 12:41:20 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
dkim=neutral (bad format) header.i=@gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1752041Ab3LLUhR (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
Thu, 12 Dec 2013 15:37:17 -0500
Received: from mail-ea0-f179.google.com ([209.85.215.179]:43785 "EHLO
mail-ea0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751761Ab3LLUhN (ORCPT
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:13 -0500
Received: by mail-ea0-f179.google.com with SMTP id r15so485140ead.24
for <multiple recipients>; Thu, 12 Dec 2013 12:37:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=sender:from:to:cc:subject:date:message-id;
bh=3nLdta59rbActmGe9iq6aMqjNBfzfF7lqy0gb7EeI0I=;
b=fWKHZKszZQjXAVDzYAlwX8s4+UNEomYiCAX0zvDzW7A5Yiy28MUt0QbNu6288Pu+Qs
NJ38SpDcPLWzGknYOLggLa21nXsv4tX9vp4FFEY4i3H5iCVpXbvxIc+n9ZVOzWY2wkxK
HR1Xf24kJ9FPuV/LoIyu5RlHZUm95BoAe7TxRZWlkcxQ0vEOSAyZQwH4EIj6SS7fXI1d
PoqZKm7100ib0/wm6I49cF2b0EXRTSOYrgZneyniPVGpfTkpN2atNcEgdLSvAWQKEI+p
79Dt0/BJd2CIuqgUbZBlA8pH6a119FtfrVqxVWJAmVvsv9lpkMIjJrFTj9yqpUFKeeYB
XTeA==
X-Received: by 10.14.6.136 with SMTP id 8mr9978716een.11.1386880631657;
Thu, 12 Dec 2013 12:37:11 -0800 (PST)
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.00
for <multiple recipients>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 12 Dec 2013 12:37:01 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
Subject: [PATCH] KVM: Improve create VCPU parameter
Date: Thu, 12 Dec 2013 21:36:51 +0100
Message-Id: <1386880614-23300-1-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org
From: Andy Honig <ahonig@google.com>
In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
malicious user could specify a vcpu_id greater than 255 in order to set or
clear bits in kernel memory. This could be used to elevate priveges in the
kernel. This patch verifies that the vcpu_id provided is less than 255.
The api documentation already specifies that the vcpu_id must be less than
max_vcpus, but this is currently not checked.
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
virt/kvm/kvm_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index a0aa84b5941a..4f588bc94186 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1898,6 +1898,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
int r;
struct kvm_vcpu *vcpu, *v;
+ if (id >= KVM_MAX_VCPUS)
+ return -EINVAL;
+
vcpu = kvm_arch_vcpu_create(kvm, id);
if (IS_ERR(vcpu))
return PTR_ERR(vcpu);
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

247
KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
View File

@ -1,247 +0,0 @@
Bugzilla: 1042090
Upstream-status: 3.13 and sent for stable
Delivered-To: jwboyer@gmail.com
Received: by 10.76.104.107 with SMTP id gd11csp361293oab;
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
X-Received: by 10.68.244.2 with SMTP id xc2mr15600217pbc.58.1386880872483;
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id 5si8126292pbj.245.2013.12.12.12.40.49
for <multiple recipients>;
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
dkim=neutral (bad format) header.i=@gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1751901Ab3LLUiK (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
Thu, 12 Dec 2013 15:38:10 -0500
Received: from mail-ea0-f169.google.com ([209.85.215.169]:43997 "EHLO
mail-ea0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751940Ab3LLUhR (ORCPT
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:17 -0500
Received: by mail-ea0-f169.google.com with SMTP id l9so411843eaj.0
for <multiple recipients>; Thu, 12 Dec 2013 12:37:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=sender:from:to:cc:subject:date:message-id;
bh=2MLmYgVGbv9FpnyP90yrPKk21SJoXFj93yQcaRn4G8Y=;
b=ouBadI22VTf1UuezbySC80FWJYdpF/8Ks6I8f5rq1/7SDQPTpScjOYjZX0UtIf1ihj
aeQ7IHqpmIYGKWadUbH2l88ZP1+rP7T+f2dZQeCb3HLNsPum0Ix8dzm/koeDnuS3dx75
50E9ZcFXO13Hx24tM8p0SAuYZ1DvbCNnPRK0yxHOmCtCWe+mQLBIgig1rg8TzSAazWm7
8LhpztDlIzNyZcfzKQvtdqTOBdnhadx5x39fxOe54Yw4JbppDa7R+BY5Jz6GOd3U0Op1
Nf97rU0pe/jeyOtjF0LVs/d9iyPPeRoSE+VAr91iT8qj9S2PFEN1QxxWL8sdvsDPZK6B
ZCmw==
X-Received: by 10.14.182.199 with SMTP id o47mr10030582eem.7.1386880635352;
Thu, 12 Dec 2013 12:37:15 -0800 (PST)
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.13
for <multiple recipients>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 12 Dec 2013 12:37:14 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
Subject: [PATCH] KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
Date: Thu, 12 Dec 2013 21:36:53 +0100
Message-Id: <1386880614-23300-3-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org
From: Andy Honig <ahonig@google.com>
In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
potential to corrupt kernel memory if userspace provides an address that
is at the end of a page. This patches concerts those functions to use
kvm_write_guest_cached and kvm_read_guest_cached. It also checks the
vapic_address specified by userspace during ioctl processing and returns
an error to userspace if the address is not a valid GPA.
This is generally not guest triggerable, because the required write is
done by firmware that runs before the guest. Also, it only affects AMD
processors and oldish Intel that do not have the FlexPriority feature
(unless you disable FlexPriority, of course; then newer processors are
also affected).
Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/lapic.c | 27 +++++++++++++++------------
arch/x86/kvm/lapic.h | 4 ++--
arch/x86/kvm/x86.c | 40 +---------------------------------------
3 files changed, 18 insertions(+), 53 deletions(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 89b52ec7d09c..b8bec45c1610 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1692,7 +1692,6 @@ static void apic_sync_pv_eoi_from_guest(struct kvm_vcpu *vcpu,
void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
{
u32 data;
- void *vapic;
if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention))
apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic);
@@ -1700,9 +1699,8 @@ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention))
return;
- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr));
- kunmap_atomic(vapic);
+ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
+ sizeof(u32));
apic_set_tpr(vcpu->arch.apic, data & 0xff);
}
@@ -1738,7 +1736,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu)
u32 data, tpr;
int max_irr, max_isr;
struct kvm_lapic *apic = vcpu->arch.apic;
- void *vapic;
apic_sync_pv_eoi_to_guest(vcpu, apic);
@@ -1754,18 +1751,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu)
max_isr = 0;
data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24);
- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data;
- kunmap_atomic(vapic);
+ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
+ sizeof(u32));
}
-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
{
- vcpu->arch.apic->vapic_addr = vapic_addr;
- if (vapic_addr)
+ if (vapic_addr) {
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
+ &vcpu->arch.apic->vapic_cache,
+ vapic_addr, sizeof(u32)))
+ return -EINVAL;
__set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
- else
+ } else {
__clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
+ }
+
+ vcpu->arch.apic->vapic_addr = vapic_addr;
+ return 0;
}
int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data)
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index c730ac9fe801..c8b0d0d2da5c 100644
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -34,7 +34,7 @@ struct kvm_lapic {
*/
void *regs;
gpa_t vapic_addr;
- struct page *vapic_page;
+ struct gfn_to_hva_cache vapic_cache;
unsigned long pending_events;
unsigned int sipi_vector;
};
@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data);
void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset);
void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector);
-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu);
void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 21ef1ba184ae..5d004da1e35d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3214,8 +3214,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
r = -EFAULT;
if (copy_from_user(&va, argp, sizeof va))
goto out;
- r = 0;
- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
+ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
break;
}
case KVM_X86_SETUP_MCE: {
@@ -5739,36 +5738,6 @@ static void post_kvm_run_save(struct kvm_vcpu *vcpu)
!kvm_event_needs_reinjection(vcpu);
}
-static int vapic_enter(struct kvm_vcpu *vcpu)
-{
- struct kvm_lapic *apic = vcpu->arch.apic;
- struct page *page;
-
- if (!apic || !apic->vapic_addr)
- return 0;
-
- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
- if (is_error_page(page))
- return -EFAULT;
-
- vcpu->arch.apic->vapic_page = page;
- return 0;
-}
-
-static void vapic_exit(struct kvm_vcpu *vcpu)
-{
- struct kvm_lapic *apic = vcpu->arch.apic;
- int idx;
-
- if (!apic || !apic->vapic_addr)
- return;
-
- idx = srcu_read_lock(&vcpu->kvm->srcu);
- kvm_release_page_dirty(apic->vapic_page);
- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
- srcu_read_unlock(&vcpu->kvm->srcu, idx);
-}
-
static void update_cr8_intercept(struct kvm_vcpu *vcpu)
{
int max_irr, tpr;
@@ -6069,11 +6038,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
struct kvm *kvm = vcpu->kvm;
vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
- r = vapic_enter(vcpu);
- if (r) {
- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
- return r;
- }
r = 1;
while (r > 0) {
@@ -6132,8 +6096,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
- vapic_exit(vcpu);
-
return r;
}
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

102
KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
View File

@ -1,102 +0,0 @@
Bugzilla: 1042081
Upstream-status: 3.13 and sent for stable
Delivered-To: jwboyer@gmail.com
Received: by 10.76.104.107 with SMTP id gd11csp361402oab;
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
X-Received: by 10.68.241.134 with SMTP id wi6mr15423072pbc.44.1386881023599;
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id w3si17375457pbh.89.2013.12.12.12.43.07
for <multiple recipients>;
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org;
dkim=neutral (bad format) header.i=@gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1752145Ab3LLUiu (ORCPT <rfc822;multinymous@gmail.com>
+ 99 others); Thu, 12 Dec 2013 15:38:50 -0500
Received: from mail-ee0-f45.google.com ([74.125.83.45]:47138 "EHLO
mail-ee0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751902Ab3LLUhP (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 12 Dec 2013 15:37:15 -0500
Received: by mail-ee0-f45.google.com with SMTP id d49so478739eek.32
for <multiple recipients>; Thu, 12 Dec 2013 12:37:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=sender:from:to:cc:subject:date:message-id;
bh=Fa9qXXe9oER+jgB6WXA5v2LyR8O2Vaag7ZsOsv67MLg=;
b=WbBUzKN8o3OzB75st3w60z/rVczWaaxrvWc2URlwJwZ0lgqObvbXvAb3ophFJxsr/O
P3rEj33CGt5vFAmZWsrST8I4pVb7IPZYqmPuBklMhDmvegy2um2xEDCyIuI0oybwgple
n1dYPBTNqBhiiLgIUeKgEf88yU5dsAgKOZSTnkMYhDSy9pnGxRda4WtErJ+SHjvcMaX3
t2Vt97egJ2n+e+2BvnpS8xZ8biqp6/l3EzvdsL4W849fUUshAKva4Npu0T/D4E3JIp2O
3uY+geb/txJL2rOCacT3RljUb3+zAy2zhqGSjKR3AHePFNIX9RxfMi/vlPmTjO0vfmCP
H86Q==
X-Received: by 10.14.2.73 with SMTP id 49mr10139590eee.15.1386880633625;
Thu, 12 Dec 2013 12:37:13 -0800 (PST)
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.11
for <multiple recipients>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 12 Dec 2013 12:37:12 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
Subject: [PATCH] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
Date: Thu, 12 Dec 2013 21:36:52 +0100
Message-Id: <1386880614-23300-2-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Andy Honig <ahonig@google.com>
Under guest controllable circumstances apic_get_tmcct will execute a
divide by zero and cause a crash. If the guest cpuid support
tsc deadline timers and performs the following sequence of requests
the host will crash.
- Set the mode to periodic
- Set the TMICT to 0
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
- Set the TMICT to non-zero.
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
guest then reads from the TMCCT then the host will perform a divide by 0.
This patch ensures that if the lapic_timer.period is 0, then the division
does not occur.
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/lapic.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 5439117d5c4c..89b52ec7d09c 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
ASSERT(apic != NULL);
/* if initial count is 0, current count should also be 0 */
- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
+ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
+ apic->lapic_timer.period == 0)
return 0;
remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

109
KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
View File

@ -1,109 +0,0 @@
Bugzilla: 1042099
Upstream-status: 3.13 and sent for stable
Delivered-To: jwboyer@gmail.com
Received: by 10.76.104.107 with SMTP id gd11csp361370oab;
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
X-Received: by 10.43.172.4 with SMTP id nw4mr8453091icc.25.1386880976232;
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id 2si15667240pax.109.2013.12.12.12.42.31
for <multiple recipients>;
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
dkim=neutral (bad format) header.i=@gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1751853Ab3LLUiJ (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
Thu, 12 Dec 2013 15:38:09 -0500
Received: from mail-ee0-f54.google.com ([74.125.83.54]:48290 "EHLO
mail-ee0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751884Ab3LLUhS (ORCPT
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:18 -0500
Received: by mail-ee0-f54.google.com with SMTP id e51so406857eek.13
for <multiple recipients>; Thu, 12 Dec 2013 12:37:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=sender:from:to:cc:subject:date:message-id;
bh=VG00enyRpNYeJLwAwqWOGuy3mCBmvpmEBgLPB1IiKNo=;
b=p0BlraPBMTIxTXGUuJyYTYRxuMKATenNpVX01fyzNpSYZsMruyMU/sJ8gdc2991eao
ZU+66Xlnbd+AyQiuq4P9sMv6Gvax6MvJg04SMZWnLWoZGonmIIwSPch1UKLSJzRN7K+N
+Ot3jLtNBYBoREljPkbscbMVOJ2y+S7N61oOZ7IHZNyXVFWDlW8aunduSgc3cytBEhkx
UMUUbHVLo+XrXtuggFrmn8oUfJ1hiHQSpOyx8bi0ztxlEjL4DEFpJsKbjRe4sGRgeUy6
dRk+7dEcILKBTRVvXaJSriXG5bhZTbcZ5gZab27Ilm1H8Va5Z6R+9C1AwX2x5CQA7Mb1
Edug==
X-Received: by 10.14.107.3 with SMTP id n3mr9951281eeg.67.1386880636981;
Thu, 12 Dec 2013 12:37:16 -0800 (PST)
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.15
for <multiple recipients>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 12 Dec 2013 12:37:16 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
stable@vger.kernel.org
Subject: [PATCH] KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
Date: Thu, 12 Dec 2013 21:36:54 +0100
Message-Id: <1386880614-23300-4-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org
From: Gleb Natapov <gleb@redhat.com>
A guest can cause a BUG_ON() leading to a host kernel crash.
When the guest writes to the ICR to request an IPI, while in x2apic
mode the following things happen, the destination is read from
ICR2, which is a register that the guest can control.
kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
cluster id. A BUG_ON is triggered, which is a protection against
accessing map->logical_map with an out-of-bounds access and manages
to avoid that anything really unsafe occurs.
The logic in the code is correct from real HW point of view. The problem
is that KVM supports only one cluster with ID 0 in clustered mode, but
the code that has the bug does not take this into account.
Reported-by: Lars Bull <larsbull@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/lapic.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index b8bec45c1610..801dc3fd66e1 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic)
return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
}
+#define KMV_X2APIC_CID_BITS 0
+
static void recalculate_apic_map(struct kvm *kvm)
{
struct kvm_apic_map *new, *old = NULL;
@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm)
if (apic_x2apic_mode(apic)) {
new->ldr_bits = 32;
new->cid_shift = 16;
- new->cid_mask = new->lid_mask = 0xffff;
+ new->cid_mask = (1 << KMV_X2APIC_CID_BITS) - 1;
+ new->lid_mask = 0xffff;
} else if (kvm_apic_sw_enabled(apic) &&
!new->cid_mask /* flat mode */ &&
kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

29
kernel.spec
View File

@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 3
# The git snapshot level
%define gitrev 3
%define gitrev 4
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@ -711,18 +711,6 @@ Patch25170: 0001-drm-radeon-dpm-Fix-hwmon-crash.patch
#rhbz 1030802
Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch
#CVE-2013-6367 rhbz 1032207 1042081
Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
#CVE-2013-6368 rhbz 1032210 1042090
Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
#CVE-2013-6376 rhbz 1033106 1042099
Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
#CVE-2013-4587 rhbz 1030986 1042071
Patch25175: KVM-Improve-create-VCPU-parameter.patch
# END OF PATCH DEFINITIONS
%endif
@ -1400,18 +1388,6 @@ ApplyPatch 0001-drm-radeon-dpm-Fix-hwmon-crash.patch
#rhbz 1030802
ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch
#CVE-2013-6367 rhbz 1032207 1042081
ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
#CVE-2013-6368 rhbz 1032210 1042090
ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
#CVE-2013-6376 rhbz 1033106 1042099
ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
#CVE-2013-4587 rhbz 1030986 1042071
ApplyPatch KVM-Improve-create-VCPU-parameter.patch
# END OF PATCH APPLICATIONS
%endif
@ -2224,6 +2200,9 @@ fi
# ||----w |
# || ||
%changelog
* Fri Dec 13 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc3.git4.1
- Linux v3.13-rc3-302-g8d27637
* Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc3.git3.1
- Linux v3.13-rc3-249-g2208f65

2
sources
View File

@ -1,3 +1,3 @@
cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz
be2604350d32ab4967f9773920de1ec8 patch-3.13-rc3.xz
e730cb827aaf252cf2a016ebafe4f6ef patch-3.13-rc3-git3.xz
9455f561b79edc6ae7487ebabb456b87 patch-3.13-rc3-git4.xz