CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071)
This commit is contained in:
parent
d856aba78d
commit
211cf9eef9
93
KVM-Improve-create-VCPU-parameter.patch
Normal file
93
KVM-Improve-create-VCPU-parameter.patch
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
Bugzilla: 1042071
|
||||||
|
Upstream-status: 3.13 and sent to stable
|
||||||
|
Delivered-To: jwboyer@gmail.com
|
||||||
|
Received: by 10.76.104.107 with SMTP id gd11csp361298oab;
|
||||||
|
Thu, 12 Dec 2013 12:41:21 -0800 (PST)
|
||||||
|
X-Received: by 10.50.109.132 with SMTP id hs4mr33803866igb.34.1386880880893;
|
||||||
|
Thu, 12 Dec 2013 12:41:20 -0800 (PST)
|
||||||
|
Return-Path: <stable-owner@vger.kernel.org>
|
||||||
|
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||||
|
by mx.google.com with ESMTP id q8si17378346pav.173.2013.12.12.12.40.57
|
||||||
|
for <multiple recipients>;
|
||||||
|
Thu, 12 Dec 2013 12:41:20 -0800 (PST)
|
||||||
|
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||||
|
Authentication-Results: mx.google.com;
|
||||||
|
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
|
||||||
|
dkim=neutral (bad format) header.i=@gmail.com
|
||||||
|
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||||
|
id S1752041Ab3LLUhR (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
|
||||||
|
Thu, 12 Dec 2013 15:37:17 -0500
|
||||||
|
Received: from mail-ea0-f179.google.com ([209.85.215.179]:43785 "EHLO
|
||||||
|
mail-ea0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||||
|
with ESMTP id S1751761Ab3LLUhN (ORCPT
|
||||||
|
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:13 -0500
|
||||||
|
Received: by mail-ea0-f179.google.com with SMTP id r15so485140ead.24
|
||||||
|
for <multiple recipients>; Thu, 12 Dec 2013 12:37:11 -0800 (PST)
|
||||||
|
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||||
|
d=gmail.com; s=20120113;
|
||||||
|
h=sender:from:to:cc:subject:date:message-id;
|
||||||
|
bh=3nLdta59rbActmGe9iq6aMqjNBfzfF7lqy0gb7EeI0I=;
|
||||||
|
b=fWKHZKszZQjXAVDzYAlwX8s4+UNEomYiCAX0zvDzW7A5Yiy28MUt0QbNu6288Pu+Qs
|
||||||
|
NJ38SpDcPLWzGknYOLggLa21nXsv4tX9vp4FFEY4i3H5iCVpXbvxIc+n9ZVOzWY2wkxK
|
||||||
|
HR1Xf24kJ9FPuV/LoIyu5RlHZUm95BoAe7TxRZWlkcxQ0vEOSAyZQwH4EIj6SS7fXI1d
|
||||||
|
PoqZKm7100ib0/wm6I49cF2b0EXRTSOYrgZneyniPVGpfTkpN2atNcEgdLSvAWQKEI+p
|
||||||
|
79Dt0/BJd2CIuqgUbZBlA8pH6a119FtfrVqxVWJAmVvsv9lpkMIjJrFTj9yqpUFKeeYB
|
||||||
|
XTeA==
|
||||||
|
X-Received: by 10.14.6.136 with SMTP id 8mr9978716een.11.1386880631657;
|
||||||
|
Thu, 12 Dec 2013 12:37:11 -0800 (PST)
|
||||||
|
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
|
||||||
|
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.00
|
||||||
|
for <multiple recipients>
|
||||||
|
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
|
||||||
|
Thu, 12 Dec 2013 12:37:01 -0800 (PST)
|
||||||
|
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
To: linux-kernel@vger.kernel.org
|
||||||
|
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
|
||||||
|
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
|
||||||
|
Subject: [PATCH] KVM: Improve create VCPU parameter
|
||||||
|
Date: Thu, 12 Dec 2013 21:36:51 +0100
|
||||||
|
Message-Id: <1386880614-23300-1-git-send-email-pbonzini@redhat.com>
|
||||||
|
X-Mailer: git-send-email 1.8.3.1
|
||||||
|
Sender: stable-owner@vger.kernel.org
|
||||||
|
Precedence: bulk
|
||||||
|
List-ID: <stable.vger.kernel.org>
|
||||||
|
X-Mailing-List: stable@vger.kernel.org
|
||||||
|
|
||||||
|
From: Andy Honig <ahonig@google.com>
|
||||||
|
|
||||||
|
In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
|
||||||
|
malicious user could specify a vcpu_id greater than 255 in order to set or
|
||||||
|
clear bits in kernel memory. This could be used to elevate priveges in the
|
||||||
|
kernel. This patch verifies that the vcpu_id provided is less than 255.
|
||||||
|
The api documentation already specifies that the vcpu_id must be less than
|
||||||
|
max_vcpus, but this is currently not checked.
|
||||||
|
|
||||||
|
Reported-by: Andrew Honig <ahonig@google.com>
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
---
|
||||||
|
virt/kvm/kvm_main.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
|
||||||
|
index a0aa84b5941a..4f588bc94186 100644
|
||||||
|
--- a/virt/kvm/kvm_main.c
|
||||||
|
+++ b/virt/kvm/kvm_main.c
|
||||||
|
@@ -1898,6 +1898,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
|
||||||
|
int r;
|
||||||
|
struct kvm_vcpu *vcpu, *v;
|
||||||
|
|
||||||
|
+ if (id >= KVM_MAX_VCPUS)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+
|
||||||
|
vcpu = kvm_arch_vcpu_create(kvm, id);
|
||||||
|
if (IS_ERR(vcpu))
|
||||||
|
return PTR_ERR(vcpu);
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
||||||
|
--
|
||||||
|
To unsubscribe from this list: send the line "unsubscribe stable" in
|
||||||
|
the body of a message to majordomo@vger.kernel.org
|
||||||
|
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
@ -723,6 +723,9 @@ Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
|
|||||||
#CVE-2013-6376 rhbz 1033106 1042099
|
#CVE-2013-6376 rhbz 1033106 1042099
|
||||||
Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
|
Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
|
||||||
|
|
||||||
|
#CVE-2013-4587 rhbz 1030986 1042071
|
||||||
|
Patch25175: KVM-Improve-create-VCPU-parameter.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1412,6 +1415,9 @@ ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
|
|||||||
#CVE-2013-6376 rhbz 1033106 1042099
|
#CVE-2013-6376 rhbz 1033106 1042099
|
||||||
ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
|
ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
|
||||||
|
|
||||||
|
#CVE-2013-4587 rhbz 1030986 1042071
|
||||||
|
ApplyPatch KVM-Improve-create-VCPU-parameter.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2225,6 +2231,7 @@ fi
|
|||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
* Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071)
|
||||||
- CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099)
|
- CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099)
|
||||||
- CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090)
|
- CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090)
|
||||||
- CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)
|
- CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)
|
||||||
|
Loading…
Reference in New Issue
Block a user