CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)
parent 04739196f3
commit 69ee1b7392
102
KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
Normal file
@ -0,0 +1,102 @@
|
||||
Bugzilla: 1042081
|
||||
Upstream-status: 3.13 and sent for stable
|
||||
Delivered-To: jwboyer@gmail.com
|
||||
Received: by 10.76.104.107 with SMTP id gd11csp361402oab;
|
||||
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
|
||||
X-Received: by 10.68.241.134 with SMTP id wi6mr15423072pbc.44.1386881023599;
|
||||
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
|
||||
Return-Path: <linux-kernel-owner@vger.kernel.org>
|
||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||
by mx.google.com with ESMTP id w3si17375457pbh.89.2013.12.12.12.43.07
|
||||
for <multiple recipients>;
|
||||
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
|
||||
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org;
|
||||
dkim=neutral (bad format) header.i=@gmail.com
|
||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1752145Ab3LLUiu (ORCPT <rfc822;multinymous@gmail.com>
|
||||
+ 99 others); Thu, 12 Dec 2013 15:38:50 -0500
|
||||
Received: from mail-ee0-f45.google.com ([74.125.83.45]:47138 "EHLO
|
||||
mail-ee0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||
with ESMTP id S1751902Ab3LLUhP (ORCPT
|
||||
<rfc822;linux-kernel@vger.kernel.org>);
|
||||
Thu, 12 Dec 2013 15:37:15 -0500
|
||||
Received: by mail-ee0-f45.google.com with SMTP id d49so478739eek.32
|
||||
for <multiple recipients>; Thu, 12 Dec 2013 12:37:13 -0800 (PST)
|
||||
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||
d=gmail.com; s=20120113;
|
||||
h=sender:from:to:cc:subject:date:message-id;
|
||||
bh=Fa9qXXe9oER+jgB6WXA5v2LyR8O2Vaag7ZsOsv67MLg=;
|
||||
b=WbBUzKN8o3OzB75st3w60z/rVczWaaxrvWc2URlwJwZ0lgqObvbXvAb3ophFJxsr/O
|
||||
P3rEj33CGt5vFAmZWsrST8I4pVb7IPZYqmPuBklMhDmvegy2um2xEDCyIuI0oybwgple
|
||||
n1dYPBTNqBhiiLgIUeKgEf88yU5dsAgKOZSTnkMYhDSy9pnGxRda4WtErJ+SHjvcMaX3
|
||||
t2Vt97egJ2n+e+2BvnpS8xZ8biqp6/l3EzvdsL4W849fUUshAKva4Npu0T/D4E3JIp2O
|
||||
3uY+geb/txJL2rOCacT3RljUb3+zAy2zhqGSjKR3AHePFNIX9RxfMi/vlPmTjO0vfmCP
|
||||
H86Q==
|
||||
X-Received: by 10.14.2.73 with SMTP id 49mr10139590eee.15.1386880633625;
|
||||
Thu, 12 Dec 2013 12:37:13 -0800 (PST)
|
||||
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
|
||||
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.11
|
||||
for <multiple recipients>
|
||||
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
|
||||
Thu, 12 Dec 2013 12:37:12 -0800 (PST)
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
To: linux-kernel@vger.kernel.org
|
||||
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
|
||||
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
|
||||
Subject: [PATCH] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
|
||||
Date: Thu, 12 Dec 2013 21:36:52 +0100
|
||||
Message-Id: <1386880614-23300-2-git-send-email-pbonzini@redhat.com>
|
||||
X-Mailer: git-send-email 1.8.3.1
|
||||
Sender: linux-kernel-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <linux-kernel.vger.kernel.org>
|
||||
X-Mailing-List: linux-kernel@vger.kernel.org
|
||||
|
||||
From: Andy Honig <ahonig@google.com>
|
||||
|
||||
Under guest controllable circumstances apic_get_tmcct will execute a
|
||||
divide by zero and cause a crash. If the guest cpuid support
|
||||
tsc deadline timers and performs the following sequence of requests
|
||||
the host will crash.
|
||||
- Set the mode to periodic
|
||||
- Set the TMICT to 0
|
||||
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
|
||||
- Set the TMICT to non-zero.
|
||||
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
|
||||
guest then reads from the TMCCT then the host will perform a divide by 0.
|
||||
|
||||
This patch ensures that if the lapic_timer.period is 0, then the division
|
||||
does not occur.
|
||||
|
||||
Reported-by: Andrew Honig <ahonig@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/lapic.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
|
||||
index 5439117d5c4c..89b52ec7d09c 100644
|
||||
--- a/arch/x86/kvm/lapic.c
|
||||
+++ b/arch/x86/kvm/lapic.c
|
||||
@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
|
||||
ASSERT(apic != NULL);
|
||||
|
||||
/* if initial count is 0, current count should also be 0 */
|
||||
- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
|
||||
+ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
|
||||
+ apic->lapic_timer.period == 0)
|
||||
return 0;
|
||||
|
||||
remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
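Review bot: In the embedded lapic.c hunk, the comment above the changed condition still reads "if initial count is 0, current count should also be 0", which does not explain the new apic->lapic_timer.period == 0 test. A second comment line would help, saying that the period can be 0 while TMICT is non-zero (the mode-bits-11 sequence in the commit message) and that this check is what keeps the division from running. The diffstat shows only apic_get_tmcct is touched, so it is worth confirming that no other reader of lapic_timer.period divides by it in that state. For the packaged file itself: the Bugzilla: tag at the top lists only 1042081, while the spec comments and changelog cite rhbz 1032207 and 1042081. The Delivered-To, Received and DKIM-Signature transport headers and the majordomo footer could also be trimmed, keeping From, Subject, Date and the commit message.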
@ -714,6 +714,9 @@ Patch25170: 0001-drm-radeon-dpm-Fix-hwmon-crash.patch
|
||||
#rhbz 1030802
|
||||
Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch
|
||||
|
||||
#CVE-2013-6367 rhbz 1032207 1042081
|
||||
Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -1394,6 +1397,9 @@ ApplyPatch 0001-drm-radeon-dpm-Fix-hwmon-crash.patch
|
||||
#rhbz 1030802
|
||||
ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch
|
||||
|
||||
#CVE-2013-6367 rhbz 1032207 1042081
|
||||
ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
@ -2206,6 +2212,9 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)
|
||||
|
||||
* Wed Dec 11 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc3.git2.1
|
||||
- Linux v3.13-rc3-174-g9538e10
|
||||
|
||||
|
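Review bot: The new %changelog entry dated Thu Dec 12 2013 carries no version-release after the author address, unlike the Dec 11 entry directly below it, which ends in "- 3.13.0-0.rc3.git2.1". If the release string is not filled in by a later build commit, add it so the CVE-2013-6367 fix can be tied to a specific package build.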