From d856aba78dd0eb51ace65fb0f6f5db9f62d16c78 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 12 Dec 2013 16:19:51 -0500 Subject: [PATCH] CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) --- ...ix-guest-initiated-crash-with-x2apic.patch | 109 ++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 116 insertions(+) create mode 100644 KVM-x86-fix-guest-initiated-crash-with-x2apic.patch diff --git a/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch b/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch new file mode 100644 index 000000000..c84fc61b9 --- /dev/null +++ b/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch @@ -0,0 +1,109 @@ +Bugzilla: 1042099 +Upstream-status: 3.13 and sent for stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp361370oab; + Thu, 12 Dec 2013 12:42:56 -0800 (PST) +X-Received: by 10.43.172.4 with SMTP id nw4mr8453091icc.25.1386880976232; + Thu, 12 Dec 2013 12:42:56 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id 2si15667240pax.109.2013.12.12.12.42.31 + for ; + Thu, 12 Dec 2013 12:42:56 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1751853Ab3LLUiJ (ORCPT + 64 others); + Thu, 12 Dec 2013 15:38:09 -0500 +Received: from mail-ee0-f54.google.com ([74.125.83.54]:48290 "EHLO + mail-ee0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751884Ab3LLUhS (ORCPT + ); Thu, 12 Dec 2013 15:37:18 -0500 +Received: by mail-ee0-f54.google.com with SMTP id e51so406857eek.13 + for ; Thu, 12 Dec 2013 12:37:17 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=sender:from:to:cc:subject:date:message-id; + bh=VG00enyRpNYeJLwAwqWOGuy3mCBmvpmEBgLPB1IiKNo=; + b=p0BlraPBMTIxTXGUuJyYTYRxuMKATenNpVX01fyzNpSYZsMruyMU/sJ8gdc2991eao + ZU+66Xlnbd+AyQiuq4P9sMv6Gvax6MvJg04SMZWnLWoZGonmIIwSPch1UKLSJzRN7K+N + +Ot3jLtNBYBoREljPkbscbMVOJ2y+S7N61oOZ7IHZNyXVFWDlW8aunduSgc3cytBEhkx + UMUUbHVLo+XrXtuggFrmn8oUfJ1hiHQSpOyx8bi0ztxlEjL4DEFpJsKbjRe4sGRgeUy6 + dRk+7dEcILKBTRVvXaJSriXG5bhZTbcZ5gZab27Ilm1H8Va5Z6R+9C1AwX2x5CQA7Mb1 + Edug== +X-Received: by 10.14.107.3 with SMTP id n3mr9951281eeg.67.1386880636981; + Thu, 12 Dec 2013 12:37:16 -0800 (PST) +Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54]) + by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.15 + for + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Thu, 12 Dec 2013 12:37:16 -0800 (PST) +From: Paolo Bonzini +To: linux-kernel@vger.kernel.org +Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com, + stable@vger.kernel.org +Subject: [PATCH] KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) +Date: Thu, 12 Dec 2013 21:36:54 +0100 +Message-Id: <1386880614-23300-4-git-send-email-pbonzini@redhat.com> +X-Mailer: git-send-email 1.8.3.1 +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +From: Gleb Natapov + +A guest can cause a BUG_ON() leading to a host kernel crash. +When the guest writes to the ICR to request an IPI, while in x2apic +mode the following things happen, the destination is read from +ICR2, which is a register that the guest can control. + +kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the +cluster id. A BUG_ON is triggered, which is a protection against +accessing map->logical_map with an out-of-bounds access and manages +to avoid that anything really unsafe occurs. + +The logic in the code is correct from real HW point of view. The problem +is that KVM supports only one cluster with ID 0 in clustered mode, but +the code that has the bug does not take this into account. + +Reported-by: Lars Bull +Cc: stable@vger.kernel.org +Signed-off-by: Gleb Natapov +Signed-off-by: Paolo Bonzini +--- + arch/x86/kvm/lapic.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index b8bec45c1610..801dc3fd66e1 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic) + return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff; + } + ++#define KMV_X2APIC_CID_BITS 0 ++ + static void recalculate_apic_map(struct kvm *kvm) + { + struct kvm_apic_map *new, *old = NULL; +@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm) + if (apic_x2apic_mode(apic)) { + new->ldr_bits = 32; + new->cid_shift = 16; +- new->cid_mask = new->lid_mask = 0xffff; ++ new->cid_mask = (1 << KMV_X2APIC_CID_BITS) - 1; ++ new->lid_mask = 0xffff; + } else if (kvm_apic_sw_enabled(apic) && + !new->cid_mask /* flat mode */ && + kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) { +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index 1914f41d2..34f64718c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -720,6 +720,9 @@ Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch #CVE-2013-6368 rhbz 1032210 1042090 Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch +#CVE-2013-6376 rhbz 1033106 1042099 +Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch + # END OF PATCH DEFINITIONS %endif @@ -1406,6 +1409,9 @@ ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch #CVE-2013-6368 rhbz 1032210 1042090 ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch +#CVE-2013-6376 rhbz 1033106 1042099 +ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch + # END OF PATCH APPLICATIONS %endif @@ -2219,6 +2225,7 @@ fi # || || %changelog * Thu Dec 12 2013 Josh Boyer +- CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) - CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090) - CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)