1 From 529f623f46e74f732f0e76671aa0dc6bb6ff8f0b Mon Sep 17 00:00:00 2001
2 From: Andrew Honig <ahonig@google.com>
3 Date: Mon, 11 Mar 2013 15:10:26 -0600
4 Subject: KVM: Fix bounds checking in ioapic indirect register read
5 Patch-mainline: Not yet, Embargo lifted 2013-03-18
6 References: bnc#806980 CVE-2013-1798
7
8 If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows
9 that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
10 that request.  ioapic_read_indirect contains an
11 ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
12 non-debug builds.  In recent kernels this allows a guest to cause a kernel
13 oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
14 guest to read from large ranges of host memory.
15
16 Tested: tested against apic unit tests.
17
18 Signed-off-by: Andrew Honig <ahonig@google.com>
19 Acked-by: Bruce Rogers <brogers@suse.com>
20 ---
21  virt/kvm/ioapic.c |    7 +++++--
22  1 files changed, 5 insertions(+), 2 deletions(-)
23
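diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
index d75c1ee0..4ffad35 100644
--- a/virt/kvm/ioapic.c
+++ b/virt/kvm/ioapic.c
@@ -73,9 +73,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
                         u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
                         u64 redir_content;
 
-                       ASSERT(redir_index < IOAPIC_NUM_PINS);
+                       if (redir_index < IOAPIC_NUM_PINS)
+                               redir_content =
+                                       ioapic->redirtbl[redir_index].bits;
+                       else
+                               redir_content = ~0ULL;
 
-                       redir_content = ioapic->redirtbl[redir_index].bits;
                         result = (ioapic->ioregsel & 0x1) ?
                             (redir_content >> 32) & 0xffffffff :
                             redir_content & 0xffffffff;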
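Review bot: The out-of-range branch at `redir_content = ~0ULL;` carries no comment saying why all-ones is the value returned for a bad redirection-table index, so the next person touching this path cannot tell whether it mirrors what real hardware reads back for an unimplemented register or is just a harmless filler; a one-line comment such as `/* invalid redirection-table index: read back as all ones */` would settle that. The new check also depends on `redir_index` being unsigned: if `ioregsel` is unsigned as well, selectors below 0x10 that fall through to this default path wrap `ioregsel - 0x10` to a very large index and are rejected by the same comparison, which is worth stating explicitly rather than leaving implicit (the type of `ioregsel` is not visible in the hunk). The enclosing `ioapic_read_indirect` starts and ends outside the hunk, so the switch cases that handle the low register numbers could not be checked here.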