diff options
| author | Andy Honig <ahonig@google.com> | 2013-11-19 14:12:18 -0800 |
|---|---|---|
| committer | Willy Tarreau <w@1wt.eu> | 2014-05-19 07:54:34 +0200 |
| commit | e3123670efb2e10e536fa7fe752d72a4ca5bce9a (patch) | |
| tree | 8d6fee562cb22b2805fafef3ecf578902b1d2ec6 | |
| parent | ba6e9bbbd6e3e28d92ff43981c2354307c095b7c (diff) | |
| download | lwn-e3123670efb2e10e536fa7fe752d72a4ca5bce9a.tar.gz lwn-e3123670efb2e10e536fa7fe752d72a4ca5bce9a.zip | |
KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream
Under guest controllable circumstances apic_get_tmcct will execute a
divide by zero and cause a crash. If the guest cpuid support
tsc deadline timers and performs the following sequence of requests
the host will crash.
- Set the mode to periodic
- Set the TMICT to 0
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
- Set the TMICT to non-zero.
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
guest then reads from the TMCCT then the host will perform a divide by 0.
This patch ensures that if the lapic_timer.period is 0, then the division
does not occur.
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[dannf: backported to Debian's 2.6.32]
Signed-off-by: Willy Tarreau <w@1wt.eu>
| -rw-r--r-- | arch/x86/kvm/lapic.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index 8dfeaaa70795..b77857fe037c 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -519,7 +519,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) ASSERT(apic != NULL); /* if initial count is 0, current count should also be 0 */ - if (apic_get_reg(apic, APIC_TMICT) == 0) + if (apic_get_reg(apic, APIC_TMICT) == 0 || + apic->lapic_timer.period == 0) return 0; remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); |