summaryrefslogtreecommitdiff
path: root/lib/compat_audit.c
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2014-08-19 19:14:50 +0800
committerPaolo Bonzini <pbonzini@redhat.com>2014-08-19 15:04:45 +0200
commit350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 (patch)
tree00f9822472c91756bf1d4c6577972e1d7d582823 /lib/compat_audit.c
parent7d1311b93e58ed55f3a31cc8f94c4b8fe988a2b9 (diff)
downloadlwn-350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7.tar.gz
lwn-350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7.zip
kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)
The third parameter of kvm_iommu_put_pages is wrong, It should be 'gfn - slot->base_gfn'. By making gfn very large, malicious guest or userspace can cause kvm to go to this error path, and subsequently to pass a huge value as size. Alternatively if gfn is small, then pages would be pinned but never unpinned, causing host memory leak and local DOS. Passing a reasonable but large value could be the most dangerous case, because it would unpin a page that should have stayed pinned, and thus allow the device to DMA into arbitrary memory. However, this cannot happen because of the condition that can trigger the error: - out of memory (where you can't allocate even a single page) should not be possible for the attacker to trigger - when exceeding the iommu's address space, guest pages after gfn will also exceed the iommu's address space, and inside kvm_iommu_put_pages() the iommu_iova_to_phys() will fail. The page thus would not be unpinned at all. Reported-by: Jack Morgenstein <jackm@mellanox.com> Cc: stable@vger.kernel.org Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'lib/compat_audit.c')
0 files changed, 0 insertions, 0 deletions