ACK: [PATCH 2/2 Lucid CVE-2012-2137] KVM: Fix buffer overflow in kvm_set_irq()
Stefan Bader
stefan.bader at canonical.com
Fri Sep 7 10:11:14 UTC 2012
On 06.09.2012 23:06, Tim Gardner wrote:
> From: Avi Kivity <avi at redhat.com>
>
> CVE-2012-2137
>
> BugLink: http://bugs.launchpad.net/bugs/1016298
>
> kvm_set_irq() has an internal buffer of three irq routing entries, allowing
> connecting a GSI to three IRQ chips or one MSI. However, setup_routing_entry()
> does not properly enforce this, allowing three irqchip routes followed by
> an MSI route to overflow the buffer.
>
> Fix by ensuring that an MSI entry is added to an empty list.
>
> Signed-off-by: Avi Kivity <avi at redhat.com>
> (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed)
>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
> virt/kvm/irq_comm.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
> index 40935be..5494097 100644
> --- a/virt/kvm/irq_comm.c
> +++ b/virt/kvm/irq_comm.c
> @@ -300,6 +300,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
> */
> hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
> if (ei->type == KVM_IRQ_ROUTING_MSI ||
> + ue->type == KVM_IRQ_ROUTING_MSI ||
> ue->u.irqchip.irqchip == ei->irqchip.irqchip)
> return r;
>
>
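Review bot: the invariant that the added `ue->type == KVM_IRQ_ROUTING_MSI` test enforces (an MSI route must be the only route on its GSI, and nothing may be added after an MSI route) is not documented at the hlist_for_each_entry loop; a one-line comment above the loop, such as `/* an MSI entry must be the sole entry for its GSI */`, would make the three-way condition self-explanatory. The logic itself reads correctly: because the test sits inside the loop body, an MSI `ue` is rejected as soon as any existing entry is found and accepted only when the list is empty, which is exactly what the commit message asks for. A side effect worth noting in the changelog is that the `ue->u.irqchip.irqchip == ei->irqchip.irqchip` comparison is now never reached for an MSI `ue`, so the union field is no longer read as irqchip data for an MSI entry. The value returned via `return r` is not visible in the hunk, so the caller's error reporting for this rejected case cannot be checked from the diff alone.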