Ack: [PATCH Oneiric CVE-2012-2137] KVM: Fix buffer overflow in kvm_set_irq()

Leann Ogasawara leann.ogasawara at canonical.com
Fri Sep 7 20:24:54 UTC 2012


On 09/07/2012 08:33 AM, Tim Gardner wrote:
> From: Avi Kivity <avi at redhat.com>
>
> CVE-2012-2137
>
> BugLink: http://bugs.launchpad.net/bugs/1016298
>
> kvm_set_irq() has an internal buffer of three irq routing entries, allowing
> connecting a GSI to three IRQ chips or one MSI.  However setup_routing_entry()
> does not properly enforce this, allowing three irqchip routes followed by
> an MSI route to overflow the buffer.
>
> Fix by ensuring that an MSI entry is added to an empty list.
>
> Signed-off-by: Avi Kivity <avi at redhat.com>
> (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed)
>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>

Acked-by: Leann Ogasawara <leann.ogasawara at canonical.com>

> ---
>  virt/kvm/irq_comm.c |    1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
> index 9f614b4..272407c 100644
> --- a/virt/kvm/irq_comm.c
> +++ b/virt/kvm/irq_comm.c
> @@ -318,6 +318,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
>  	 */
>  	hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
>  		if (ei->type == KVM_IRQ_ROUTING_MSI ||
> +		    ue->type == KVM_IRQ_ROUTING_MSI ||
>  		    ue->u.irqchip.irqchip == ei->irqchip.irqchip)
>  			return r;
>  
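Review bot: The new `ue->type == KVM_IRQ_ROUTING_MSI` test is loop-invariant, so it only rejects an MSI entry when the hlist for `ue->gsi` already has at least one member, which is exactly the "MSI only into an empty list" rule the message states; hoisting it ahead of the loop as `if (ue->type == KVM_IRQ_ROUTING_MSI && !hlist_empty(&rt->map[ue->gsi])) return r;` would make that intent explicit and stop the loop from touching `ue->u.irqchip.irqchip` for MSI entries at all. The comment block ending at the `*/` just above the loop should also be updated to describe the three-irqchip-or-one-MSI limit now being enforced, and it is worth confirming that `r` still holds the error value (not visible in this hunk) at the point of the early `return r`.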
