ACK: [PATCH Oneiric CVE-2012-2137] KVM: Fix buffer overflow in kvm_set_irq()

Colin Ian King colin.king at canonical.com
Mon Sep 10 07:51:35 UTC 2012


On 07/09/12 16:33, Tim Gardner wrote:
> From: Avi Kivity <avi at redhat.com>
>
> CVE-2012-2137
>
> BugLink: http://bugs.launchpad.net/bugs/1016298
>
> kvm_set_irq() has an internal buffer of three irq routing entries, allowing
> connecting a GSI to three IRQ chips or on MSI.  However setup_routing_entry()
> does not properly enforce this, allowing three irqchip routes followed by
> an MSI route to overflow the buffer.
>
> Fix by ensuring that an MSI entry is added to an empty list.
>
> Signed-off-by: Avi Kivity <avi at redhat.com>
> (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed)
>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
>   virt/kvm/irq_comm.c |    1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
> index 9f614b4..272407c 100644
> --- a/virt/kvm/irq_comm.c
> +++ b/virt/kvm/irq_comm.c
> @@ -318,6 +318,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
>   	 */
>   	hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
>   		if (ei->type == KVM_IRQ_ROUTING_MSI ||
> +		    ue->type == KVM_IRQ_ROUTING_MSI ||
>   		    ue->u.irqchip.irqchip == ei->irqchip.irqchip)
>   			return r;
>
>
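Review bot: the new `ue->type == KVM_IRQ_ROUTING_MSI ||` condition only fires inside `hlist_for_each_entry`, so an MSI entry is rejected exactly when the `rt->map[ue->gsi]` list already holds any entry and accepted when the list is empty, which matches the commit message; the block comment that ends at `*/` just above the loop should be updated to state this new rule alongside the existing "no irqchip after MSI / no duplicate irqchip" rules, and since the early `return r;` is unchanged it is worth confirming in the backport that `r` already carries an error value (it is set before the visible context) rather than the success value it would hold after a completed insert.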
Looks OK to me.

Acked-by: Colin Ian King <colin.king at canonical.com>



