[Lucid][CVE-2014-3611] KVM: x86: Improve thread safety in pit
Luis Henriques
luis.henriques at canonical.com
Tue Dec 2 10:16:51 UTC 2014
From: Andy Honig <ahonig at google.com>
There's a race condition in the PIT emulation code in KVM. In
__kvm_migrate_pit_timer the pit_timer object is accessed without
synchronization. If the race condition occurs at the wrong time this
can crash the host kernel.
This fixes CVE-2014-3611.
Cc: stable at vger.kernel.org
Signed-off-by: Andrew Honig <ahonig at google.com>
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
(backported from commit 2febc839133280d5a5e8e1179c94ea674489dae2)
CVE-2014-3611
BugLink: http://bugs.launchpad.net/bugs/1384540
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
arch/x86/kvm/i8254.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 7e361b4d2a8c..3fae9cd67a1b 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -256,8 +256,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
return;
timer = &pit->pit_state.pit_timer.timer;
+ mutex_lock(&pit->pit_state.lock);
if (hrtimer_cancel(timer))
hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
+ mutex_unlock(&pit->pit_state.lock);
}
static void destroy_pit_timer(struct kvm_timer *pt)
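Review bot: the new mutex_lock/mutex_unlock pair around hrtimer_cancel() and hrtimer_start_expires() is correct only if the PIT hrtimer callback never takes pit_state.lock itself, because hrtimer_cancel() waits for an in-flight callback to finish and would otherwise deadlock while the mutex is held; the commit message says the access was unsynchronized but does not state that the callback is mutex-free, so one sentence confirming that (and that __kvm_migrate_pit_timer is only reached from sleepable context, since mutex_lock() can sleep) would make the backport easier to review. The early `return;` and the `timer = &pit->pit_state.pit_timer.timer;` line stay outside the lock, which is fine since they only compute a pointer and do not touch the timer state.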
--
2.1.0