ACK: [Lucid][CVE-2013-4587] KVM: Improve create VCPU parameter (CVE-2013-4587)
Brad Figg
brad.figg at canonical.com
Thu Jan 9 18:05:06 UTC 2014
On 01/09/2014 09:10 AM, Luis Henriques wrote:
> From: Andy Honig <ahonig at google.com>
>
> CVE-2013-4587
>
> BugLink: http://bugs.launchpad.net/bugs/1261564
>
> In multiple functions the vcpu_id is used as an offset into a bitfield. A
> malicious user could specify a vcpu_id greater than 255 in order to set or
> clear bits in kernel memory. This could be used to elevate privileges in the
> kernel. This patch verifies that the vcpu_id provided is less than 255.
> The api documentation already specifies that the vcpu_id must be less than
> max_vcpus, but this is currently not checked.
>
> Reported-by: Andrew Honig <ahonig at google.com>
> Cc: stable at vger.kernel.org
> Signed-off-by: Andrew Honig <ahonig at google.com>
> Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> (cherry picked from commit 338c7dbadd2671189cec7faf64c84d01071b3f96)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> virt/kvm/kvm_main.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 16d02a6..d33b66b 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -1871,6 +1871,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
> int r;
> struct kvm_vcpu *vcpu, *v;
>
> + if (id >= KVM_MAX_VCPUS)
> + return -EINVAL;
> +
> vcpu = kvm_arch_vcpu_create(kvm, id);
> if (IS_ERR(vcpu))
> return PTR_ERR(vcpu);
>
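Review bot: The commit message and the code disagree on the bound: the message says the patch "verifies that the vcpu_id provided is less than 255", but the hunk rejects `id >= KVM_MAX_VCPUS`, so the actual limit is whatever KVM_MAX_VCPUS is for the build, not a literal 255. The message should state the check in terms of KVM_MAX_VCPUS (which also matches its own remark that the API documents the limit as max_vcpus) so that backporters on trees with a different KVM_MAX_VCPUS do not assume 255. The check itself is correctly placed before `kvm_arch_vcpu_create(kvm, id)`, so no vcpu is allocated for an out-of-range id, and since `id` is `u32` in the function signature the single unsigned comparison also covers would-be negative values.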
--
Brad Figg brad.figg at canonical.com http://www.canonical.com