ACK: [Lucid][CVE-2013-4587] KVM: Improve create VCPU parameter (CVE-2013-4587)

Brad Figg brad.figg at canonical.com
Thu Jan 9 18:05:06 UTC 2014


On 01/09/2014 09:10 AM, Luis Henriques wrote:
> From: Andy Honig <ahonig at google.com>
> 
> CVE-2013-4587
> 
> BugLink: http://bugs.launchpad.net/bugs/1261564
> 
> In multiple functions the vcpu_id is used as an offset into a bitfield.  A
> malicious user could specify a vcpu_id greater than 255 in order to set or
> clear bits in kernel memory.  This could be used to elevate privileges in the
> kernel.  This patch verifies that the vcpu_id provided is less than 255.
> The api documentation already specifies that the vcpu_id must be less than
> max_vcpus, but this is currently not checked.
> 
> Reported-by: Andrew Honig <ahonig at google.com>
> Cc: stable at vger.kernel.org
> Signed-off-by: Andrew Honig <ahonig at google.com>
> Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> (cherry picked from commit 338c7dbadd2671189cec7faf64c84d01071b3f96)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  virt/kvm/kvm_main.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 16d02a6..d33b66b 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -1871,6 +1871,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
>  	int r;
>  	struct kvm_vcpu *vcpu, *v;
>  
> +	if (id >= KVM_MAX_VCPUS)
> +		return -EINVAL;
> +
>  	vcpu = kvm_arch_vcpu_create(kvm, id);
>  	if (IS_ERR(vcpu))
>  		return PTR_ERR(vcpu);
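Review bot: the bound in the hunk is `id >= KVM_MAX_VCPUS`, while the commit message says the patch "verifies that the vcpu_id provided is less than 255" and that the API documents the limit as max_vcpus; please state the constant actually compared against in the description so the two agree. The placement is right: the test comes before `kvm_arch_vcpu_create(kvm, id)`, the first use of `id` in the function. Since `id` is a `u32`, the single `>=` comparison also rejects any value a caller passed as a negative int, so no lower-bound check is needed.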
> 


-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com
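The bug class behind this CVE, as an added, self-contained C model (not kernel code and not part of the patch above): a user-controlled vcpu id is used as a bit offset into a fixed-size kernel bitmap, and without a range check the write lands in whatever memory follows the bitmap. The value of KVM_MAX_VCPUS, the `vcpu_bitmap`/`create_vcpu_*` names and the `struct kvm` layout are assumptions for the demo; only the shape of the check matches the hunk.

```c
/*
 * Added example, not kernel code: models the out-of-range bitmap write that
 * CVE-2013-4587 fixes. create_vcpu_unchecked() uses the id as a bit offset
 * without validation; create_vcpu_checked() adds the patch's range test.
 * KVM_MAX_VCPUS and all names below are stand-ins chosen for this demo.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KVM_MAX_VCPUS 255                     /* assumed value for the demo */
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define VCPU_BITMAP_LONGS BITS_TO_LONGS(KVM_MAX_VCPUS)
/* first bit position that lies past the end of the bitmap */
#define FIRST_OOB_ID ((uint32_t)(VCPU_BITMAP_LONGS * BITS_PER_LONG))

struct kvm {
    /* mem[0 .. VCPU_BITMAP_LONGS-1] is the vcpu bitmap; mem[VCPU_BITMAP_LONGS]
     * stands for unrelated kernel data that happens to follow it. Keeping both
     * in one array lets the out-of-range write be observed without undefined
     * behaviour in the model itself. */
    unsigned long mem[VCPU_BITMAP_LONGS + 1];
    int online_vcpus;
};

static unsigned long *vcpu_bitmap(struct kvm *kvm) { return kvm->mem; }

/* The word that sits right after the bitmap; nonzero means it was corrupted. */
unsigned long neighbour_word(const struct kvm *kvm)
{
    return kvm->mem[VCPU_BITMAP_LONGS];
}

static int test_bit(uint32_t nr, const unsigned long *map)
{
    return (map[nr / BITS_PER_LONG] >> (nr % BITS_PER_LONG)) & 1;
}

static void set_bit(uint32_t nr, unsigned long *map)
{
    map[nr / BITS_PER_LONG] |= 1UL << (nr % BITS_PER_LONG);
}

/* Unpatched shape: the id goes straight into bitmap arithmetic. */
int create_vcpu_unchecked(struct kvm *kvm, uint32_t id)
{
    if (test_bit(id, vcpu_bitmap(kvm)))
        return -EEXIST;
    set_bit(id, vcpu_bitmap(kvm));
    kvm->online_vcpus++;
    return 0;
}

/* Patched shape: reject the id before it is ever used as an offset. */
int create_vcpu_checked(struct kvm *kvm, uint32_t id)
{
    if (id >= KVM_MAX_VCPUS)
        return -EINVAL;
    return create_vcpu_unchecked(kvm, id);
}

/* Run one create request against a fresh struct and report the result and
 * the state of the word following the bitmap. */
int run_create(int patched, uint32_t id, unsigned long *neighbour_after)
{
    struct kvm kvm;
    int r;

    memset(&kvm, 0, sizeof kvm);
    r = patched ? create_vcpu_checked(&kvm, id)
                : create_vcpu_unchecked(&kvm, id);
    if (neighbour_after)
        *neighbour_after = neighbour_word(&kvm);
    return r;
}

int main(void)
{
    unsigned long n;
    int r;

    /* Only one word past the bitmap is modelled, so the demo uses the smallest
     * out-of-range id; in the kernel any 32-bit value was reachable. */
    r = run_create(0, FIRST_OOB_ID, &n);
    printf("unchecked id=%u: r=%d, word after bitmap=%#lx\n", FIRST_OOB_ID, r, n);
    r = run_create(1, FIRST_OOB_ID, &n);
    printf("checked   id=%u: r=%d, word after bitmap=%#lx\n", FIRST_OOB_ID, r, n);
    r = run_create(1, 3, &n);
    printf("checked   id=3: r=%d\n", r);
    return 0;
}
```

The unchecked path "succeeds" for an id just past the bitmap and flips a bit in the neighbouring word, which is the primitive the commit message describes; the checked path returns -EINVAL before the id is used, and because the id is unsigned the same single comparison also rejects values such as 0xFFFFFFFF that a caller might have passed as -1.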