ACK: [Lucid][CVE-2013-6367] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
Brad Figg
brad.figg at canonical.com
Thu Jan 9 19:32:55 UTC 2014
On 01/09/2014 09:10 AM, Luis Henriques wrote:
> From: Andy Honig <ahonig at google.com>
>
> CVE-2013-6367
>
> BugLink: http://bugs.launchpad.net/bugs/1261566
>
> Under guest controllable circumstances apic_get_tmcct will execute a
> divide by zero and cause a crash. If the guest cpuid support
> tsc deadline timers and performs the following sequence of requests
> the host will crash.
> - Set the mode to periodic
> - Set the TMICT to 0
> - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
> - Set the TMICT to non-zero.
> Then the lapic_timer.period will be 0, but the TMICT will not be. If the
> guest then reads from the TMCCT then the host will perform a divide by 0.
>
> This patch ensures that if the lapic_timer.period is 0, then the division
> does not occur.
>
> Reported-by: Andrew Honig <ahonig at google.com>
> Cc: stable at vger.kernel.org
> Signed-off-by: Andrew Honig <ahonig at google.com>
> Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> (back ported from commit b963a22e6d1a266a67e9eecc88134713fd54775c)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> arch/x86/kvm/lapic.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
> index 8dfeaaa..b77857f 100644
> --- a/arch/x86/kvm/lapic.c
> +++ b/arch/x86/kvm/lapic.c
> @@ -519,7 +519,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
> ASSERT(apic != NULL);
>
> /* if initial count is 0, current count should also be 0 */
> - if (apic_get_reg(apic, APIC_TMICT) == 0)
> + if (apic_get_reg(apic, APIC_TMICT) == 0 ||
> + apic->lapic_timer.period == 0)
> return 0;
>
> remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
>
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
More information about the kernel-team
mailing list