| From: Andy Honig <ahonig@google.com> |
| Date: Tue, 19 Nov 2013 14:12:18 -0800 |
| Subject: KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) |
| |
| commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream. |
| |
| Under guest controllable circumstances apic_get_tmcct will execute a |
| divide by zero and cause a crash. If the guest cpuid support |
| tsc deadline timers and performs the following sequence of requests |
| the host will crash. |
| - Set the mode to periodic |
| - Set the TMICT to 0 |
| - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) |
| - Set the TMICT to non-zero. |
| Then the lapic_timer.period will be 0, but the TMICT will not be. If the |
| guest then reads from the TMCCT then the host will perform a divide by 0. |
| |
| This patch ensures that if the lapic_timer.period is 0, then the division |
| does not occur. |
| |
| Reported-by: Andrew Honig <ahonig@google.com> |
| Signed-off-by: Andrew Honig <ahonig@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| [bwh: Backported to 3.2: s/kvm_apic_get_reg/apic_get_reg/] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| arch/x86/kvm/lapic.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/arch/x86/kvm/lapic.c |
| +++ b/arch/x86/kvm/lapic.c |
| @@ -537,7 +537,8 @@ static u32 apic_get_tmcct(struct kvm_lap |
| ASSERT(apic != NULL); |
| |
| /* if initial count is 0, current count should also be 0 */ |
| - if (apic_get_reg(apic, APIC_TMICT) == 0) |
| + if (apic_get_reg(apic, APIC_TMICT) == 0 || |
| + apic->lapic_timer.period == 0) |
| return 0; |
| |
| remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); |
