| From e46c002f08723503391c58b69d84f783121050dc Mon Sep 17 00:00:00 2001 |
| From: Andy Honig <ahonig@google.com> |
| Date: Wed, 20 Feb 2013 14:49:16 -0800 |
| Subject: [PATCH] KVM: Fix bounds checking in ioapic indirect register reads |
| (CVE-2013-1798) |
| |
| commit a2c118bfab8bc6b8bb213abfc35201e441693d55 upstream. |
| |
| If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows |
| that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate |
| that request. ioapic_read_indirect contains an |
| ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in |
| non-debug builds. In recent kernels this allows a guest to cause a kernel |
| oops by reading invalid memory. In older kernels (pre-3.3) this allows a |
| guest to read from large ranges of host memory. |
| |
| Tested: tested against apic unit tests. |
| |
| Signed-off-by: Andrew Honig <ahonig@google.com> |
| Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| virt/kvm/ioapic.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c |
| index 3500dee9cf2b..57afcdaa2863 100644 |
| --- a/virt/kvm/ioapic.c |
| +++ b/virt/kvm/ioapic.c |
| @@ -72,9 +72,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, |
| u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; |
| u64 redir_content; |
| |
| - ASSERT(redir_index < IOAPIC_NUM_PINS); |
| + if (redir_index < IOAPIC_NUM_PINS) |
| + redir_content = |
| + ioapic->redirtbl[redir_index].bits; |
| + else |
| + redir_content = ~0ULL; |
| |
| - redir_content = ioapic->redirtbl[redir_index].bits; |
| result = (ioapic->ioregsel & 0x1) ? |
| (redir_content >> 32) & 0xffffffff : |
| redir_content & 0xffffffff; |
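Review bot: The new fallback `redir_content = ~0ULL;` carries no comment explaining why all ones is the value returned for an out-of-range selector, so the next reader cannot tell whether it is meant to mirror what a nonexistent register reads as on real hardware or is an arbitrary sentinel; a comment such as `/* Selector beyond the last redirection entry: read as all ones, like a nonexistent register */` above the `else` would settle that. Since `redir_index` is a `u32` (first line of the hunk), a selector below 0x10 wraps to a large value and is also rejected by the new `redir_index < IOAPIC_NUM_PINS` comparison, which is worth stating in the same comment so nobody later "fixes" the subtraction. As a point of style, `redir_content = ioapic->redirtbl[redir_index].bits;` fits on one line and is easier to read than the two-line split. The body of ioapic_read_indirect begins before this hunk and continues after it.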
| -- |
| 1.8.5.2 |
| |