| From 2febc839133280d5a5e8e1179c94ea674489dae2 Mon Sep 17 00:00:00 2001 |
| From: Andy Honig <ahonig@google.com> |
| Date: Wed, 27 Aug 2014 14:42:54 -0700 |
| Subject: KVM: x86: Improve thread safety in pit |
| |
| From: Andy Honig <ahonig@google.com> |
| |
| commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream. |
| |
| There's a race condition in the PIT emulation code in KVM. In |
| __kvm_migrate_pit_timer the pit_timer object is accessed without |
| synchronization. If the race condition occurs at the wrong time this |
| can crash the host kernel. |
| |
| This fixes CVE-2014-3611. |
| |
| Signed-off-by: Andrew Honig <ahonig@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/i8254.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/arch/x86/kvm/i8254.c |
| +++ b/arch/x86/kvm/i8254.c |
| @@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_ |
| return; |
| |
| timer = &pit->pit_state.timer; |
| + mutex_lock(&pit->pit_state.lock); |
| if (hrtimer_cancel(timer)) |
| hrtimer_start_expires(timer, HRTIMER_MODE_ABS); |
| + mutex_unlock(&pit->pit_state.lock); |
| } |
| |
| static void destroy_pit_timer(struct kvm_pit *pit) |
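Review bot: The new critical section around hrtimer_cancel()/hrtimer_start_expires() carries no comment saying what pit_state.lock is guarding, so a later reader cannot tell why the cancel-and-restart needs the mutex while the guard before `return;` and the address computation `timer = &pit->pit_state.timer;` are left outside it. I would add directly above the added `mutex_lock(&pit->pit_state.lock);` line: `/* pit_state.lock keeps the cancel/restart atomic against concurrent timer reconfiguration elsewhere in the PIT code (CVE-2014-3611); the competing writer is not visible in this hunk */`. Note that __kvm_migrate_pit_timer begins outside the hunk, so the early-return condition that derives pit is evaluated before the lock is taken; that looks intended since the lock itself lives in pit, but it is worth confirming that check reads nothing under pit_state that the lock protects. Taking a mutex here also requires every caller to be in sleepable context, which the commit description does not spell out — a one-line note on that precondition would help future callers.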