Google Git
Sign in
kernel / pub / scm / linux / kernel / git / tfiga / samsung-clk / b963a22e6d1a266a67e9eecc88134713fd54775c
commitb963a22e6d1a266a67e9eecc88134713fd54775c[log] [tgz]
authorAndy Honig <ahonig@google.com>Tue Nov 19 14:12:18 2013 -0800
committerPaolo Bonzini <pbonzini@redhat.com>Thu Dec 12 22:39:45 2013 +0100
treeb378e97caf7869445b6168e87b7c6b36d7e87674
parent338c7dbadd2671189cec7faf64c84d01071b3f96 [diff]
KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)

Under guest controllable circumstances apic_get_tmcct will execute a
divide by zero and cause a crash.  If the guest cpuid support
tsc deadline timers and performs the following sequence of requests
the host will crash.
- Set the mode to periodic
- Set the TMICT to 0
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
- Set the TMICT to non-zero.
Then the lapic_timer.period will be 0, but the TMICT will not be.  If the
guest then reads from the TMCCT then the host will perform a divide by 0.

This patch ensures that if the lapic_timer.period is 0, then the division
does not occur.

Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed
tree: b378e97caf7869445b6168e87b7c6b36d7e87674
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS