KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
author    Andy Honig <ahonig@google.com>
          Wed, 20 Nov 2013 18:23:22 +0000 (10:23 -0800)
committer Paolo Bonzini <pbonzini@redhat.com>
          Thu, 12 Dec 2013 21:39:46 +0000 (22:39 +0100)
commit    7a620730008edb6d9776c68c1f0f44fd99c0531f
tree      68cfbeb6ea9d06ffd164bcc8b692993a90367333
parent    4ab9c37805c1b1398ec3579149fb54fb7eebc2a2
In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
potential to corrupt kernel memory if userspace provides an address that
is at the end of a page.  This patch converts those functions to use
kvm_write_guest_cached and kvm_read_guest_cached.  It also checks the
vapic_address specified by userspace during ioctl processing and returns
an error to userspace if the address is not a valid GPA.

This is generally not guest triggerable, because the required write is
done by firmware that runs before the guest.  Also, it only affects AMD
processors and oldish Intel that do not have the FlexPriority feature
(unless you disable FlexPriority, of course; then newer processors are
also affected).

Fixes: 3791753643af ('KVM: Accelerated apic support')
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kvm/lapic.c
arch/x86/kvm/lapic.h
arch/x86/kvm/x86.c
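As an added illustration, not part of this commit or of the KVM source, here is a small user-space C model of the bug class the message describes: a page-granular GPA-to-host translation followed by a whole-object copy runs off the end of the mapping when the address sits in the last bytes of a page, while the checked variant rejects a range that is not fully backed and never copies across a page boundary in one step. All sim_* names, the two-page memory layout with canaries, and the sample 8-byte object are constructed for this example.

```c
/* Constructed model of CVE-2013-6368's bug class: translate a GPA once by
 * page number, then memcpy a multi-byte object through the pointer. At the
 * end of a page the copy spills into whatever follows the mapping.
 * Not kernel code; every sim_* name is invented for this example. */
#include <stdint.h>
#include <string.h>

#define SIM_PAGE_SIZE 4096u
#define SIM_CANARY    64u      /* stands in for unrelated kernel memory */
#define SIM_STRIDE    (SIM_PAGE_SIZE + SIM_CANARY)
#define SIM_NR_PAGES  2u

static uint8_t sim_ram[SIM_NR_PAGES * SIM_STRIDE]; /* page0, canary0, page1, canary1 */
static const uint8_t sim_obj[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* object to write */

static void sim_reset(void) { memset(sim_ram, 0, sizeof sim_ram); }

/* Page-granular translation: host pointer for a valid GPA, NULL otherwise. */
static uint8_t *sim_gpa_to_hva(uint64_t gpa)
{
    uint64_t gfn = gpa / SIM_PAGE_SIZE;
    return gfn < SIM_NR_PAGES ? sim_ram + gfn * SIM_STRIDE + gpa % SIM_PAGE_SIZE : NULL;
}

/* Vulnerable pattern: one translation, then copy the whole object. */
static int sim_write_guest_unchecked(uint64_t gpa, const void *src, size_t len)
{
    uint8_t *hva = sim_gpa_to_hva(gpa);
    if (!hva) return -1;
    memcpy(hva, src, len);   /* overruns the page when gpa % 4096 + len > 4096 */
    return 0;
}

/* Fixed pattern: reject a range that is not fully backed by guest memory,
 * then copy page by page so no single step crosses a page boundary. */
static int sim_write_guest_checked(uint64_t gpa, const void *src, size_t len)
{
    if (gpa > UINT64_MAX - len || gpa + len > (uint64_t)SIM_NR_PAGES * SIM_PAGE_SIZE)
        return -1;
    for (const uint8_t *p = src; len; ) {
        size_t n = SIM_PAGE_SIZE - gpa % SIM_PAGE_SIZE; /* bytes left in this page */
        if (n > len) n = len;
        memcpy(sim_gpa_to_hva(gpa), p, n);
        gpa += n; p += n; len -= n;
    }
    return 0;
}

/* 1 if the canary behind guest page gfn holds any non-zero byte. */
static int sim_canary_clobbered(unsigned gfn)
{
    const uint8_t *c = sim_ram + gfn * SIM_STRIDE + SIM_PAGE_SIZE;
    for (unsigned i = 0; i < SIM_CANARY; i++) if (c[i]) return 1;
    return 0;
}
```

Writing the 8-byte object at GPA 4092 through the unchecked path leaves the last four bytes in the canary behind page 0; the checked path puts them at the start of page 1 and refuses a GPA whose range extends past the last page.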