From 76f48f7faa6ca5742e3972153b490d00e74d5a93 Mon Sep 17 00:00:00 2001
Message-Id: <76f48f7faa6ca5742e3972153b490d00e74d5a93.1363792519.git.minovotn@redhat.com>
From: Gleb Natapov <gleb@redhat.com>
Date: Sun, 10 Mar 2013 14:46:28 +0200
Subject: [PATCH 1/4] KVM: Fix for buffer overflow in handling of
 MSR_KVM_SYSTEM_TIME (CVE-2013-1796)

If the guest sets the GPA of the time_page so that the request to update
the time straddles a page then KVM will write onto an incorrect page.
The write is done byusing kmap atomic to get a pointer to the page for
the time structure and then performing a memcpy to that page starting at
an offset that the guest controls.  Well behaved guests always provide
a 32-byte aligned address, however a malicious guest could use this to
corrupt host kernel memory.

Tested: Tested against kvmclock unit test.

Upstream status: embargoed
BZ: 917019

Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 arch/x86/kvm/x86.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index fe0b2dc..5879f4b 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -855,6 +855,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 		/* ...but clean it before doing the actual write */
 		vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
 
+		/* Check that the address is 32-byte aligned. */
+		if (vcpu->arch.time_offset &
+				(sizeof(struct pvclock_vcpu_time_info) - 1))
+			return 1;
+
 		vcpu->arch.time_page =
 				gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
 
-- 
1.7.11.7