
kvm-83-270.el5_11.src.rpm

Return-Path: rhkernel-list-bounces@redhat.com
Received: from zmta05.collab.prod.int.phx2.redhat.com (LHLO
 zmta05.collab.prod.int.phx2.redhat.com) (10.5.81.12) by
 zmail17.collab.prod.int.phx2.redhat.com with LMTP; Fri, 24 Jan 2014
 03:57:38 -0500 (EST)
Received: from zmta05.collab.prod.int.phx2.redhat.com (localhost [127.0.0.1])
	by zmta05.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 016A417C106;
	Fri, 24 Jan 2014 03:57:37 -0500 (EST)
Received: from int-mx12.intmail.prod.int.phx2.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25])
	by zmta05.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 7469117C0DA;
	Fri, 24 Jan 2014 03:57:37 -0500 (EST)
Received: from lists01.intranet.prod.int.phx2.redhat.com (lists01.intranet.prod.int.phx2.redhat.com [10.5.30.73])
	by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s0O8vajr009668;
	Fri, 24 Jan 2014 03:57:36 -0500
Received: from lists01.intranet.prod.int.phx2.redhat.com (localhost.localdomain [127.0.0.1])
	by lists01.intranet.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s0O8vaLA022410;
	Fri, 24 Jan 2014 03:57:36 -0500
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
	(int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
	by lists01.intranet.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id s0O8vZ8u022399 for <rhkernel-list@post-office.corp.redhat.com>;
	Fri, 24 Jan 2014 03:57:35 -0500
Received: from localhost.localdomain (dhcp-1-120.brq.redhat.com [10.34.1.120])
	by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id s0O8vY8m016331; Fri, 24 Jan 2014 03:57:34 -0500
From: Denys Vlasenko <dvlasenk@redhat.com>
To: rhkernel-list@redhat.com
Subject: [RHEL5 PATCH BZ 1032217] KVM: x86: Fix potential divide by 0 in lapic
	(CVE-2013-6367)
Date: Fri, 24 Jan 2014 09:57:28 +0100
Message-Id: <1390553848-2404-1-git-send-email-dvlasenk@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.25
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-loop: rhkernel-list@redhat.com
X-BeenThere: rhkernel-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
Reply-To: Red Hat INTERNAL-ONLY kernel discussion list
	<rhkernel-list@redhat.com>
List-Id: Red Hat INTERNAL-ONLY kernel discussion list
	<rhkernel-list.redhat.com>
List-Unsubscribe: <https://post-office.corp.redhat.com/mailman/options/rhkernel-list>,
	<mailto:rhkernel-list-request@redhat.com?subject=unsubscribe>
List-Archive: <http://post-office.corp.redhat.com/archives/rhkernel-list>
List-Post: <mailto:rhkernel-list@redhat.com>
List-Help: <mailto:rhkernel-list-request@redhat.com?subject=help>
List-Subscribe: <https://post-office.corp.redhat.com/mailman/listinfo/rhkernel-list>,
	<mailto:rhkernel-list-request@redhat.com?subject=subscribe>
Sender: rhkernel-list-bounces@redhat.com
Errors-To: rhkernel-list-bounces@redhat.com

CVE-2013-6367:
BZ:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1032217

Brew build:
https://brewweb.devel.redhat.com/taskinfo?taskID=6924330

Upstream status of the patch:
upstream commit b963a22e6d1a266a67e9eecc88134713fd54775c
Author: Andy Honig <ahonig@google.com>
Date:   Tue Nov 19 14:12:18 2013 -0800

    KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)

    Under guest controllable circumstances apic_get_tmcct will execute a
    divide by zero and cause a crash.  If the guest cpuid supports
    tsc deadline timers and performs the following sequence of requests
    the host will crash.
    - Set the mode to periodic
    - Set the TMICT to 0
    - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
    - Set the TMICT to non-zero.
    Then the lapic_timer.period will be 0, but the TMICT will not be.  If the
    guest then reads from the TMCCT then the host will perform a divide by 0.

    This patch ensures that if the lapic_timer.period is 0, then the division
    does not occur.

Test Status:
Only compile-tested.

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
---
 arch/x86/kvm/lapic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index ade469c..f3131c0 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -525,7 +525,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
 	ASSERT(apic != NULL);
 
 	/* if initial count is 0, current count should also be 0 */
-	if (apic_get_reg(apic, APIC_TMICT) == 0)
+	if (apic_get_reg(apic, APIC_TMICT) == 0 ||
+		apic->timer.period == 0)
 		return 0;
 
 	remaining = hrtimer_expires_remaining(&apic->timer.dev);
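Review bot: The comment above the condition ("if initial count is 0, current count should also be 0") no longer describes the whole check; since the condition now also returns 0 when `apic->timer.period == 0`, extend it to say that a zero period (timer never started, as after the TMICT=0 / reserved-mode sequence in the description) yields a zero current count too. Also confirm that `apic->timer.period` is the RHEL5 field corresponding to the upstream `lapic_timer.period` named in the commit message, and, given the "Only compile-tested" status, that the register sequence from the description has been replayed on a guest with tsc-deadline cpuid support to show the TMCCT read now returns 0 instead of faulting.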
-- 
1.8.1.4
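The following is an added user-space model of the timer state the commit message describes; it is not KVM code and not part of this patch. The struct and function names (model_lapic, model_write_tmict, model_get_tmcct_fixed, and so on) are illustrative, and the period computation and the mod/div sequence follow the upstream apic_get_tmcct logic summarised in the description rather than RHEL5's exact source. It replays the four guest writes from the description, reports whether the pre-patch condition (TMICT non-zero, period zero) is reached, and shows the patched guard returning 0 instead of dividing, so it can serve as a regression check for the fix.

```c
/*
 * User-space model of the KVM local APIC timer state behind CVE-2013-6367.
 * Added example, not KVM code: names and layout are illustrative.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#define APIC_BUS_CYCLE_NS 1   /* KVM treats one APIC bus cycle as 1 ns */

/* LVT timer mode field: bits 17-18 of the LVT timer register */
enum timer_mode {
    MODE_ONESHOT     = 0,
    MODE_PERIODIC    = 1,
    MODE_TSCDEADLINE = 2,
    MODE_RESERVED    = 3   /* "mode bits 11" in the description */
};

struct model_lapic {
    enum timer_mode mode;
    uint32_t tmict;         /* APIC_TMICT, initial count */
    uint32_t divide_count;  /* derived from APIC_TDCR */
    uint64_t period;        /* ns; recomputed only when the timer (re)starts */
    uint64_t remaining_ns;  /* stands in for hrtimer_expires_remaining() */
};

/* Models start_apic_timer(): the period is updated only in
 * one-shot or periodic mode. TSC-deadline and the reserved mode
 * leave the old period in place, which is the root of the bug. */
void model_write_tmict(struct model_lapic *apic, uint32_t val)
{
    apic->tmict = val;
    if (apic->mode == MODE_ONESHOT || apic->mode == MODE_PERIODIC) {
        apic->period = (uint64_t)val * APIC_BUS_CYCLE_NS * apic->divide_count;
        apic->remaining_ns = apic->period;
    }
}

void model_write_mode(struct model_lapic *apic, enum timer_mode mode)
{
    apic->mode = mode;
}

/* Pre-patch apic_get_tmcct() only checked TMICT; with TMICT != 0 and
 * period == 0 it reached mod_64(remaining, period), a divide by zero. */
bool model_would_divide_by_zero(const struct model_lapic *apic)
{
    return apic->tmict != 0 && apic->period == 0;
}

/* Patched apic_get_tmcct(): guard on both TMICT and period. */
uint32_t model_get_tmcct_fixed(const struct model_lapic *apic)
{
    if (apic->tmict == 0 || apic->period == 0)
        return 0;
    uint64_t ns = apic->remaining_ns % apic->period;               /* mod_64   */
    return (uint32_t)(ns / (APIC_BUS_CYCLE_NS * apic->divide_count)); /* div64_u64 */
}

/* Replays the four guest writes listed in the commit message. */
struct model_lapic model_run_cve_sequence(void)
{
    struct model_lapic apic = { .mode = MODE_ONESHOT, .divide_count = 1 };
    model_write_mode(&apic, MODE_PERIODIC);
    model_write_tmict(&apic, 0);            /* period becomes 0 */
    model_write_mode(&apic, MODE_RESERVED); /* mode bits 11 */
    model_write_tmict(&apic, 1000);         /* TMICT non-zero, period stays 0 */
    return apic;
}

int main(void)
{
    struct model_lapic apic = model_run_cve_sequence();
    printf("pre-patch read would divide by zero: %s\n",
           model_would_divide_by_zero(&apic) ? "yes" : "no");
    printf("patched TMCCT read returns: %u\n", model_get_tmcct_fixed(&apic));
    return 0;
}
```

The ordinary case is also covered: in periodic mode with TMICT=1000 and a divide count of 1, a remaining time of 250 ns yields a TMCCT of 250, so the added period check changes nothing for a timer that was actually started.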