From: Denys Vlasenko <dvlasenk@redhat.com>
To: rhkernel-list@redhat.com
Subject: [RHEL5 PATCH BZ 1032217] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
Date: Fri, 24 Jan 2014 09:57:28 +0100
Message-Id: <1390553848-2404-1-git-send-email-dvlasenk@redhat.com>

CVE-2013-6367:
BZ: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1032217
Brew build: https://brewweb.devel.redhat.com/taskinfo?taskID=6924330

Upstream status of the patch:
upstream commit b963a22e6d1a266a67e9eecc88134713fd54775c
Author: Andy Honig <ahonig@google.com>
Date: Tue Nov 19 14:12:18 2013 -0800

KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)

Under guest controllable circumstances apic_get_tmcct will execute a divide by zero and cause a crash. If the guest cpuid supports tsc deadline timers and performs the following sequence of requests the host will crash.

- Set the mode to periodic
- Set the TMICT to 0
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
- Set the TMICT to non-zero.
Then the lapic_timer.period will be 0, but the TMICT will not be. If the guest then reads from the TMCCT then the host will perform a divide by 0. This patch ensures that if the lapic_timer.period is 0, then the division does not occur. Test Status: Only compile-tested. Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com> --- arch/x86/kvm/lapic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index ade469c..f3131c0 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -525,7 +525,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) ASSERT(apic != NULL); /* if initial count is 0, current count should also be 0 */ - if (apic_get_reg(apic, APIC_TMICT) == 0) + if (apic_get_reg(apic, APIC_TMICT) == 0 || + apic->timer.period == 0) return 0; remaining = hrtimer_expires_remaining(&apic->timer.dev); -- 1.8.1.4
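Review bot: The comment above the changed condition still reads "if initial count is 0, current count should also be 0" and says nothing about the new `apic->timer.period == 0` leg, so a reader of the final code cannot tell why a zero period short-circuits here; extend it along the lines of "if initial count is 0, or the timer period is 0 (mode bits set to a value that is neither periodic, one-shot nor tsc deadline), current count should also be 0" so the purpose of the guard survives without the commit message. Related: the commit message refers to `lapic_timer.period` while the hunk tests `apic->timer.period`; a one-line backport note stating that `timer.period` is the RHEL5 name of the same field would stop reviewers from reading it as a mistranscription. Since the change is only compile-tested, exercising the four-step register sequence already given in the commit message against a guest would confirm that the early return now fires instead of the division.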