
kvm-83-164.el5_5.9.src.rpm

From 9b9c809ded1449ec69ee1d8058559d3f9fc6ec69 Mon Sep 17 00:00:00 2001
From: Marcelo Tosatti <mtosatti@redhat.com>
Date: Tue, 26 May 2009 11:51:13 -0300
Subject: [PATCH 2/2] KVM: x86: check for cr3 validity in ioctl_set_sregs

commit 89da4ff17f568bb3a1f69dce7e4c57a7f3bc0c63
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date:   Thu Apr 16 08:30:44 2009 -0300

    KVM: x86: check for cr3 validity in ioctl_set_sregs

    Matt T. Yourst notes that kvm_arch_vcpu_ioctl_set_sregs lacks
    validity checking for the new cr3 value:

    "Userspace callers of KVM_SET_SREGS can pass a bogus value of cr3
    to the kernel. This will trigger a NULL pointer access in gfn_to_rmap()
    when userspace next tries to call KVM_RUN on the affected VCPU and kvm
    attempts to activate the new non-existent page table root.

    This happens since kvm only validates that cr3 points to a valid
    guest physical memory page when code *inside* the guest sets cr3.
    However, kvm currently trusts the userspace caller (e.g. QEMU) on the
    host machine to always supply a valid page table root, rather than
    properly validating it along with the rest of the reloaded guest state."

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Message-ID: <20090526145113.GC17390@amt.cnet>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Upstream-status: applied(kvm/master)
Acked-by: Glauber Costa <glommer@redhat.com>
Acked-by: Marcelo Tosatti <mtosatti@redhat.com>
Acked-by: Juan Quintela <quintela@redhat.com>
Bugzilla: 503793
---
 arch/x86/kvm/x86.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 29d80ed..39f7843 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3799,7 +3799,13 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
 
 	vcpu->arch.cr2 = sregs->cr2;
 	mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;
-	vcpu->arch.cr3 = sregs->cr3;
+
+	down_read(&vcpu->kvm->slots_lock);
+	if (gfn_to_memslot(vcpu->kvm, sregs->cr3 >> PAGE_SHIFT))
+		vcpu->arch.cr3 = sregs->cr3;
+	else
+		set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests);
+	up_read(&vcpu->kvm->slots_lock);
 
 	kvm_set_cr8(vcpu, sregs->cr8);
 
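Review bot: The else branch silently queues KVM_REQ_TRIPLE_FAULT instead of rejecting the ioctl, so a caller of KVM_SET_SREGS that passes an unbacked cr3 gets a success return and only finds out at the next KVM_RUN when the VCPU triple-faults; consider returning -EINVAL from kvm_arch_vcpu_ioctl_set_sregs (after releasing slots_lock) so userspace can tell a bad cr3 apart from a guest-initiated reset, or document why deferring to a triple fault is the intended behaviour. Two smaller points in the same hunk: `mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;` is computed from the new value before the check, so in the invalid case an MMU reset is requested even though `vcpu->arch.cr3` was never updated, and `gfn_to_memslot(vcpu->kvm, sregs->cr3 >> PAGE_SHIFT)` only confirms that the page frame is backed by a memslot, not that the cr3 value has no reserved bits set, so the check prevents the NULL dereference in gfn_to_rmap() described in the commit message but is not a full cr3 validity check.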
-- 
1.6.3.rc4.29.g8146