From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paolo Bonzini
Subject: Re: [PATCH] kvm: use PIT channel index in hpet_legacy_start mode
Date: Thu, 7 Jan 2016 14:50:03 +0100
Message-ID: <568E6D0B.5050403@redhat.com>
References: <1452169950-14711-1-git-send-email-ppandit@redhat.com> <568E5C0B.9010507@gmail.com> <568E5F08.5030900@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Cc: Yang Zhang , kvm@vger.kernel.org
To: P J P
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:33721 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751709AbcAGNuI (ORCPT ); Thu, 7 Jan 2016 08:50:08 -0500
In-Reply-To:
Sender: kvm-owner@vger.kernel.org
List-ID:

On 07/01/2016 14:28, P J P wrote:
> +-- On Thu, 7 Jan 2016, Paolo Bonzini wrote --+
> | > Will this trigger the same issue like CVE-2015-7513 ?
> | > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0185604c2d82c560dab2f2933a18f797e74ab5a8
> |
> | I am not sure (--verbose please :))
>
> IIUC, it shouldn't, because pit_load_count() does
>
>     /*
>      * The largest possible initial count is 0; this is equivalent
>      * to 216 for binary counting and 104 for BCD counting.
>      */
>     if (val == 0)
>         val = 0x10000;
>
>
> | but the right fix is to change the caller like this:
>
> | diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
> |
> | @@ -420,6 +420,7 @@ void kvm_pit_load_count(struct kvm *kvm, int channel, u32 val, int hpet_legacy_s
> | u8 saved_mode;
> | if (hpet_legacy_start) {
> | /* save existing mode for later reenablement */
> | + WARN_ON(channel != 0);
> | saved_mode = kvm->arch.vpit->pit_state.channels[0].mode;
> | kvm->arch.vpit->pit_state.channels[0].mode = 0xff; /* disable timer */
> | pit_load_count(kvm, channel, val);
>
> In that case I guess, 'pit_load_count' could be called as
>
> + pit_load_count(kvm, 0, val);

Good idea.

Paolo

>
> Thank you.
> --
> - P J P
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
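Review bot: in the `@@ -420,6 +420,7 @@` hunk the added `WARN_ON(channel != 0);` only reports the mismatch; the lines after it still save and overwrite `channels[0].mode` while `pit_load_count(kvm, channel, val);` loads the count into whatever channel was passed in, so on the warned path the timer disable and the count load act on different channels. Either pass channel 0 explicitly (`pit_load_count(kvm, 0, val);`, as P J P suggests) so the hpet_legacy_start branch is self-consistent, or return after the warning instead of continuing. It is also worth confirming that every caller that sets hpet_legacy_start forces channel 0, because a WARN_ON reachable with a caller-controlled index is a kernel warning on demand.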
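As an added illustration of the val == 0 rule P J P quotes, and of why a zero count reaching the channel state matters, here is a small model of the reload path. This is not code from the thread or from arch/x86/kvm/i8254.c: the channel struct, the "remaining = count - (elapsed % count)" read-back arithmetic, the raw and checked restore helpers and the mode restore after the hpet_legacy_start load are simplified assumptions made for the example.

```c
/* Model of the 8254 PIT reload rule discussed in the thread: an initial
 * count of 0 means the full range (0x10000 in binary mode). A restore path
 * that copies a raw count of 0 into a channel without this normalisation
 * leaves a zero divisor for any later "ticks modulo count" computation.
 * Added illustration, not KVM's i8254.c; struct layout, read-back
 * arithmetic and the hpet_legacy mode restore are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PIT_CHANNELS 3

struct pit_channel {
    uint32_t count;   /* reload value in use; never 0 after pit_load_count() */
    uint8_t  mode;
};

struct pit_state {
    struct pit_channel channels[PIT_CHANNELS];
};

/* The val == 0 -> 0x10000 rule quoted from pit_load_count(). */
uint32_t pit_effective_count(uint32_t val)
{
    return val == 0 ? 0x10000 : val;
}

/* Load a count the way pit_load_count() does: normalise first. */
void pit_load_count(struct pit_state *ps, int channel, uint32_t val)
{
    ps->channels[channel].count = pit_effective_count(val);
}

/* Weak restore (assumed): copies caller-supplied counts verbatim. */
void pit_restore_raw(struct pit_state *ps, const uint32_t counts[PIT_CHANNELS])
{
    for (int i = 0; i < PIT_CHANNELS; i++)
        ps->channels[i].count = counts[i];
}

/* Checked restore: every channel goes through pit_load_count(). */
void pit_restore_checked(struct pit_state *ps, const uint32_t counts[PIT_CHANNELS])
{
    for (int i = 0; i < PIT_CHANNELS; i++)
        pit_load_count(ps, i, counts[i]);
}

/* Simplified read-back: remaining = count - (elapsed % count).
 * Refuses instead of dividing when the stored count is 0; in kernel
 * context that modulo would be a divide error. */
bool pit_read_back(const struct pit_state *ps, int channel,
                   uint64_t elapsed_ticks, uint32_t *remaining)
{
    uint32_t c = ps->channels[channel].count;
    if (c == 0)
        return false;
    *remaining = (uint32_t)(c - (elapsed_ticks % c));
    return true;
}

/* hpet_legacy_start path as the thread concludes it: the mode save and
 * the count load both refer to channel 0. Restoring the saved mode after
 * the load is assumed from the "later reenablement" comment. */
void kvm_pit_load_count_model(struct pit_state *ps, int channel,
                              uint32_t val, bool hpet_legacy_start)
{
    if (hpet_legacy_start) {
        uint8_t saved_mode = ps->channels[0].mode;
        ps->channels[0].mode = 0xff;     /* disable timer */
        pit_load_count(ps, 0, val);
        ps->channels[0].mode = saved_mode;
    } else {
        pit_load_count(ps, channel, val);
    }
}

/* Does restoring all-zero counts (constructed input) survive a read-back? */
bool pit_zero_restore_is_safe(bool use_checked_restore)
{
    struct pit_state ps = {0};
    const uint32_t counts[PIT_CHANNELS] = {0, 0, 0};
    uint32_t remaining;

    if (use_checked_restore)
        pit_restore_checked(&ps, counts);
    else
        pit_restore_raw(&ps, counts);
    return pit_read_back(&ps, 0, 12345, &remaining);
}

/* After the hpet_legacy path, channel 0 holds the normalised count and
 * its original mode (0x06 is a constructed value). */
bool pit_hpet_legacy_roundtrip(void)
{
    struct pit_state ps = {0};
    ps.channels[0].mode = 0x06;
    kvm_pit_load_count_model(&ps, 0, 0, true);
    return ps.channels[0].count == 0x10000 && ps.channels[0].mode == 0x06;
}

int main(void)
{
    printf("raw restore of count 0 readable: %d\n", pit_zero_restore_is_safe(false));
    printf("checked restore of count 0 readable: %d\n", pit_zero_restore_is_safe(true));
    printf("hpet_legacy round trip ok: %d\n", pit_hpet_legacy_roundtrip());
    return 0;
}
```

The point of the two restore helpers is the one P J P makes: as long as every count reaches the channel through pit_load_count(), a caller-supplied 0 becomes 0x10000 and the later modulo has a non-zero divisor; a path that stores the raw value bypasses that guarantee.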