From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Andrew Honig" <ahonig@google.com>
Subject: [PATCH 3.2 43/70] KVM: x86: Reload pit counters for all channels when restoring state
Date: Mon, 18 Jan 2016 03:18:35 +0000 [thread overview]
Message-ID: <lsq.1453087115.973179839@decadent.org.uk> (raw)
In-Reply-To: <lsq.1453087114.713093519@decadent.org.uk>
3.2.76-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Honig <ahonig@google.com>
commit 0185604c2d82c560dab2f2933a18f797e74ab5a8 upstream.
Currently if userspace restores the pit counters with a count of 0
on channels 1 or 2 and the guest attempts to read the count on those
channels, then KVM will perform a mod of 0 and crash. This will ensure
that 0 values are converted to 65536 as per the spec.
This is CVE-2015-7513.
Signed-off-by: Andy Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/x86.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3434,10 +3434,11 @@ static int kvm_vm_ioctl_get_pit(struct k
static int kvm_vm_ioctl_set_pit(struct kvm *kvm, struct kvm_pit_state *ps)
{
int r = 0;
-
+ int i;
mutex_lock(&kvm->arch.vpit->pit_state.lock);
memcpy(&kvm->arch.vpit->pit_state, ps, sizeof(struct kvm_pit_state));
- kvm_pit_load_count(kvm, 0, ps->channels[0].count, 0);
+ for (i = 0; i < 3; i++)
+ kvm_pit_load_count(kvm, i, ps->channels[i].count, 0);
mutex_unlock(&kvm->arch.vpit->pit_state.lock);
return r;
}
@@ -3458,6 +3459,7 @@ static int kvm_vm_ioctl_get_pit2(struct
static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps)
{
int r = 0, start = 0;
+ int i;
u32 prev_legacy, cur_legacy;
mutex_lock(&kvm->arch.vpit->pit_state.lock);
prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY;
@@ -3467,7 +3469,8 @@ static int kvm_vm_ioctl_set_pit2(struct
memcpy(&kvm->arch.vpit->pit_state.channels, &ps->channels,
sizeof(kvm->arch.vpit->pit_state.channels));
kvm->arch.vpit->pit_state.flags = ps->flags;
- kvm_pit_load_count(kvm, 0, kvm->arch.vpit->pit_state.channels[0].count, start);
+ for (i = 0; i < 3; i++)
+ kvm_pit_load_count(kvm, i, kvm->arch.vpit->pit_state.channels[i].count, start);
mutex_unlock(&kvm->arch.vpit->pit_state.lock);
return r;
}
next prev parent reply other threads:[~2016-01-18 3:27 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-18 3:18 [PATCH 3.2 00/70] 3.2.76-rc1 review Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 56/70] i2c: i801: Add Device IDs for Intel Wellsburg PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 62/70] i2c: i801: Add PCI ID for Intel Braswell Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 20/70] xen: Add RING_COPY_REQUEST() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 21/70] xen-netback: don't use last request to determine minimum Tx credit Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 41/70] ftrace/scripts: Fix incorrect use of sprintf in recordmcount Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 18/70] ftrace/scripts: Have recordmcount copy the object file Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 57/70] i2c: i801: SMBus patch for Intel Coleto Creek DeviceIDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 67/70] i2c: i801: Document Intel DNV and Broxton Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 13/70] mISDN: fix a loop count Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 65/70] i2c: i801: Add support for Intel DNV Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 25/70] xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 37/70] MIPS: Fix restart of indirect syscalls Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 06/70] ses: Fix problems with simple enclosures Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 55/70] i2c: i801: SMBus patch for Intel Avoton DeviceIDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 58/70] i2c: i801: Add Device IDs for Intel Wildcat Point-LP PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 59/70] i2c: i801: enable Intel BayTrail SMBUS Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 60/70] i2c: i801: Fix the alignment of the device table Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 10/70] ALSA: tlv: add DECLARE_TLV_DB_RANGE() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 03/70] video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 53/70] ahci: Add Device ID for Intel Sunrise Point PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 11/70] ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 01/70] sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 48/70] ahci: Add Device IDs for Intel Wellsburg PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 15/70] spi: fix parent-device reference leak Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 14/70] ser_gigaset: fix deallocation of platform device structure Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 38/70] drm/radeon: fix hotplug race at startup Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 46/70] udp: properly support MSG_PEEK with truncated buffers Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 36/70] mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 66/70] i2c: i801: Add support for Intel Broxton Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 39/70] net/core: revert "net: fix __netdev_update_features return.." and add comment Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 44/70] kvm: x86: only channel 0 of the i8254 is linked to the HPET Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 45/70] Revert "net: add length argument to skb_copy_and_csum_datagram_iovec" Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 68/70] i2c: i801: add Intel Lewisburg device IDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 49/70] ahci: Add JMicron 362 " Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 07/70] ses: fix additional element traversal bug Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 27/70] xen/pciback: Do not install an IRQ handler for MSI interrupts Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 69/70] cdrom: Random writing support for BD-RE media Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 26/70] xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 02/70] ipv6: sctp: fix lockdep splat in sctp_v6_get_dst() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 35/70] ocfs2: fix BUG when calculate new backup super Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 42/70] net: possible use after free in dst_release Ben Hutchings
2016-01-18 3:49 ` Francesco Ruggeri
2016-01-18 11:50 ` Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 61/70] i2c: i801: Add device ID for Intel Wildcat Point PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 12/70] sh_eth: fix TX buffer byte-swapping Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 08/70] tty: Fix GPF in flush_to_ldisc() Ben Hutchings
2016-01-18 3:18 ` Ben Hutchings [this message]
2016-01-18 3:18 ` [PATCH 3.2 05/70] rfkill: copy the name into the rfkill struct Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 54/70] ahci: Order SATA device IDs for codename Lewisburg Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 40/70] genirq: Prevent chip buslock deadlock Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 16/70] scripts: recordmcount: break hardlinks Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 31/70] USB: fix invalid memory access in hub_activate() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 33/70] parisc: Fix syscall restarts Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 04/70] crypto: skcipher - Copy iv from desc even for 0-len walks Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 30/70] USB: ipaq.c: fix a timeout loop Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 70/70] HID: dragonrise: fix HID Descriptor for 0x0006 PID Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 32/70] KEYS: Fix race between read and revoke Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 51/70] ahci: Add Marvell 88se91a2 device id Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 63/70] i2c: i801: Add Device IDs for Intel Sunrise Point PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 28/70] xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 19/70] s390/dis: Fix handling of format specifiers Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 52/70] ahci: add new Intel device IDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 24/70] xen/pciback: Save xen_pci_op commands before processing it Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 29/70] xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 64/70] i2c: i801: Add DeviceIDs for SunrisePoint LP Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 09/70] ALSA: tlv: compute TLV_*_ITEM lengths automatically Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 17/70] net: fix warnings in 'make htmldocs' by moving macro definition out of field declaration Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 50/70] ahci: Remove Device ID for Intel Sunrise Point PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 22/70] xen-netback: use RING_COPY_REQUEST() throughout Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 34/70] ipv6/addrlabel: fix ip6addrlbl_get() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 47/70] vmstat: allocate vmstat_wq before it is used Ben Hutchings
2016-01-18 22:26 ` Luis Henriques
2016-01-18 3:18 ` [PATCH 3.2 23/70] xen-blkback: only read request operation from shared ring once Ben Hutchings
2016-01-18 3:45 ` [PATCH 3.2 00/70] 3.2.76-rc1 review Ben Hutchings
2016-01-18 9:12 ` Guenter Roeck
2016-01-18 11:50 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1453087115.973179839@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=ahonig@google.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox