From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lars Bull <larsbull@google.com>,
Gleb Natapov <gleb@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 3.10 16/78] KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
Date: Wed, 18 Dec 2013 13:10:44 -0800 [thread overview]
Message-ID: <20131218211112.364315650@linuxfoundation.org> (raw)
In-Reply-To: <20131218211111.903835960@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gleb Natapov <gleb@redhat.com>
commit 17d68b763f09a9ce824ae23eb62c9efc57b69271 upstream.
A guest can cause a BUG_ON() leading to a host kernel crash.
When the guest writes to the ICR to request an IPI, while in x2apic
mode the following things happen, the destination is read from
ICR2, which is a register that the guest can control.
kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
cluster id. A BUG_ON is triggered, which is a protection against
accessing map->logical_map with an out-of-bounds access and manages
to avoid that anything really unsafe occurs.
The logic in the code is correct from real HW point of view. The problem
is that KVM supports only one cluster with ID 0 in clustered mode, but
the code that has the bug does not take this into account.
Reported-by: Lars Bull <larsbull@google.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -153,6 +153,8 @@ static inline int kvm_apic_id(struct kvm
return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
}
+#define KVM_X2APIC_CID_BITS 0
+
static void recalculate_apic_map(struct kvm *kvm)
{
struct kvm_apic_map *new, *old = NULL;
@@ -190,7 +192,8 @@ static void recalculate_apic_map(struct
if (apic_x2apic_mode(apic)) {
new->ldr_bits = 32;
new->cid_shift = 16;
- new->cid_mask = new->lid_mask = 0xffff;
+ new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1;
+ new->lid_mask = 0xffff;
} else if (kvm_apic_sw_enabled(apic) &&
!new->cid_mask /* flat mode */ &&
kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
next prev parent reply other threads:[~2013-12-18 21:10 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-18 21:10 [PATCH 3.10 00/78] 3.10.25-stable review Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 01/78] MIPS: DMA: For BMIPS5000 cores flush region just like non-coherent R10000 Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 02/78] Input: xpad - add signature for Razer Onza Classic Edition Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 03/78] ALSA: compress: Fix 64bit ABI incompatibility Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 04/78] ALSA: memalloc.h - fix wrong truncation of dma_addr_t Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 05/78] ALSA: hda - Add static DAC/pin mapping for AD1986A codec Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 06/78] ALSA: hda - Mute all aamix inputs as default Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 07/78] ALSA: hda - hdmi: Fix IEC958 ctl indexes for some simple HDMI devices Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 08/78] ARM: pxa: tosa: fix keys mapping Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 09/78] ARM: pxa: prevent PXA270 occasional reboot freezes Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 10/78] ARM: OMAP3: hwmod data: Dont prevent RESET of USB Host module Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 11/78] ARM: 7912/1: check stack pointer in get_wchan Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 12/78] ARM: 7913/1: fix framepointer check in unwind_frame Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 13/78] KVM: Improve create VCPU parameter (CVE-2013-4587) Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 14/78] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 15/78] KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) Greg Kroah-Hartman
2013-12-18 21:10 ` Greg Kroah-Hartman [this message]
2013-12-18 21:10 ` [PATCH 3.10 17/78] hwmon: Prevent some divide by zeros in FAN_TO_REG() Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 19/78] hwmon: (w83l786ng) Fix fan speed control mode setting and reporting Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 20/78] hwmon: (w83l768ng) Fix fan speed control range Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 21/78] xfs: growfs overruns AGFL buffer on V4 filesystems Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 22/78] xfs: underflow bug in xfs_attrlist_by_handle() Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 23/78] PCI: Disable Bus Master only on kexec reboot Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 24/78] futex: fix handling of read-only-mapped hugepages Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 25/78] nfsd: when reusing an existing repcache entry, unhash it first Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 26/78] usb: hub: Use correct reset for wedged USB3 devices that are NOTATTACHED Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 27/78] usb: dwc3: fix implementation of endpoint wedge Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 28/78] usb: gadget: composite: reset delayed_status on reset_config Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 29/78] USB: serial: option: blacklist interface 1 for Huawei E173s-6 Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 30/78] USB: option: support new huawei devices Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 31/78] Input: usbtouchscreen - separate report and transmit buffer size handling Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 32/78] media: af9035: fix broken I2C and USB I/O Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 33/78] powerpc: Fix PTE page address mismatch in pgtable ctor/dtor Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 34/78] drivers/rtc/rtc-at91rm9200.c: correct alarm over day/month wrap Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 36/78] ath9k: Fix QuickDrop usage Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 37/78] ath9k: Fix XLNA bias strength Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 38/78] selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 39/78] selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 40/78] Revert "mac80211: allow disable power save in mesh" Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 41/78] mac80211: dont attempt to reorder multicast frames Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 42/78] iwlwifi: mvm: check sta_id/drain values in debugfs Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 43/78] mwifiex: fix memory leak issue for ibss join Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 44/78] igb: Fix for issue where values could be too high for udelay function Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 45/78] drm/radeon: program DCE2 audio dto just like DCE3 Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 46/78] drm/radeon: fixup bad vram size on SI Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 47/78] x86, efi: Dont use (U)EFI time services on 32 bit Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 48/78] x86, build: Pass in additional -mno-mmx, -mno-sse options Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 49/78] x86, build, icc: Remove uninitialized_var() from compiler-intel.h Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 50/78] media: saa7164: fix return value check in saa7164_initdev() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 52/78] media: af9033: fix broken I2C Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 53/78] media: wm8775: fix broken audio routing Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 54/78] media: af9035: add [0413:6a05] Leadtek WinFast DTV Dongle Dual Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 55/78] media: af9035: unlock on error in af9035_i2c_master_xfer() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 56/78] Btrfs: fix access_ok() check in btrfs_ioctl_send() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 57/78] btrfs: call mnt_drop_write after interrupted subvol deletion Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 58/78] dm bufio: initialize read-only module parameters Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 59/78] dm snapshot: avoid snapshot space leak on crash Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 60/78] dm array: fix a reference counting bug in shadow_ablock Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 61/78] dm delay: fix a possible deadlock due to shared workqueue Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 62/78] dm space map metadata: return on failure in sm_metadata_new_block Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 63/78] dm table: fail dm_table_create on dm_round_up overflow Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 64/78] dm thin: switch to read only mode if a mapping insert fails Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 66/78] [media] cxd2820r_core: fix sparse warnings Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 67/78] sched: Avoid throttle_cfs_rq() racing with period_timer stopping Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 68/78] staging: comedi: pcmuio: fix possible NULL deref on detach Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 69/78] staging: comedi: drivers: use comedi_dio_update_state() for simple cases Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 70/78] staging: comedi: ssv_dnp: use comedi_dio_update_state() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 71/78] sc1200_wdt: Fix oops Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 72/78] NFSv4 wait on recovery for async session errors Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 73/78] [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 74/78] Revert "net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST" Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 75/78] Btrfs: fix memory leak of chunks extent map Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 76/78] Btrfs: fix hole check in log_one_extent Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 77/78] Btrfs: fix incorrect inode acl reset Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 78/78] Btrfs: do not run snapshot-aware defragment on error Greg Kroah-Hartman
2013-12-19 2:04 ` [PATCH 3.10 00/78] 3.10.25-stable review Guenter Roeck
2013-12-19 3:40 ` Greg Kroah-Hartman
2013-12-19 20:47 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131218211112.364315650@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=gleb@redhat.com \
--cc=larsbull@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).