From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrew Honig <ahonig@google.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 3.10 44/97] kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
Date: Tue, 4 Mar 2014 12:03:57 -0800
Message-ID: <20140304200347.484903499@linuxfoundation.org>
In-Reply-To: <20140304200345.895517495@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Honig <ahonig@google.com>
commit a08d3b3b99efd509133946056531cdf8f3a0c09b upstream.
The problem occurs when the guest performs a pusha with the stack
address pointing to an mmio address (or an invalid guest physical
address) to start with, but then extending into an ordinary guest
physical address. When doing repeated emulated pushes
emulator_read_write sets mmio_needed to 1 on the first one. On a
later push when the stack points to regular memory,
mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0.
As a result, KVM exits to userspace, and then returns to
complete_emulated_mmio. In complete_emulated_mmio
vcpu->mmio_cur_fragment is incremented. The termination condition of
vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
The code bounces back and forth to userspace incrementing
mmio_cur_fragment past its buffer. If the guest does nothing else it
eventually leads to a crash on a memcpy from invalid memory address.
However, if guest code can cause the vm to be destroyed in another
vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
can be used by the guest to control the data that's pointed to by the
call to cancel_work_item, which can be used to gain execution.
Fixes: f78146b0f9230765c6315b2e14f56112513389ad
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5982,7 +5982,7 @@ static int complete_emulated_mmio(struct
frag->len -= len;
}
- if (vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments) {
+ if (vcpu->mmio_cur_fragment >= vcpu->mmio_nr_fragments) {
vcpu->mmio_needed = 0;
if (vcpu->mmio_is_write)
return 1;
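Review bot: the `>=` on the `if (vcpu->mmio_cur_fragment >= vcpu->mmio_nr_fragments)` line makes the termination check tolerate an index that has already passed the fragment count, but the inconsistent state the commit message describes (mmio_nr_fragments reset to 0 while mmio_needed stays set) is still produced before this function runs; a one-line comment above the check saying why `>=` rather than `==` is required would keep a later cleanup from turning it back into an equality test, and it is worth considering whether the path that resets mmio_nr_fragments should clear mmio_needed as well, so the stale index cannot be used to address mmio_fragments[] at all.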
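The failure mode described in the commit message can be reproduced outside the kernel with a small state-machine model. The following is an added example, not code from the kernel or from this patch: it models the fields complete_emulated_mmio() walks (mmio_needed, mmio_cur_fragment, mmio_nr_fragments and a two-entry fragment array, a constructed size) and drives the completion path once with the pre-fix `==` check and once with the `>=` check from this patch. The names drive_completion and run_scenario are mine, as is the two-entry array; the stale starting state (index already at 1, fragment count reset to 0, mmio_needed still set) is the one the commit message attributes to a pusha that starts in MMIO and runs into ordinary RAM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the vCPU MMIO state, not the kernel's kvm_vcpu.
 * KVM keeps a small fixed array of MMIO fragments; mmio_cur_fragment indexes
 * it and must stay below the array length on every access. */
#define MMIO_FRAGMENTS 2   /* assumed size for the model */

struct mmio_fragment {
    uint64_t gpa;
    uint8_t data[8];
};

struct vcpu_model {
    bool mmio_needed;            /* set by the first MMIO access; not cleared by the bug */
    unsigned mmio_cur_fragment;  /* advanced on every trip back from userspace */
    unsigned mmio_nr_fragments;  /* reset to 0 when a later access hits ordinary RAM */
    struct mmio_fragment mmio_fragments[MMIO_FRAGMENTS];
};

/* The two termination predicates: the pre-fix '==' and the patched '>='. */
static bool done_equal(const struct vcpu_model *v)
{
    return v->mmio_cur_fragment == v->mmio_nr_fragments;
}

static bool done_geq(const struct vcpu_model *v)
{
    return v->mmio_cur_fragment >= v->mmio_nr_fragments;
}

/*
 * Drive the completion path until the predicate reports completion.
 * Each loop iteration stands for one KVM_EXIT_MMIO round trip: the bytes
 * returned by userspace are copied into the current fragment, the index
 * advances to the next fragment, and the termination check runs.
 * Returns the number of round trips used, or -1 if the next copy would
 * read mmio_fragments[] out of bounds, which is where the real code would
 * memcpy from an invalid address.
 */
static int drive_completion(struct vcpu_model *v,
                            bool (*done)(const struct vcpu_model *))
{
    const uint8_t run_data[8] = {0};  /* constructed stand-in for run->mmio.data */
    int rounds = 0;

    while (v->mmio_needed) {
        if (v->mmio_cur_fragment >= MMIO_FRAGMENTS)
            return -1;                /* the model refuses the out-of-bounds read */
        memcpy(v->mmio_fragments[v->mmio_cur_fragment].data, run_data, 8);
        v->mmio_cur_fragment++;       /* fragment consumed, switch to the next */
        rounds++;
        if (done(v))
            v->mmio_needed = false;   /* emulation complete, no further exit */
        /* otherwise: exit to userspace again and re-enter here */
    }
    return rounds;
}

/* Run one scenario from a chosen starting state with either predicate. */
int run_scenario(unsigned cur_fragment, unsigned nr_fragments, bool fixed)
{
    struct vcpu_model v;

    memset(&v, 0, sizeof v);
    v.mmio_needed = true;
    v.mmio_cur_fragment = cur_fragment;
    v.mmio_nr_fragments = nr_fragments;
    return drive_completion(&v, fixed ? done_geq : done_equal);
}

int main(void)
{
    /* Ordinary two-fragment access: both checks finish after two trips. */
    printf("healthy, '==': %d trips\n", run_scenario(0, 2, false));
    printf("healthy, '>=': %d trips\n", run_scenario(0, 2, true));
    /* Stale state from the commit message: index 1, count reset to 0. */
    printf("stale,   '==': %d (-1 = walked past the array)\n", run_scenario(1, 0, false));
    printf("stale,   '>=': %d trip, terminates\n", run_scenario(1, 0, true));
    return 0;
}
```

The healthy case behaves identically under both checks, which is why the `==` form survived review: the difference only appears when the count is lowered underneath an index that has already advanced. The `>=` form is the usual defensive shape for a "have I consumed everything" test on a monotonically increasing index, and it is the same check a reviewer would ask for on any similar fragment or scatter-gather walk.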