linux/arch/x86
Andrew Honig a08d3b3b99 kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
The problem occurs when the guest performs a pusha with the stack
address pointing to an mmio address (or an invalid guest physical
address) to start with, but then extends into an ordinary guest
physical address.  When doing repeated emulated pushes
emulator_read_write sets mmio_needed to 1 on the first one.  On a
later push when the stack points to regular memory,
mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0.

As a result, KVM exits to userspace, and then returns to
complete_emulated_mmio.  In complete_emulated_mmio
vcpu->mmio_cur_fragment is incremented.  The termination condition of
vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
The code bounces back and forth to userspace incrementing
mmio_cur_fragment past its buffer.  If the guest does nothing else it
eventually leads to a crash on a memcpy from an invalid memory address.

However if guest code can cause the vm to be destroyed in another
vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
can be used by the guest to control the data that's pointed to by the
call to cancel_work_item, which can be used to gain execution.

Fixes: f78146b0f9
Signed-off-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org (3.5+)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-02-27 19:35:22 +01:00
boot x86, boot: Fix word-size assumptions in has_eflag() inline asm 2014-01-30 08:04:32 -08:00
configs x86, defconfig: Add DEVTMPFS and DEVTMPFS_MOUNT to *86*_defconfig 2013-11-04 20:01:55 -08:00
crypto crypto: aesni - fix build on x86 (32bit) 2014-01-15 11:36:34 +08:00
ia32 constify copy_siginfo_to_user{,32}() 2013-11-09 00:16:29 -05:00
include Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-02-15 15:02:28 -08:00
kernel Two fixes in the tracing utility. 2014-02-15 15:03:34 -08:00
kvm kvm: x86: fix emulator buffer overflow (CVE-2014-0049) 2014-02-27 19:35:22 +01:00
lguest x86, asmlinkage, lguest: Fix C functions used by inline assembler 2014-01-29 22:17:17 -08:00
lib Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-01-25 11:17:34 -08:00
math-emu x86: math-emu: Drop already-disabled print of build date 2014-01-27 23:14:12 +01:00
mm x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off 2014-02-13 08:40:52 -08:00
net bpf: do not use reciprocal divide 2014-01-15 17:02:08 -08:00
oprofile perf: Fix arch_perf_out_copy_user default 2013-11-06 12:34:25 +01:00
pci ACPI and power management updates for 3.14-rc1 2014-01-24 15:51:02 -08:00
platform x86/efi: Check status field to validate BGRT header 2014-02-14 10:07:15 +00:00
power x86, asmlinkage, power: Make various symbols used by the suspend asm code visible 2013-08-06 14:21:03 -07:00
realmode Merge commit 'f4bcd8ccddb02833340652e9f46f5127828eb79d' into x86/build 2014-01-29 09:07:00 -08:00
syscalls sched: Add new scheduler syscalls to support an extended scheduling parameters ABI 2014-01-13 13:41:04 +01:00
tools Merge commit 'f4bcd8ccddb02833340652e9f46f5127828eb79d' into x86/build 2014-01-29 09:07:00 -08:00
um um, x86: Fix vDSO build 2014-01-12 16:47:31 +01:00
vdso Merge branch 'x86-cleanups-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-01-20 12:03:57 -08:00
video
xen xen: properly account for _PAGE_NUMA during xen pte translations 2014-02-10 16:01:41 -08:00
.gitignore
Kbuild
Kconfig * Avoid WARN_ON() when mapping BGRT on Baytrail (EFI 32-bit). 2014-02-07 11:27:30 -08:00
Kconfig.cpu
Kconfig.debug x86: Disable CONFIG_X86_DECODER_SELFTEST in allmod/allyesconfigs 2014-02-05 14:10:30 -08:00
Makefile x86, build: Build 16-bit code with -m16 where possible 2014-01-30 08:05:36 -08:00
Makefile_32.cpu
Makefile.um