linux/arch/x86/kvm
Marcelo Tosatti 59839dfff5 KVM: x86: check for cr3 validity in ioctl_set_sregs
Matt T. Yourst notes that kvm_arch_vcpu_ioctl_set_sregs lacks validity
checking for the new cr3 value:

"Userspace callers of KVM_SET_SREGS can pass a bogus value of cr3 to
the kernel. This will trigger a NULL pointer access in gfn_to_rmap()
when userspace next tries to call KVM_RUN on the affected VCPU and kvm
attempts to activate the new non-existent page table root.

This happens since kvm only validates that cr3 points to a valid guest
physical memory page when code *inside* the guest sets cr3. However, kvm
currently trusts the userspace caller (e.g. QEMU) on the host machine to
always supply a valid page table root, rather than properly validating
it along with the rest of the reloaded guest state."

http://sourceforge.net/tracker/?func=detail&atid=893831&aid=2687641&group_id=180599

Check for a valid cr3 address in kvm_arch_vcpu_ioctl_set_sregs, triple
fault in case of failure.

Cc: stable@kernel.org
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
2009-06-10 11:48:43 +03:00
i8254.c KVM: PIT: fix count read and mode 0 handling 2009-06-10 11:48:39 +03:00
i8254.h KVM: unify part of generic timer handling 2009-06-10 11:48:25 +03:00
i8259.c KVM: fix sparse warnings: context imbalance 2009-03-24 11:03:13 +02:00
irq.c KVM: x86: fix LAPIC pending count calculation 2009-02-15 02:47:38 +02:00
irq.h KVM: make irq ack notifications aware of routing table 2009-03-24 11:03:08 +02:00
Kconfig Merge branch 'tracing/core-v2' into tracing-for-linus 2009-04-02 00:49:02 +02:00
kvm_cache_regs.h KVM: x86: accessors for guest registers 2008-10-15 10:13:57 +02:00
kvm_svm.h KVM: x86: Virtualize debug registers 2009-03-24 11:02:49 +02:00
kvm_timer.h KVM: unify part of generic timer handling 2009-06-10 11:48:25 +03:00
lapic.c KVM: make 'lapic_timer_ops' and 'kpit_ops' static 2009-06-10 11:48:29 +03:00
lapic.h KVM: APIC: get rid of deliver_bitmask 2009-06-10 11:48:27 +03:00
Makefile KVM: unify part of generic timer handling 2009-06-10 11:48:25 +03:00
mmu.c KVM: MMU: remove global page optimization logic 2009-06-10 11:48:39 +03:00
mmu.h KVM: Use rsvd_bits_mask in load_pdptrs() 2009-06-10 11:48:36 +03:00
paging_tmpl.h KVM: MMU: remove global page optimization logic 2009-06-10 11:48:39 +03:00
svm.c KVM: SVM: Skip instruction on a task switch only when appropriate 2009-06-10 11:48:42 +03:00
timer.c KVM: unify part of generic timer handling 2009-06-10 11:48:25 +03:00
tss.h KVM: x86: hardware task switching support 2008-04-27 12:00:39 +03:00
vmx.c KVM: Fix unneeded instruction skipping during task switching. 2009-06-10 11:48:38 +03:00
x86_emulate.c KVM: x86 emulator: Decode soft interrupt instructions 2009-06-10 11:48:41 +03:00
x86.c KVM: x86: check for cr3 validity in ioctl_set_sregs 2009-06-10 11:48:43 +03:00
x86.h KVM: reuse (pop|push)_irq from svm.c in vmx.c 2009-06-10 11:48:31 +03:00