From 9f1cdfc65fe0e6489ec6c1f75fb05946592e3a05 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Dec 12 2013 21:25:04 +0000 Subject: CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071) --- diff --git a/KVM-Improve-create-VCPU-parameter.patch b/KVM-Improve-create-VCPU-parameter.patch new file mode 100644 index 0000000..5c57462 --- /dev/null +++ b/KVM-Improve-create-VCPU-parameter.patch 
@@ -0,0 +1,93 @@ +Bugzilla: 1042071 +Upstream-status: 3.13 and sent to stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp361298oab; + Thu, 12 Dec 2013 12:41:21 -0800 (PST) +X-Received: by 10.50.109.132 with SMTP id hs4mr33803866igb.34.1386880880893; + Thu, 12 Dec 2013 12:41:20 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id q8si17378346pav.173.2013.12.12.12.40.57 + for ; + Thu, 12 Dec 2013 12:41:20 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1752041Ab3LLUhR (ORCPT + 64 others); + Thu, 12 Dec 2013 15:37:17 -0500 +Received: from mail-ea0-f179.google.com ([209.85.215.179]:43785 "EHLO + mail-ea0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751761Ab3LLUhN (ORCPT + ); Thu, 12 Dec 2013 15:37:13 -0500 +Received: by mail-ea0-f179.google.com with SMTP id r15so485140ead.24 + for ; Thu, 12 Dec 2013 12:37:11 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=sender:from:to:cc:subject:date:message-id; + bh=3nLdta59rbActmGe9iq6aMqjNBfzfF7lqy0gb7EeI0I=; + b=fWKHZKszZQjXAVDzYAlwX8s4+UNEomYiCAX0zvDzW7A5Yiy28MUt0QbNu6288Pu+Qs + NJ38SpDcPLWzGknYOLggLa21nXsv4tX9vp4FFEY4i3H5iCVpXbvxIc+n9ZVOzWY2wkxK + HR1Xf24kJ9FPuV/LoIyu5RlHZUm95BoAe7TxRZWlkcxQ0vEOSAyZQwH4EIj6SS7fXI1d + PoqZKm7100ib0/wm6I49cF2b0EXRTSOYrgZneyniPVGpfTkpN2atNcEgdLSvAWQKEI+p + 79Dt0/BJd2CIuqgUbZBlA8pH6a119FtfrVqxVWJAmVvsv9lpkMIjJrFTj9yqpUFKeeYB + XTeA== 
+X-Received: by 10.14.6.136 with SMTP id 8mr9978716een.11.1386880631657; + Thu, 12 Dec 2013 12:37:11 -0800 (PST) +Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54]) + by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.00 + for + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Thu, 12 Dec 2013 12:37:01 -0800 (PST) +From: Paolo Bonzini +To: linux-kernel@vger.kernel.org +Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com, + Andy Honig , stable@vger.kernel.org +Subject: [PATCH] KVM: Improve create VCPU parameter +Date: Thu, 12 Dec 2013 21:36:51 +0100 +Message-Id: <1386880614-23300-1-git-send-email-pbonzini@redhat.com> +X-Mailer: git-send-email 1.8.3.1 +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +From: Andy Honig + +In multiple functions the vcpu_id is used as an offset into a bitfield. Ag +malicious user could specify a vcpu_id greater than 255 in order to set or +clear bits in kernel memory. This could be used to elevate priveges in the +kernel. This patch verifies that the vcpu_id provided is less than 255. +The api documentation already specifies that the vcpu_id must be less than +max_vcpus, but this is currently not checked. 
+ +Reported-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Honig +Signed-off-by: Paolo Bonzini +--- + virt/kvm/kvm_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index a0aa84b5941a..4f588bc94186 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1898,6 +1898,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) + int r; + struct kvm_vcpu *vcpu, *v; + ++ if (id >= KVM_MAX_VCPUS) ++ return -EINVAL; ++ + vcpu = kvm_arch_vcpu_create(kvm, id); + if (IS_ERR(vcpu)) + return PTR_ERR(vcpu); +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index dd9fb57..505702b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -839,6 +839,9 @@ Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch #CVE-2013-6376 rhbz 1033106 1042099 Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch +#CVE-2013-4587 rhbz 1030986 1042071 +Patch25175: KVM-Improve-create-VCPU-parameter.patch + # END OF PATCH DEFINITIONS %endif @@ -1615,6 +1618,9 @@ ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch #CVE-2013-6376 rhbz 1033106 1042099 ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch +#CVE-2013-4587 rhbz 1030986 1042071 +ApplyPatch KVM-Improve-create-VCPU-parameter.patch + # END OF PATCH APPLICATIONS %endif @@ -2457,6 +2463,7 @@ fi # || || %changelog * Thu Dec 12 2013 Josh Boyer +- CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071) - CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) - CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090) - CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)
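Review bot: the kvm_main.c hunk rejects `id >= KVM_MAX_VCPUS`, but the description says the patch "verifies that the vcpu_id provided is less than 255" and that the API documents the bound as `max_vcpus`; these three statements do not agree, so the description should name `KVM_MAX_VCPUS` as the rejection bound (it is the compile-time bound behind the per-VM vcpu arrays and the bitfield offsets the text refers to) instead of a literal 255. It is also worth stating that `id` is `u32`, so the single unsigned `>=` comparison placed before `kvm_arch_vcpu_create()` is sufficient and no separate negative check is needed. The committed patch file additionally carries the full mail transport headers (Received, X-Received, Received-SPF, Authentication-Results, the DKIM-Signature blob, Precedence/List-ID and the majordomo trailer); only the Bugzilla and Upstream-status lines plus From/To/Cc/Subject/Date/Message-Id are useful for backport tracking, so the rest should be stripped before the file goes into the tree, and the Upstream-status line should be updated with the upstream commit id once it lands in 3.13. Finally, the description has typos to fix when the file is regenerated: "Ag malicious user" should read "A malicious user", "priveges" should read "privileges", and the Reported-by/Signed-off-by name "Andrew Honig" differs from the From line "Andy Honig".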