From c519a21724446b74ef8823fb8c9f7ae0bb831de0 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Dec 12 2013 21:25:04 +0000
Subject: CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)
---
diff --git a/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch b/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
new file mode 100644
index 0000000..8e144df
--- /dev/null
+++ b/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
@@ -0,0 +1,102 @@ +Bugzilla: 1042081 +Upstream-status: 3.13 and sent for stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp361402oab; + Thu, 12 Dec 2013 12:43:43 -0800 (PST) +X-Received: by 10.68.241.134 with SMTP id wi6mr15423072pbc.44.1386881023599; + Thu, 12 Dec 2013 12:43:43 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id w3si17375457pbh.89.2013.12.12.12.43.07 + for ; + Thu, 12 Dec 2013 12:43:43 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1752145Ab3LLUiu (ORCPT + + 99 others); Thu, 12 Dec 2013 15:38:50 -0500 +Received: from mail-ee0-f45.google.com ([74.125.83.45]:47138 "EHLO + mail-ee0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751902Ab3LLUhP (ORCPT + ); + Thu, 12 Dec 2013 15:37:15 -0500 +Received: by mail-ee0-f45.google.com with SMTP id d49so478739eek.32 + for ; Thu, 12 Dec 2013 12:37:13 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=sender:from:to:cc:subject:date:message-id; + bh=Fa9qXXe9oER+jgB6WXA5v2LyR8O2Vaag7ZsOsv67MLg=; + b=WbBUzKN8o3OzB75st3w60z/rVczWaaxrvWc2URlwJwZ0lgqObvbXvAb3ophFJxsr/O + P3rEj33CGt5vFAmZWsrST8I4pVb7IPZYqmPuBklMhDmvegy2um2xEDCyIuI0oybwgple + n1dYPBTNqBhiiLgIUeKgEf88yU5dsAgKOZSTnkMYhDSy9pnGxRda4WtErJ+SHjvcMaX3 + t2Vt97egJ2n+e+2BvnpS8xZ8biqp6/l3EzvdsL4W849fUUshAKva4Npu0T/D4E3JIp2O + 3uY+geb/txJL2rOCacT3RljUb3+zAy2zhqGSjKR3AHePFNIX9RxfMi/vlPmTjO0vfmCP + 
H86Q==
+X-Received: by 10.14.2.73 with SMTP id 49mr10139590eee.15.1386880633625;
+ Thu, 12 Dec 2013 12:37:13 -0800 (PST)
+Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
+ by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.11
+ for
+ (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
+ Thu, 12 Dec 2013 12:37:12 -0800 (PST)
+From: Paolo Bonzini
+To: linux-kernel@vger.kernel.org
+Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
+ Andy Honig , stable@vger.kernel.org
+Subject: [PATCH] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
+Date: Thu, 12 Dec 2013 21:36:52 +0100
+Message-Id: <1386880614-23300-2-git-send-email-pbonzini@redhat.com>
+X-Mailer: git-send-email 1.8.3.1
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID:
+X-Mailing-List: linux-kernel@vger.kernel.org
+
+From: Andy Honig
+
+Under guest controllable circumstances apic_get_tmcct will execute a
+divide by zero and cause a crash. If the guest cpuid support
+tsc deadline timers and performs the following sequence of requests
+the host will crash.
+- Set the mode to periodic
+- Set the TMICT to 0
+- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
+- Set the TMICT to non-zero.
+Then the lapic_timer.period will be 0, but the TMICT will not be. If the
+guest then reads from the TMCCT then the host will perform a divide by 0.
+
+This patch ensures that if the lapic_timer.period is 0, then the division
+does not occur.
+
+Reported-by: Andrew Honig
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Honig
+Signed-off-by: Paolo Bonzini
+---
+ arch/x86/kvm/lapic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 5439117d5c4c..89b52ec7d09c 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
+ ASSERT(apic != NULL);
+
+ /* if initial count is 0, current count should also be 0 */
+- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
++ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
++ apic->lapic_timer.period == 0)
+ return 0;
+
+ remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
+--
+1.8.3.1
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
diff --git a/kernel.spec b/kernel.spec
index 005b9b1..6987969 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -830,6 +830,9 @@ Patch25165: net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch
 Patch25170: Input-elantech-add-support-for-newer-August-2013-dev.patch
 Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch
+#CVE-2013-6367 rhbz 1032207 1042081
+Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1597,6 +1600,9 @@ ApplyPatch net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch
 ApplyPatch Input-elantech-add-support-for-newer-August-2013-dev.patch
 ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch
+#CVE-2013-6367 rhbz 1032207 1042081
+ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
+
 # END OF PATCH APPLICATIONS
 %endif
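Review bot: The new `apic->lapic_timer.period == 0` guard in the nested lapic.c hunk is justified only in the commit message; the comment directly above the condition still reads `/* if initial count is 0, current count should also be 0 */` and gives a maintainer no hint why period can be 0 while TMICT is non-zero. Consider extending it to something like `/* if initial count is 0, current count should also be 0; period can also be 0 when the guest switched the mode bits to an invalid value after clearing TMICT, so never divide by it */`. The division the guard protects, and the rest of apic_get_tmcct, lie outside the hunk, so whether any other path reaches the divide with period == 0 cannot be judged from this patch alone.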
@@ -2438,6 +2444,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Thu Dec 12 2013 Josh Boyer
+- CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)
+
 * Wed Dec 11 2013 Josh Boyer
 - Add patches to support ETPS/2 Elantech touchpads (rhbz 1030802)