diff options
author | Andy Honig <ahonig@google.com> | 2013-11-19 14:12:18 -0800 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2014-01-03 04:33:31 +0000 |
commit | 245d4b4480c20ffb50f0eddadcc6516b9017d863 (patch) | |
tree | 37305bce3951d20ef3b2ee038e0a2e59b53bc983 /security | |
parent | 4a94970b318e0d7387c2d84fa7c92ea782ae52b3 (diff) | |
download | kernel_samsung_smdk4412-245d4b4480c20ffb50f0eddadcc6516b9017d863.zip kernel_samsung_smdk4412-245d4b4480c20ffb50f0eddadcc6516b9017d863.tar.gz kernel_samsung_smdk4412-245d4b4480c20ffb50f0eddadcc6516b9017d863.tar.bz2 |
KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream.
Under guest controllable circumstances apic_get_tmcct will execute a
divide by zero and cause a crash. If the guest cpuid support
tsc deadline timers and performs the following sequence of requests
the host will crash.
- Set the mode to periodic
- Set the TMICT to 0
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
- Set the TMICT to non-zero.
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
guest then reads from the TMCCT then the host will perform a divide by 0.
This patch ensures that if the lapic_timer.period is 0, then the division
does not occur.
Reported-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.2: s/kvm_apic_get_reg/apic_get_reg/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions