linux-sg2042/arch/x86/kvm
Gleb Natapov 17d68b763f KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
A guest can cause a BUG_ON() leading to a host kernel crash.
When the guest writes to the ICR to request an IPI, while in x2apic
mode the following things happen, the destination is read from
ICR2, which is a register that the guest can control.

kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
cluster id.  A BUG_ON is triggered, which is a protection against
accessing map->logical_map with an out-of-bounds access and manages
to avoid that anything really unsafe occurs.

The logic in the code is correct from real HW point of view. The problem
is that KVM supports only one cluster with ID 0 in clustered mode, but
the code that has the bug does not take this into account.

Reported-by: Lars Bull <larsbull@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-12-12 22:46:18 +01:00
..
Kconfig kvm: Add VFIO device 2013-10-30 19:02:03 +01:00
Makefile kvm: Add VFIO device 2013-10-30 19:02:03 +01:00
cpuid.c kvm, cpuid: Fix sparse warning 2013-11-07 12:27:46 +02:00
cpuid.h kvm: Add KVM_GET_EMULATED_CPUID 2013-10-30 18:54:39 +01:00
emulate.c KVM: emulator: cleanup decode_register_operand() a bit 2013-11-05 09:11:30 +02:00
i8254.c KVM: Let ioapic know the irq line status 2013-04-15 23:20:34 -03:00
i8254.h KVM: fold kvm_pit_timer into kvm_kpit_state 2012-08-01 00:21:07 -03:00
i8259.c KVM: inject ExtINT interrupt before APIC interrupts 2012-12-13 23:05:21 -02:00
irq.c x86, apicv: add virtual interrupt delivery support 2013-01-29 10:48:19 +02:00
irq.h KVM: switch to symbolic name for irq_states size 2012-07-20 16:12:16 -03:00
kvm_cache_regs.h KVM: MMU: Do not unconditionally read PDPTE from guest memory 2011-09-25 19:18:01 +03:00
lapic.c KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) 2013-12-12 22:46:18 +01:00
lapic.h KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) 2013-12-12 22:39:46 +01:00
mmu.c KVM: mmu: change useless int return types to void 2013-10-03 15:44:02 +03:00
mmu.h KVM: mmu: change useless int return types to void 2013-10-03 15:44:02 +03:00
mmu_audit.c kvm: mmu: delay mmu audit activation 2013-11-20 11:12:56 +02:00
mmutrace.h KVM: MMU: add tracepoint for check_mmio_spte 2013-06-27 14:20:37 +03:00
paging_tmpl.h KVM: mmu: allow page tables to be in read-only slots 2013-09-17 12:52:31 +03:00
pmu.c perf, kvm: Support the in_tx/in_tx_cp modifiers in KVM arch perfmon emulation v5 2013-07-19 18:24:45 +02:00
svm.c KVM: mmu: change useless int return types to void 2013-10-03 15:44:02 +03:00
trace.h kvm: Add a tracepoint write_tsc_offset 2013-06-27 14:20:51 +03:00
tss.h KVM: x86: hardware task switching support 2008-04-27 12:00:39 +03:00
vmx.c kvm, vmx: Fix lazy FPU on nested guest 2013-11-13 18:46:54 +01:00
x86.c KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) 2013-12-12 22:39:46 +01:00
x86.h KVM: x86: mask unsupported XSAVE entries from leaf 0Dh index 0 2013-10-03 12:29:04 +03:00