On Tue, Apr 2, 2013 at 11:05 PM, Florian Beck <beckflorian82@xxxxxxxxx> wrote:
> The CVE-2013-1796
> (https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=c300aa64ddf57d9c5d9c898a64b36877345dd4a9)
> reports a possibility of host memory corruption.
> I see that this could lead to corruption of guest kernel memory,
> but how could the wrongly aligned address reported by the guest corrupt
> host kernel memory?

If the region crosses a page boundary.

>
> Regards, Florian
>
> ------------------
> This was the posted fix for CVE-2013-1796:
> ------------------
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index f7c850b..2ade60c 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -1959,6 +1959,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu,
> struct msr_data *msr_info)
> /* ...but clean it before doing the actual write */
> vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
> + /* Check that the address is 32-byte aligned. */
> + if (vcpu->arch.time_offset &
> + (sizeof(struct pvclock_vcpu_time_info) - 1))
> + break;
> +
> vcpu->arch.time_page =
> gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
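Review bot: the alignment test in the hunk runs after `vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);` has already stored the offset, so on the `break` path the vCPU is left holding a misaligned `time_offset` while `time_page` stays whatever it was. Testing `data` before the assignment (or resetting `time_offset` when rejecting) would avoid leaving that stale pair for later code to trip over. Also, `& (sizeof(struct pvclock_vcpu_time_info) - 1)` is only an alignment test because that size is a power of two (the comment says 32 bytes); a `BUILD_BUG_ON(sizeof(struct pvclock_vcpu_time_info) != 32)` beside the check would document and enforce the assumption the comment hard-codes.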
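To make the reply's "crosses a page boundary" concrete, here is an added example (not the kernel's code and not from the thread): a small C model that computes where a 32-byte pvclock record at a guest-chosen in-page offset would land on a 4 KiB host page, and checks that the alignment test from the patch keeps every accepted offset inside the page. The `pv_`-prefixed names are mine; the 4 KiB page size and the 32-byte record size are assumptions taken from the patch comment.

```c
/*
 * Added example (not the kernel's code): why a 32-byte pvclock record at a
 * misaligned page offset reaches past the end of the host page, and why the
 * alignment check from the CVE-2013-1796 fix rules that out.
 *
 * Assumptions: 4 KiB pages and a 32-byte record, matching the "32-byte
 * aligned" comment in the patch. Nothing here touches real memory; it only
 * computes where a write at a given offset would land.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PV_PAGE_SIZE 4096UL
#define PV_PAGE_MASK (~(PV_PAGE_SIZE - 1))

/* Stand-in for struct pvclock_vcpu_time_info: 32 bytes, as the patch states. */
struct pv_time_info {
	uint8_t bytes[32];
};

/* Mirrors the kernel's: time_offset = data & ~(PAGE_MASK | 1);
 * bit 0 of the MSR value is the enable flag, the high bits select the guest
 * page, and the remaining bits are the in-page offset the guest chose. */
unsigned long pv_offset_from_msr(unsigned long data)
{
	return data & ~(PV_PAGE_MASK | 1);
}

/* The check the fix adds: reject any offset that is not a multiple of the
 * record size. Valid as an alignment test only because 32 is a power of two. */
bool pv_offset_is_aligned(unsigned long offset)
{
	return (offset & (sizeof(struct pv_time_info) - 1)) == 0;
}

/* How many bytes of the record would fall beyond the end of the page.
 * Nonzero means a write at this offset would run off the mapped page. */
unsigned long pv_bytes_past_page(unsigned long offset)
{
	unsigned long end = offset + sizeof(struct pv_time_info);

	return end > PV_PAGE_SIZE ? end - PV_PAGE_SIZE : 0;
}

/* Exhaustive property: because PV_PAGE_SIZE is a multiple of the record
 * size, every offset the fix accepts keeps the whole record inside the page. */
bool pv_fix_prevents_straddle(void)
{
	unsigned long off;

	for (off = 0; off < PV_PAGE_SIZE; off++)
		if (pv_offset_is_aligned(off) && pv_bytes_past_page(off) != 0)
			return false;
	return true;
}

int main(void)
{
	/* Constructed MSR value: guest frame 1, enable bit set, in-page offset 0xff0. */
	unsigned long data = 0x1000ff1UL;
	unsigned long off = pv_offset_from_msr(data);

	printf("offset 0x%lx: aligned=%d, bytes past page end=%lu\n",
	       off, pv_offset_is_aligned(off), pv_bytes_past_page(off));
	printf("accepted offsets always stay in-page: %d\n",
	       pv_fix_prevents_straddle());
	return 0;
}
```

With the constructed value the model reports offset 0xff0 as misaligned with 16 bytes of the record beyond the page end, which is exactly the case the `break` in the patch now refuses; the exhaustive loop shows that no offset passing the `& (sizeof - 1)` test can straddle a page.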