Hi.

Please backport upstream commit b963a22e6d1a266a67e9eecc88134713fd54775c to 3.4. This patch has already been backported to other stable kernels.

The upstream patch does not apply cleanly to 3.4. The function kvm_apic_get_reg is apic_get_reg instead. Please backport similarly as commit 245d4b4480c20ffb50f0eddadcc6516b9017d863 from 3.2.54 by Ben Hutchings or commit 6f3bf648844e42246297315a389a7cb5a5d30ac2 from 3.5.7.28 by Luis Henriques.

commit b963a22e6d1a266a67e9eecc88134713fd54775c
Author: Andy Honig <ahonig@xxxxxxxxxx>
Date:   Tue Nov 19 14:12:18 2013 -0800

    KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)

    Under guest controllable circumstances apic_get_tmcct will execute a
    divide by zero and cause a crash. If the guest cpuid support
    tsc deadline timers and performs the following sequence of requests
    the host will crash.
    - Set the mode to periodic
    - Set the TMICT to 0
    - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
    - Set the TMICT to non-zero.
    Then the lapic_timer.period will be 0, but the TMICT will not be. If the
    guest then reads from the TMCCT then the host will perform a divide by 0.

    This patch ensures that if the lapic_timer.period is 0, then the division
    does not occur.

    Reported-by: Andrew Honig <ahonig@xxxxxxxxxx>
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Andrew Honig <ahonig@xxxxxxxxxx>
    Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

Cheers,
Vinson
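The state the commit message describes can be reproduced in a small user-space model, shown here as an added example (not code from the kernel or from this thread). All names are hypothetical, and two things are modelling assumptions: that the period is recomputed only on a TMICT write in one-shot or periodic mode, and that the pre-fix code tested the TMICT register alone.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the timer state; not kernel code. */
#define BUS_CYCLE_NS 1u /* constructed constant for the model */
enum timer_mode { ONESHOT = 0, PERIODIC = 1, TSC_DEADLINE = 2, RESERVED = 3 };

struct model_timer {
    enum timer_mode mode;
    uint32_t tmict;   /* initial-count register as last written */
    uint32_t divide;  /* divide configuration */
    uint64_t period;  /* derived value, later used as a divisor */
};

/* Assumption: period is only recomputed in one-shot or periodic mode. */
static void write_tmict(struct model_timer *t, uint32_t val)
{
    t->tmict = val;
    if (t->mode == ONESHOT || t->mode == PERIODIC)
        t->period = (uint64_t)val * BUS_CYCLE_NS * t->divide;
}

/* Assumed pre-fix check: only the register is tested before dividing. */
static int register_only_check_divides(const struct model_timer *t)
{
    return t->tmict != 0;
}

/* Guarded read: no division when the register or the period is zero. */
static uint32_t read_tmcct(const struct model_timer *t, uint64_t remaining_ns)
{
    if (t->tmict == 0 || t->period == 0)
        return 0;
    uint64_t ns = remaining_ns % t->period;
    return (uint32_t)(ns / ((uint64_t)BUS_CYCLE_NS * t->divide));
}

/* Replays the four writes listed in the commit message. */
static struct model_timer replay_sequence(void)
{
    struct model_timer t = { ONESHOT, 0, 1, 0 };
    t.mode = PERIODIC; write_tmict(&t, 0);
    t.mode = RESERVED; write_tmict(&t, 1000); /* 1000 is a constructed value */
    return t;
}

int main(void)
{
    struct model_timer t = replay_sequence();
    printf("tmict=%u period=%llu register-only check divides=%d guarded=%u\n",
           t.tmict, (unsigned long long)t.period,
           register_only_check_divides(&t), read_tmcct(&t, 4500));
    return 0;
}
```
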