diff options
| author | Andy Honig <ahonig@google.com> | 2013-03-11 09:34:52 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-04-25 21:19:54 -0700 |
| commit | ce7d8662581f032101ca70bbe1a2e62cd93fd1bc (patch) | |
| tree | 56fe1217a3f7f21a9cf7dd4e5aebc214a4a90efd /arch/x86/include/asm/string_64.h | |
| parent | e3aa8553976945b33cc83c6432fab7568ba11b04 (diff) | |
KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
commit c300aa64ddf57d9c5d9c898a64b36877345dd4a9 upstream.
If the guest sets the GPA of the time_page so that the request to update the
time straddles a page then KVM will write onto an incorrect page. The
write is done byusing kmap atomic to get a pointer to the page for the time
structure and then performing a memcpy to that page starting at an offset
that the guest controls. Well behaved guests always provide a 32-byte aligned
address, however a malicious guest could use this to corrupt host kernel
memory.
Tested: Tested against kvmclock unit test.
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch/x86/include/asm/string_64.h')
0 files changed, 0 insertions, 0 deletions