KVM: PIT: control word is write-only (CVE-2010-0309)

svn path=/dists/trunk/linux-2.6/; revision=15126

debian/changelog

@@ -6,6 +6,7 @@ linux-2.6 (2.6.32-8) UNRELEASED; urgency=low
   [ dann frazier ]
   * Remove TIF_ABI_PENDING bit from x86, sparc & powerpc, fixing
     32-bit userland/64-bit kernel breakage (Closes: #568416)
+  * KVM: PIT: control word is write-only (CVE-2010-0309)
   
   [ Ben Hutchings ]
   * Build lgs8gxx driver along with cxusb (Closes: #568414)

debian/patches/bugfix/x86/kvm-pit-control-word-is-write-only.patch

@@ -0,0 +1,25 @@
+commit 336f40a728b9a4a5db5e1df5c89852c79ff95604
+Author: Marcelo Tosatti <mtosatti@redhat.com>
+Date:   Fri Jan 29 17:28:41 2010 -0200
+
+    KVM: PIT: control word is write-only
+    
+    PIT control word (address 0x43) is write-only, reads are undefined.
+    
+    Cc: stable@kernel.org
+    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index caad189..6a74246 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -467,6 +467,9 @@ static int pit_ioport_read(struct kvm_io_device *this,
+ 		return -EOPNOTSUPP;
+ 
+ 	addr &= KVM_PIT_CHANNEL_MASK;
++	if (addr == 3)
++		return 0;
++
+ 	s = &pit_state->channels[addr];
+ 
+ 	mutex_lock(&pit_state->lock);

debian/patches/series/8

@@ -4,3 +4,4 @@
 + bugfix/all/cxusb-select-lgs8gxx.patch
 - bugfix/all/clocksource-events-Fix-fallout-of-generic-code-changes.patch
 + bugfix/all/clocksource-always-define-clocksource_max_deferment.patch
++ bugfix/x86/kvm-pit-control-word-is-write-only.patch