KVM: Improve create VCPU parameter (CVE-2013-4587)

svn path=/dists/sid/linux/; revision=20897
2013-12-19 11:36:04 +00:00 · 2013-12-19 11:36:04 +00:00 · a726e68e7f
parent 0970716d70
commit a726e68e7f
3 changed files with 34 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -54,6 +54,7 @@ linux (3.12.5-1) UNRELEASED; urgency=medium
  * linux-source: Compress with gzip -1 (Closes: #725492)
  * [alpha] Prevent a NULL ptr dereference in csum_partial_copy
  * media/cxd2820r_core: Fix regression in 3.12.3, thanks to Frederik Himpe
+  * KVM: Improve create VCPU parameter (CVE-2013-4587)

  [ Ian Campbell ]
  * [armel/kirkwood+orion] Reenable MARVELL_PHY (Closes: #723177)
--- a/debian/patches/bugfix/all/KVM-Improve-create-VCPU-parameter-CVE-2013-4587.patch
+++ b/debian/patches/bugfix/all/KVM-Improve-create-VCPU-parameter-CVE-2013-4587.patch
@ -0,0 +1,32 @@
+From: Andy Honig <ahonig@google.com>
+Date: Mon, 18 Nov 2013 16:09:22 -0800
+Subject: KVM: Improve create VCPU parameter (CVE-2013-4587)
+Origin: https://git.kernel.org/linus/338c7dbadd2671189cec7faf64c84d01071b3f96
+
+In multiple functions the vcpu_id is used as an offset into a bitfield.  Ag
+malicious user could specify a vcpu_id greater than 255 in order to set or
+clear bits in kernel memory.  This could be used to elevate priveges in the
+kernel.  This patch verifies that the vcpu_id provided is less than 255.
+The api documentation already specifies that the vcpu_id must be less than
+max_vcpus, but this is currently not checked.
+
+Reported-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ virt/kvm/kvm_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
+@@ -1893,6 +1893,9 @@ static int kvm_vm_ioctl_create_vcpu(stru
+ 	int r;
+ 	struct kvm_vcpu *vcpu, *v;
+ 
+	if (id >= KVM_MAX_VCPUS)
+		return -EINVAL;
+
+ 	vcpu = kvm_arch_vcpu_create(kvm, id);
+ 	if (IS_ERR(vcpu))
+ 		return PTR_ERR(vcpu);
--- a/debian/patches/series
+++ b/debian/patches/series
@ -83,3 +83,4 @@ bugfix/all/disable-some-marvell-phys.patch
 features/all/media-az6007-support-Technisat-Cablestar-Combo-HDCI-.patch
 bugfix/all/alpha-Prevent-a-NULL-ptr-dereference-in-csum_partial.patch
 bugfix/all/media-cxd2820r_core-fix-sparse-warnings.patch
+bugfix/all/KVM-Improve-create-VCPU-parameter-CVE-2013-4587.patch