diff options
| author | Andy Honig <ahonig@google.com> | 2013-11-19 14:12:18 -0800 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2013-12-12 22:39:45 +0100 |
| commit | b963a22e6d1a266a67e9eecc88134713fd54775c (patch) | |
| tree | b378e97caf7869445b6168e87b7c6b36d7e87674 /arch/x86/platform/goldfish | |
| parent | 338c7dbadd2671189cec7faf64c84d01071b3f96 (diff) | |
| download | linux-b963a22e6d1a266a67e9eecc88134713fd54775c.tar.gz linux-b963a22e6d1a266a67e9eecc88134713fd54775c.tar.bz2 linux-b963a22e6d1a266a67e9eecc88134713fd54775c.zip | |
KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
Under guest controllable circumstances apic_get_tmcct will execute a
divide by zero and cause a crash. If the guest cpuid support
tsc deadline timers and performs the following sequence of requests
the host will crash.
- Set the mode to periodic
- Set the TMICT to 0
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
- Set the TMICT to non-zero.
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
guest then reads from the TMCCT then the host will perform a divide by 0.
This patch ensures that if the lapic_timer.period is 0, then the division
does not occur.
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'arch/x86/platform/goldfish')
0 files changed, 0 insertions, 0 deletions