Andy Honig f4d838225e KVM: Improve create VCPU parameter (CVE-2013-4587) ...

commit 338c7dbadd upstream.

In multiple functions the vcpu_id is used as an offset into a bitfield.  Ag
malicious user could specify a vcpu_id greater than 255 in order to set or
clear bits in kernel memory.  This could be used to elevate priveges in the
kernel.  This patch verifies that the vcpu_id provided is less than 255.
The api documentation already specifies that the vcpu_id must be less than
max_vcpus, but this is currently not checked.

Reported-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2013-12-20 07:45:07 -08:00

..

assigned-dev.c

KVM: Move irq routing to generic code

2013-04-26 20:27:17 +02:00

async_pf.c

KVM: do not release the error page

2012-08-06 16:04:58 +03:00

async_pf.h

KVM: Halt vcpu if page it tries to access is swapped out

2011-01-12 11:21:39 +02:00

coalesced_mmio.c

KVM: make checks stricter in coalesced_mmio_in_range()

2011-12-27 11:17:07 +02:00

coalesced_mmio.h

KVM: Make coalesced mmio use a device per zone

2011-09-25 19:17:57 +03:00

eventfd.c

KVM: Introduce CONFIG_HAVE_KVM_IRQ_ROUTING

2013-04-26 20:27:14 +02:00

ioapic.c

KVM: Set TMR when programming ioapic entry

2013-04-16 16:32:40 -03:00

ioapic.h

KVM: Set TMR when programming ioapic entry

2013-04-16 16:32:40 -03:00

iodev.h

KVM: remove in_range from io devices

2009-09-10 08:33:05 +03:00

iommu.c

KVM: IOMMU: hva align mapping page size

2013-11-29 11:11:50 -08:00

irq_comm.c

KVM: Move irq routing setup to irqchip.c

2013-04-26 20:27:18 +02:00

irqchip.c

KVM: Move irq routing setup to irqchip.c

2013-04-26 20:27:18 +02:00

Kconfig

KVM: Introduce CONFIG_HAVE_KVM_IRQ_ROUTING

2013-04-26 20:27:14 +02:00

kvm_main.c

KVM: Improve create VCPU parameter (CVE-2013-4587)

2013-12-20 07:45:07 -08:00