[pve-devel] [PATCH pve-kernel 1/2] fix CVE-2015-7513

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Jan 8 17:05:30 CET 2016


---
 ...-x86-Reload-pit-counters-for-all-channels.patch | 57 ++++++++++++++++++++++
 Makefile                                           |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch

diff --git a/CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch b/CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
new file mode 100644
index 0000000..79fc1f0
--- /dev/null
+++ b/CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
@@ -0,0 +1,57 @@
+From 0185604c2d82c560dab2f2933a18f797e74ab5a8 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig at google.com>
+Date: Wed, 18 Nov 2015 14:50:23 -0800
+Subject: KVM: x86: Reload pit counters for all channels when restoring state
+
+Currently if userspace restores the pit counters with a count of 0
+on channels 1 or 2 and the guest attempts to read the count on those
+channels, then KVM will perform a mod of 0 and crash.  This will ensure
+that 0 values are converted to 65536 as per the spec.
+
+This is CVE-2015-7513.
+
+Signed-off-by: Andy Honig <ahonig at google.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/x86.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index b84ba4b..7ffc224 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3640,10 +3640,12 @@
+ static int kvm_vm_ioctl_set_pit(struct kvm *kvm, struct kvm_pit_state *ps)
+ {
+ 	int r = 0;
++	int i = 0;
+ 
+ 	mutex_lock(&kvm->arch.vpit->pit_state.lock);
+ 	memcpy(&kvm->arch.vpit->pit_state, ps, sizeof(struct kvm_pit_state));
+-	kvm_pit_load_count(kvm, 0, ps->channels[0].count, 0);
++	for (i = 0; i < 3; i++)
++		kvm_pit_load_count(kvm, i, ps->channels[i].count, 0);
+ 	mutex_unlock(&kvm->arch.vpit->pit_state.lock);
+ 	return r;
+ }
+@@ -3664,6 +3666,7 @@
+ static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps)
+ {
+ 	int r = 0, start = 0;
++	int i = 0;
+ 	u32 prev_legacy, cur_legacy;
+ 	mutex_lock(&kvm->arch.vpit->pit_state.lock);
+ 	prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY;
+@@ -3673,7 +3676,8 @@
+ 	memcpy(&kvm->arch.vpit->pit_state.channels, &ps->channels,
+ 	       sizeof(kvm->arch.vpit->pit_state.channels));
+ 	kvm->arch.vpit->pit_state.flags = ps->flags;
+-	kvm_pit_load_count(kvm, 0, kvm->arch.vpit->pit_state.channels[0].count, start);
++	for (i = 0; i < 3; i++)
++		kvm_pit_load_count(kvm, i, kvm->arch.vpit->pit_state.channels[i].count, start);
+ 	mutex_unlock(&kvm->arch.vpit->pit_state.lock);
+ 	return r;
+ }
+-- 
+cgit v0.11.2
+
diff --git a/Makefile b/Makefile
index cca3acc..389af54 100644
--- a/Makefile
+++ b/Makefile
@@ -240,6 +240,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR}
 	cd ${KERNEL_SRC}; patch -p1 <../KVM-svm-unconditionally-intercept-DB.patch
 	cd ${KERNEL_SRC}; patch -p1 <../apparmor-socket-mediation.patch
 	cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-8709-ptrace-require-mapped-uids-gids.patch
+	cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
 	# backport aacraid update from kernel 4.4rc5
 	cd ${KERNEL_SRC}; patch -p1 <../0001-aacraid-fix-for-LD.patch
 	cd ${KERNEL_SRC}; patch -p1 <../0002-aacraid-add-power-management.patch
-- 
2.1.4





More information about the pve-devel mailing list