[kernel/f20] CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)

Josh Boyer jwboyer at fedoraproject.org
Thu Dec 12 21:28:29 UTC 2013


commit 49a372e808b5160dd118413ffaa1f91e02cc8033
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Thu Dec 12 16:06:22 2013 -0500

    CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)

 KVM-x86-Fix-potential-divide-by-0-in-lapic.patch |  102 ++++++++++++++++++++++
 kernel.spec                                      |    9 ++
 2 files changed, 111 insertions(+), 0 deletions(-)
---
diff --git a/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch b/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
new file mode 100644
index 0000000..8e144df
--- /dev/null
+++ b/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
@@ -0,0 +1,102 @@
+Bugzilla: 1042081
+Upstream-status: 3.13 and sent for stable                                                                                                                                                                                                                                                               
+Delivered-To: jwboyer at gmail.com
+Received: by 10.76.104.107 with SMTP id gd11csp361402oab;
+        Thu, 12 Dec 2013 12:43:43 -0800 (PST)
+X-Received: by 10.68.241.134 with SMTP id wi6mr15423072pbc.44.1386881023599;
+        Thu, 12 Dec 2013 12:43:43 -0800 (PST)
+Return-Path: <linux-kernel-owner at vger.kernel.org>
+Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
+        by mx.google.com with ESMTP id w3si17375457pbh.89.2013.12.12.12.43.07
+        for <multiple recipients>;
+        Thu, 12 Dec 2013 12:43:43 -0800 (PST)
+Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner at vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+       spf=pass (google.com: best guess record for domain of linux-kernel-owner at vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner at vger.kernel.org;
+       dkim=neutral (bad format) header.i=@gmail.com
+Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1752145Ab3LLUiu (ORCPT <rfc822;multinymous at gmail.com>
+	+ 99 others); Thu, 12 Dec 2013 15:38:50 -0500
+Received: from mail-ee0-f45.google.com ([74.125.83.45]:47138 "EHLO
+	mail-ee0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+	with ESMTP id S1751902Ab3LLUhP (ORCPT
+	<rfc822;linux-kernel at vger.kernel.org>);
+	Thu, 12 Dec 2013 15:37:15 -0500
+Received: by mail-ee0-f45.google.com with SMTP id d49so478739eek.32
+        for <multiple recipients>; Thu, 12 Dec 2013 12:37:13 -0800 (PST)
+DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=gmail.com; s=20120113;
+        h=sender:from:to:cc:subject:date:message-id;
+        bh=Fa9qXXe9oER+jgB6WXA5v2LyR8O2Vaag7ZsOsv67MLg=;
+        b=WbBUzKN8o3OzB75st3w60z/rVczWaaxrvWc2URlwJwZ0lgqObvbXvAb3ophFJxsr/O
+         P3rEj33CGt5vFAmZWsrST8I4pVb7IPZYqmPuBklMhDmvegy2um2xEDCyIuI0oybwgple
+         n1dYPBTNqBhiiLgIUeKgEf88yU5dsAgKOZSTnkMYhDSy9pnGxRda4WtErJ+SHjvcMaX3
+         t2Vt97egJ2n+e+2BvnpS8xZ8biqp6/l3EzvdsL4W849fUUshAKva4Npu0T/D4E3JIp2O
+         3uY+geb/txJL2rOCacT3RljUb3+zAy2zhqGSjKR3AHePFNIX9RxfMi/vlPmTjO0vfmCP
+         H86Q==
+X-Received: by 10.14.2.73 with SMTP id 49mr10139590eee.15.1386880633625;
+        Thu, 12 Dec 2013 12:37:13 -0800 (PST)
+Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
+        by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.11
+        for <multiple recipients>
+        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
+        Thu, 12 Dec 2013 12:37:12 -0800 (PST)
+From:	Paolo Bonzini <pbonzini at redhat.com>
+To:	linux-kernel at vger.kernel.org
+Cc:	gleb at redhat.com, kvm at vger.kernel.org, pmatouse at redhat.com,
+	Andy Honig <ahonig at google.com>, stable at vger.kernel.org
+Subject: [PATCH] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
+Date:	Thu, 12 Dec 2013 21:36:52 +0100
+Message-Id: <1386880614-23300-2-git-send-email-pbonzini at redhat.com>
+X-Mailer: git-send-email 1.8.3.1
+Sender:	linux-kernel-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List:	linux-kernel at vger.kernel.org
+
+From: Andy Honig <ahonig at google.com>
+
+Under guest controllable circumstances apic_get_tmcct will execute a
+divide by zero and cause a crash.  If the guest cpuid support
+tsc deadline timers and performs the following sequence of requests
+the host will crash.
+- Set the mode to periodic
+- Set the TMICT to 0
+- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
+- Set the TMICT to non-zero.
+Then the lapic_timer.period will be 0, but the TMICT will not be.  If the
+guest then reads from the TMCCT then the host will perform a divide by 0.
+
+This patch ensures that if the lapic_timer.period is 0, then the division
+does not occur.
+
+Reported-by: Andrew Honig <ahonig at google.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Andrew Honig <ahonig at google.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/lapic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 5439117d5c4c..89b52ec7d09c 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
+ 	ASSERT(apic != NULL);
+ 
+ 	/* if initial count is 0, current count should also be 0 */
+-	if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
++	if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
++		apic->lapic_timer.period == 0)
+ 		return 0;
+ 
+ 	remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
+-- 
+1.8.3.1
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at  http://www.tux.org/lkml/
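Review bot: the comment above the guard, `/* if initial count is 0, current count should also be 0 */`, no longer describes the whole condition once the `apic->lapic_timer.period == 0` clause is added; extend it to state that a zero period (the state left behind by the TMICT/mode sequence in the commit message) also yields a current count of 0, so a later reader does not drop the second clause as redundant. Returning 0 is the safe value here, since with `period == 0` the division the commit message describes has no meaningful result. Separately, the new patch file embeds the full mail transport block (Received, X-Received, DKIM-Signature, Return-Path, Authentication-Results) and the `Upstream-status:` line carries a long run of trailing whitespace; trim the file to the Bugzilla/Upstream-status trailers plus From/Subject/Date/Message-Id so the patch stays reviewable and passes a whitespace check.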
diff --git a/kernel.spec b/kernel.spec
index fdeb5ac..98cf9a5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -839,6 +839,9 @@ Patch25165: net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch
 Patch25170: Input-elantech-add-support-for-newer-August-2013-dev.patch
 Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch
 
+#CVE-2013-6367 rhbz 1032207 1042081
+Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1636,6 +1639,9 @@ ApplyPatch net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch
 ApplyPatch Input-elantech-add-support-for-newer-August-2013-dev.patch
 ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch
 
+#CVE-2013-6367 rhbz 1032207 1042081
+ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2438,6 +2444,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Thu Dec 12 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)
+
 * Wed Dec 11 2013 Josh Boyer <jwboyer at fedoraproject.org>
 - Add patches to support ETPS/2 Elantech touchpads (rhbz 1030802)
 