• Michael S. Tsirkin's avatar
    kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601) · 35df08d6
    Michael S. Tsirkin authored
    commit 350b8bdd upstream.
    
    The third parameter of kvm_iommu_put_pages is wrong,
    It should be 'gfn - slot->base_gfn'.
    
    By making gfn very large, malicious guest or userspace can cause kvm to
    go to this error path, and subsequently to pass a huge value as size.
    Alternatively if gfn is small, then pages would be pinned but never
    unpinned, causing host memory leak and local DOS.
    
    Passing a reasonable but large value could be the most dangerous case,
    because it would unpin a page that should have stayed pinned, and thus
    allow the device to DMA into arbitrary memory.  However, this cannot
    happen because of the condition that can trigger the error:
    
    - out of memory (where you can't allocate even a single page)
      should not be possible for the attacker to trigger
    
    - when exceeding the iommu's address space, guest pages after gfn
      will also exceed the iommu's address space, and inside
      kvm_iommu_put_pages() the iommu_iova_to_phys() will fail.  The
      page thus would not be unpinned at all.
    Reported-by: default avatarJack Morgenstein <jackm@mellanox.com>
    Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    35df08d6
iommu.c 8.3 KB