    KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) · fda4e2e8
    Andy Honig authored
    In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
    potential to corrupt kernel memory if userspace provides an address that
    is at the end of a page.  This patch converts those functions to use
    kvm_write_guest_cached and kvm_read_guest_cached.  It also checks the
    vapic_address specified by userspace during ioctl processing and returns
    an error to userspace if the address is not a valid GPA.
    
    This is generally not guest triggerable, because the required write is
    done by firmware that runs before the guest.  Also, it only affects AMD
    processors and oldish Intel that do not have the FlexPriority feature
    (unless you disable FlexPriority, of course; then newer processors are
    also affected).
    
    Fixes: b93463aa ('KVM: Accelerated apic support')
    Reported-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
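The hazard the commit message describes, as an added illustrative model written for this page. This is not KVM code and not the contents of fda4e2e8; it is a constructed two-page guest memory in which every guest page is a separate host allocation followed by a canary, so a write that runs off the end of one page is visible. It contrasts a write that translates the page once and copies `len` bytes at the in-page offset with no bound check (the class of bug described) against one that validates the whole GPA range up front and splits the copy at page boundaries, which is the behaviour the `kvm_*_guest_cached` helpers and a GPA validity check at ioctl time are meant to guarantee. The page count, slot layout and canary are assumptions of the model.

```c
/* Constructed model of a page-boundary hazard in guest-memory writes. Not KVM code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>

#define PAGE_SHIFT  12
#define PAGE_SIZE   (1UL << PAGE_SHIFT)
#define NR_PAGES    2          /* assumption: the guest has two pages of RAM */
#define CANARY_LEN  16
#define CANARY_BYTE 0xA5

/* Each guest page is its own host allocation with a canary after it, so an
 * access that overruns a page lands in the canary rather than in the next
 * guest page (on a real host the neighbouring bytes are arbitrary kernel data). */
static uint8_t *host_page[NR_PAGES];

static void guest_mem_reset(void)
{
    for (int i = 0; i < NR_PAGES; i++) {
        free(host_page[i]);
        host_page[i] = calloc(PAGE_SIZE + CANARY_LEN, 1);
        memset(host_page[i] + PAGE_SIZE, CANARY_BYTE, CANARY_LEN);
    }
}

/* True if the canary after page i is untouched. */
static bool canary_ok(int i)
{
    for (size_t k = 0; k < CANARY_LEN; k++)
        if (host_page[i][PAGE_SIZE + k] != CANARY_BYTE)
            return false;
    return true;
}

/* The kind of check the fix adds at ioctl time: is this GPA backed by guest memory? */
static bool gpa_is_valid(uint64_t gpa)
{
    return (gpa >> PAGE_SHIFT) < NR_PAGES;
}

/* Hazardous pattern: translate the page once, then copy len bytes at the
 * in-page offset without checking that offset + len stays inside the page. */
static void write_guest_naive(uint64_t gpa, const void *data, size_t len)
{
    uint8_t *hva = host_page[gpa >> PAGE_SHIFT];
    memcpy(hva + (gpa & (PAGE_SIZE - 1)), data, len);
}

/* Safe pattern: validate the whole range, then split the copy at page
 * boundaries and translate each page separately. Returns 0 on success, -1 if
 * any byte of the range is outside guest memory (nothing is written then). */
static int write_guest_split(uint64_t gpa, const void *data, size_t len)
{
    const uint8_t *src = data;
    if (len == 0 || !gpa_is_valid(gpa) || !gpa_is_valid(gpa + len - 1))
        return -1;
    while (len) {
        uint64_t off = gpa & (PAGE_SIZE - 1);
        size_t chunk = PAGE_SIZE - off;
        if (chunk > len)
            chunk = len;
        memcpy(host_page[gpa >> PAGE_SHIFT] + off, src, chunk);
        gpa += chunk;
        src += chunk;
        len -= chunk;
    }
    return 0;
}

/* Four bytes placed two bytes before the end of page 0. Returns 1 if the
 * naive write clobbered the canary after page 0, 0 otherwise. */
static int demo_naive_overruns(void)
{
    const uint8_t v[4] = {1, 2, 3, 4};
    guest_mem_reset();
    write_guest_naive(PAGE_SIZE - 2, v, sizeof v);
    return canary_ok(0) ? 0 : 1;
}

/* Same write through the splitting path. Returns 0 only if the bytes landed
 * in the last two bytes of page 0 and the first two of page 1 with the
 * canary intact, -2 if the write was refused, -3 if the layout is wrong. */
static int demo_split_write(void)
{
    const uint8_t v[4] = {1, 2, 3, 4};
    guest_mem_reset();
    if (write_guest_split(PAGE_SIZE - 2, v, sizeof v) != 0)
        return -2;
    if (!canary_ok(0) || host_page[0][PAGE_SIZE - 2] != 1 ||
        host_page[0][PAGE_SIZE - 1] != 2 || host_page[1][0] != 3 ||
        host_page[1][1] != 4)
        return -3;
    return 0;
}

/* A range that starts in the last page and runs past guest memory is refused outright. */
static int demo_split_rejects_invalid(void)
{
    const uint8_t v[4] = {1, 2, 3, 4};
    guest_mem_reset();
    return write_guest_split((uint64_t)NR_PAGES * PAGE_SIZE - 2, v, sizeof v);
}
```

The point of the model is the shape of the check, not the numbers: a write whose size is fixed by a structure definition but whose base address comes from userspace must be validated against the memory it targets for its entire length, and the translation must be redone for every page the range touches.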