
[PATCH Oneiric CVE-2012-2137] KVM: Fix buffer overflow in kvm_set_irq()


[PATCH Oneiric CVE-2012-2137] KVM: Fix buffer overflow in kvm_set_irq()

Tim Gardner-2
From: Avi Kivity <[hidden email]>

CVE-2012-2137

BugLink: http://bugs.launchpad.net/bugs/1016298

kvm_set_irq() has an internal buffer of three irq routing entries, allowing
connecting a GSI to three IRQ chips or one MSI.  However, setup_routing_entry()
does not properly enforce this, allowing three irqchip routes followed by
an MSI route to overflow the buffer.

Fix by ensuring that an MSI entry is added to an empty list.

Signed-off-by: Avi Kivity <[hidden email]>
(cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed)

Signed-off-by: Tim Gardner <[hidden email]>
---
 virt/kvm/irq_comm.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
index 9f614b4..272407c 100644
--- a/virt/kvm/irq_comm.c
+++ b/virt/kvm/irq_comm.c
@@ -318,6 +318,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
  */
  hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
  if (ei->type == KVM_IRQ_ROUTING_MSI ||
+    ue->type == KVM_IRQ_ROUTING_MSI ||
     ue->u.irqchip.irqchip == ei->irqchip.irqchip)
  return r;
 
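Review bot: the added `ue->type == KVM_IRQ_ROUTING_MSI ||` clause is the whole fix, but the comment that closes at `*/` just above the loop is not updated to state the invariant it now enforces (an MSI route must be the only entry for its GSI, otherwise at most one route per irqchip); please extend that comment so the three-irqchips-or-one-MSI rule from the commit message lives next to the check. Also worth confirming in the surrounding code that `r` still holds an error value at `return r;`, since it is not assigned within this hunk and the MSI case now exits through that path.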
--
1.7.9.5


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
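As an added example, not part of this thread or of the kernel's code, the following user-space C model replays the sequence from the commit message (three irqchip routes, then an MSI route) against the per-GSI check from the hunk, with and without the added clause; the names `route`, `gsi_list`, `add_route`, `replay_three_irqchips_then_msi` and `replay_msi_first` and the constant `KVM_SET_IRQ_BUF` are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of setup_routing_entry()'s per-GSI check, added to
 * illustrate the commit message; not the kernel's code. All names here are the example's own. */
#define KVM_SET_IRQ_BUF 3   /* kvm_set_irq()'s internal buffer holds three entries */

enum route_type { ROUTE_IRQCHIP, ROUTE_MSI };
struct route { enum route_type type; int irqchip; }; /* irqchip = -1 stands in for MSI union bits */
struct gsi_list { struct route e[8]; size_t n; };    /* oversized so an overrun is countable */

/* Mirrors the loop in the hunk: walk existing entries ei for the GSI and reject ue when any
 * condition fires. 'patched' enables the added ue->type == MSI clause. */
static int add_route(struct gsi_list *l, struct route ue, bool patched)
{
    for (size_t i = 0; i < l->n; i++) {
        const struct route *ei = &l->e[i];
        if (ei->type == ROUTE_MSI ||                 /* nothing may follow an MSI entry */
            (patched && ue.type == ROUTE_MSI) ||     /* fix: an MSI entry must be the only one */
            ue.irqchip == ei->irqchip)               /* no duplicate irqchip for one GSI */
            return -1;
    }
    l->e[l->n++] = ue;
    return 0;
}

/* Replay the sequence from the commit message: three irqchip routes, then an MSI route.
 * Returns the resulting entry count; more than KVM_SET_IRQ_BUF means kvm_set_irq()'s
 * fixed buffer would be overrun when it later collects the GSI's routes. */
size_t replay_three_irqchips_then_msi(bool patched)
{
    struct gsi_list l = { .n = 0 };
    for (int chip = 0; chip < 3; chip++)
        add_route(&l, (struct route){ ROUTE_IRQCHIP, chip }, patched);
    add_route(&l, (struct route){ ROUTE_MSI, -1 }, patched);
    return l.n;   /* 4 unpatched, 3 patched */
}

/* An MSI route on an empty list is still accepted after the fix, and it then blocks
 * any later irqchip route for the same GSI in both versions. */
size_t replay_msi_first(bool patched)
{
    struct gsi_list l = { .n = 0 };
    add_route(&l, (struct route){ ROUTE_MSI, -1 }, patched);
    add_route(&l, (struct route){ ROUTE_IRQCHIP, 0 }, patched);
    return l.n;   /* 1 either way */
}
```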

Ack: [PATCH Oneiric CVE-2012-2137] KVM: Fix buffer overflow in kvm_set_irq()

Leann Ogasawara
On 09/07/2012 08:33 AM, Tim Gardner wrote:

> From: Avi Kivity <[hidden email]>
>
> CVE-2012-2137
>
> BugLink: http://bugs.launchpad.net/bugs/1016298
>
> kvm_set_irq() has an internal buffer of three irq routing entries, allowing
> connecting a GSI to three IRQ chips or one MSI.  However, setup_routing_entry()
> does not properly enforce this, allowing three irqchip routes followed by
> an MSI route to overflow the buffer.
>
> Fix by ensuring that an MSI entry is added to an empty list.
>
> Signed-off-by: Avi Kivity <[hidden email]>
> (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed)
>
> Signed-off-by: Tim Gardner <[hidden email]>

Acked-by: Leann Ogasawara <[hidden email]>

> ---
>  virt/kvm/irq_comm.c |    1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
> index 9f614b4..272407c 100644
> --- a/virt/kvm/irq_comm.c
> +++ b/virt/kvm/irq_comm.c
> @@ -318,6 +318,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
>   */
>   hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
>   if (ei->type == KVM_IRQ_ROUTING_MSI ||
> +    ue->type == KVM_IRQ_ROUTING_MSI ||
>      ue->u.irqchip.irqchip == ei->irqchip.irqchip)
>   return r;
>  



ACK: [PATCH Oneiric CVE-2012-2137] KVM: Fix buffer overflow in kvm_set_irq()

Colin King
In reply to this post by Tim Gardner-2
On 07/09/12 16:33, Tim Gardner wrote:

> From: Avi Kivity <[hidden email]>
>
> CVE-2012-2137
>
> BugLink: http://bugs.launchpad.net/bugs/1016298
>
> kvm_set_irq() has an internal buffer of three irq routing entries, allowing
> connecting a GSI to three IRQ chips or one MSI.  However, setup_routing_entry()
> does not properly enforce this, allowing three irqchip routes followed by
> an MSI route to overflow the buffer.
>
> Fix by ensuring that an MSI entry is added to an empty list.
>
> Signed-off-by: Avi Kivity <[hidden email]>
> (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed)
>
> Signed-off-by: Tim Gardner <[hidden email]>
> ---
>   virt/kvm/irq_comm.c |    1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
> index 9f614b4..272407c 100644
> --- a/virt/kvm/irq_comm.c
> +++ b/virt/kvm/irq_comm.c
> @@ -318,6 +318,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
>   */
>   hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
>   if (ei->type == KVM_IRQ_ROUTING_MSI ||
> +    ue->type == KVM_IRQ_ROUTING_MSI ||
>      ue->u.irqchip.irqchip == ei->irqchip.irqchip)
>   return r;
>
>
Looks OK to me.

Acked-by: Colin Ian King <[hidden email]>


APPLIED: [PATCH Oneiric CVE-2012-2137] KVM: Fix buffer overflow in kvm_set_irq()

Tim Gardner-2
In reply to this post by Tim Gardner-2