diff options
| author | Andy Honig <ahonig@google.com> | 2013-11-19 14:12:18 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-12-20 07:48:52 -0800 |
| commit | 10958718b005e046244d2b4a1f1bb9a3ab6e3d29 (patch) | |
| tree | 0b84935d096a353da0a30fa2dbb854766a3415a4 /crypto/internal.h | |
| parent | 41fe7fa8fdeaa5a2a9f3ecaa9a47e2d2afa1b2b1 (diff) | |
| download | linux-rt-10958718b005e046244d2b4a1f1bb9a3ab6e3d29.tar.gz | |
KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream.
Under guest controllable circumstances apic_get_tmcct will execute a
divide by zero and cause a crash. If the guest cpuid support
tsc deadline timers and performs the following sequence of requests
the host will crash.
- Set the mode to periodic
- Set the TMICT to 0
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
- Set the TMICT to non-zero.
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
guest then reads from the TMCCT then the host will perform a divide by 0.
This patch ensures that if the lapic_timer.period is 0, then the division
does not occur.
Reported-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'crypto/internal.h')
0 files changed, 0 insertions, 0 deletions