author: Josh Boyer <jwboyer@fedoraproject.org> 2013-12-12 16:19:51 -0500
committer: Josh Boyer <jwboyer@fedoraproject.org> 2013-12-12 16:29:38 -0500
commit: d856aba78dd0eb51ace65fb0f6f5db9f62d16c78 (patch)
tree: bff80213da2fbf553b755f71d041f58732558abe
parent: b8ac208a87e26b8d38990bd14f3eafffdc3664fb (diff)
CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099)
-rw-r--r-- KVM-x86-fix-guest-initiated-crash-with-x2apic.patch | 109
-rw-r--r-- kernel.spec | 7
2 files changed, 116 insertions, 0 deletions
diff --git a/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch b/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
new file mode 100644
index 000000000..c84fc61b9
--- /dev/null
+++ b/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
@@ -0,0 +1,109 @@
+Bugzilla: 1042099
+Upstream-status: 3.13 and sent for stable
+Delivered-To: jwboyer@gmail.com
+Received: by 10.76.104.107 with SMTP id gd11csp361370oab;
+ Thu, 12 Dec 2013 12:42:56 -0800 (PST)
+X-Received: by 10.43.172.4 with SMTP id nw4mr8453091icc.25.1386880976232;
+ Thu, 12 Dec 2013 12:42:56 -0800 (PST)
+Return-Path: <stable-owner@vger.kernel.org>
+Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
+ by mx.google.com with ESMTP id 2si15667240pax.109.2013.12.12.12.42.31
+ for <multiple recipients>;
+ Thu, 12 Dec 2013 12:42:56 -0800 (PST)
+Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+ spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
+ dkim=neutral (bad format) header.i=@gmail.com
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1751853Ab3LLUiJ (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
+ Thu, 12 Dec 2013 15:38:09 -0500
+Received: from mail-ee0-f54.google.com ([74.125.83.54]:48290 "EHLO
+ mail-ee0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1751884Ab3LLUhS (ORCPT
+ <rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:18 -0500
+Received: by mail-ee0-f54.google.com with SMTP id e51so406857eek.13
+ for <multiple recipients>; Thu, 12 Dec 2013 12:37:17 -0800 (PST)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=gmail.com; s=20120113;
+ h=sender:from:to:cc:subject:date:message-id;
+ bh=VG00enyRpNYeJLwAwqWOGuy3mCBmvpmEBgLPB1IiKNo=;
+ b=p0BlraPBMTIxTXGUuJyYTYRxuMKATenNpVX01fyzNpSYZsMruyMU/sJ8gdc2991eao
+ ZU+66Xlnbd+AyQiuq4P9sMv6Gvax6MvJg04SMZWnLWoZGonmIIwSPch1UKLSJzRN7K+N
+ +Ot3jLtNBYBoREljPkbscbMVOJ2y+S7N61oOZ7IHZNyXVFWDlW8aunduSgc3cytBEhkx
+ UMUUbHVLo+XrXtuggFrmn8oUfJ1hiHQSpOyx8bi0ztxlEjL4DEFpJsKbjRe4sGRgeUy6
+ dRk+7dEcILKBTRVvXaJSriXG5bhZTbcZ5gZab27Ilm1H8Va5Z6R+9C1AwX2x5CQA7Mb1
+ Edug==
+X-Received: by 10.14.107.3 with SMTP id n3mr9951281eeg.67.1386880636981;
+ Thu, 12 Dec 2013 12:37:16 -0800 (PST)
+Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
+ by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.15
+ for <multiple recipients>
+ (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
+ Thu, 12 Dec 2013 12:37:16 -0800 (PST)
+From: Paolo Bonzini <pbonzini@redhat.com>
+To: linux-kernel@vger.kernel.org
+Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
+ stable@vger.kernel.org
+Subject: [PATCH] KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
+Date: Thu, 12 Dec 2013 21:36:54 +0100
+Message-Id: <1386880614-23300-4-git-send-email-pbonzini@redhat.com>
+X-Mailer: git-send-email 1.8.3.1
+Sender: stable-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <stable.vger.kernel.org>
+X-Mailing-List: stable@vger.kernel.org
+
+From: Gleb Natapov <gleb@redhat.com>
+
+A guest can cause a BUG_ON() leading to a host kernel crash.
+When the guest writes to the ICR to request an IPI, while in x2apic
+mode the following things happen, the destination is read from
+ICR2, which is a register that the guest can control.
+
+kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
+cluster id. A BUG_ON is triggered, which is a protection against
+accessing map->logical_map with an out-of-bounds access and manages
+to avoid that anything really unsafe occurs.
+
+The logic in the code is correct from real HW point of view. The problem
+is that KVM supports only one cluster with ID 0 in clustered mode, but
+the code that has the bug does not take this into account.
+
+Reported-by: Lars Bull <larsbull@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/lapic.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index b8bec45c1610..801dc3fd66e1 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic)
+ return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
+ }
+
++#define KMV_X2APIC_CID_BITS 0
++
+ static void recalculate_apic_map(struct kvm *kvm)
+ {
+ struct kvm_apic_map *new, *old = NULL;
+@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm)
+ if (apic_x2apic_mode(apic)) {
+ new->ldr_bits = 32;
+ new->cid_shift = 16;
+- new->cid_mask = new->lid_mask = 0xffff;
++ new->cid_mask = (1 << KMV_X2APIC_CID_BITS) - 1;
++ new->lid_mask = 0xffff;
+ } else if (kvm_apic_sw_enabled(apic) &&
+ !new->cid_mask /* flat mode */ &&
+ kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
+--
+1.8.3.1
+
+--
+To unsubscribe from this list: send the line "unsubscribe stable" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
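Review bot: the new macro is spelled `KMV_X2APIC_CID_BITS` rather than `KVM_...` in both the `#define` and its use in `recalculate_apic_map()`; it compiles because both sites agree, but it should be renamed to the `KVM_` prefix before this copy drifts from upstream. With the bit count set to 0, `(1 << KMV_X2APIC_CID_BITS) - 1` makes `new->cid_mask` zero in x2apic mode, so the cluster id derived from the guest-controlled ICR2 high bits is always 0 and can no longer reach the `BUG_ON` in `apic_cluster_id`, which matches the commit message's point that KVM supports only cluster 0; however, the `else if` test `!new->cid_mask /* flat mode */` now also holds once the x2apic branch has run, so that comment should be updated to say the mask is zero for both flat and x2apic mode. Two documentation points on the patch file itself: it carries the full mail envelope (`Received:`, `DKIM-Signature:`, list footer) above the commit message, which should be trimmed to the `From:`/`Subject:` lines, body and diff; and the `Bugzilla:` trailer lists only 1042099 while the spec comment and commit title name both 1033106 and 1042099, so both ids belong there, along with the upstream commit id once known so that `Upstream-status: 3.13 and sent for stable` can be checked.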
diff --git a/kernel.spec b/kernel.spec
index 1914f41d2..34f64718c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -720,6 +720,9 @@ Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
#CVE-2013-6368 rhbz 1032210 1042090
Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
+#CVE-2013-6376 rhbz 1033106 1042099
+Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1406,6 +1409,9 @@ ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
#CVE-2013-6368 rhbz 1032210 1042090
ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
+#CVE-2013-6376 rhbz 1033106 1042099
+ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2219,6 +2225,7 @@ fi
# || ||
%changelog
* Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099)
- CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090)
- CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081)