diff options
| -rw-r--r-- | KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch | 38 | ||||
| -rw-r--r-- | kernel.spec | 9 |
2 files changed, 47 insertions, 0 deletions
diff --git a/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch b/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch new file mode 100644 index 000000000..170911e1d --- /dev/null +++ b/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch @@ -0,0 +1,38 @@ +Bugzilla: 1085016 +Upstream-status: Queued for 3.15 + +From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Fri, 28 Mar 2014 20:41:50 +0100 +Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi + (CVE-2014-0155) + +QE reported that they got the BUG_ON in ioapic_service to trigger. +I cannot reproduce it, but there are two reasons why this could happen. + +The less likely but also easiest one, is when kvm_irq_delivery_to_apic +does not deliver to any APIC and returns -1. + +Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that +function is never reached. However, you can target the similar loop in +kvm_irq_delivery_to_apic_fast; just program a zero logical destination +address into the IOAPIC, or an out-of-range physical destination address. + +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c +index d4b6015..d98d107 100644 +--- a/virt/kvm/ioapic.c ++++ b/virt/kvm/ioapic.c +@@ -356,7 +356,7 @@ static int ioapic_service(struct kvm_ioapic *ioapic, int irq, bool line_status) + BUG_ON(ioapic->rtc_status.pending_eoi != 0); + ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, + ioapic->rtc_status.dest_map); +- ioapic->rtc_status.pending_eoi = ret; ++ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret); + } else + ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL); + +-- +cgit v0.10.1 + diff --git a/kernel.spec b/kernel.spec index 2cf31a84e..8e94978d5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -642,6 +642,9 @@ Patch25057: net-qlcnic-include-irq.h-for-irq-definitions.patch Patch25058: net-cpts-Add-includes-for-ETH_HLEN-and-VLAN_HLEN-def.patch Patch25059: btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch +#CVE-2014-0155 rhbz 1081589 1085016 +Patch25060: KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch + # END OF PATCH DEFINITIONS %endif @@ -1289,6 +1292,9 @@ ApplyPatch net-qlcnic-include-irq.h-for-irq-definitions.patch ApplyPatch net-cpts-Add-includes-for-ETH_HLEN-and-VLAN_HLEN-def.patch ApplyPatch btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch +#CVE-2014-0155 rhbz 1081589 1085016 +ApplyPatch KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch + # END OF PATCH APPLICATIONS %endif @@ -2068,6 +2074,9 @@ fi # ||----w | # || || %changelog +* Wed Apr 09 2014 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2014-0155 KVM: BUG caused by invalid guest ioapic redirect table (rhbz 1081589 1085016) + * Thu Apr 03 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.15.0-0.rc0.git9.1 - Linux v3.14-7333-g59ecc26004e7 |