fix CVE-2015-7513

diff --git a/CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch b/CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
new file mode 100644 (file)
index 0000000..79fc1f0
--- /dev/null
+++ b/CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
@@ -0,0 +1,57 @@
+From 0185604c2d82c560dab2f2933a18f797e74ab5a8 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig@google.com>
+Date: Wed, 18 Nov 2015 14:50:23 -0800
+Subject: KVM: x86: Reload pit counters for all channels when restoring state
+
+Currently if userspace restores the pit counters with a count of 0
+on channels 1 or 2 and the guest attempts to read the count on those
+channels, then KVM will perform a mod of 0 and crash.  This will ensure
+that 0 values are converted to 65536 as per the spec.
+
+This is CVE-2015-7513.
+
+Signed-off-by: Andy Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/x86.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index b84ba4b..7ffc224 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3640,10 +3640,12 @@
+ static int kvm_vm_ioctl_set_pit(struct kvm *kvm, struct kvm_pit_state *ps)
+ {
+       int r = 0;
++      int i = 0;
+ 
+       mutex_lock(&kvm->arch.vpit->pit_state.lock);
+       memcpy(&kvm->arch.vpit->pit_state, ps, sizeof(struct kvm_pit_state));
+-      kvm_pit_load_count(kvm, 0, ps->channels[0].count, 0);
++      for (i = 0; i < 3; i++)
++              kvm_pit_load_count(kvm, i, ps->channels[i].count, 0);
+       mutex_unlock(&kvm->arch.vpit->pit_state.lock);
+       return r;
+ }
+@@ -3664,6 +3666,7 @@
+ static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps)
+ {
+       int r = 0, start = 0;
++      int i = 0;
+       u32 prev_legacy, cur_legacy;
+       mutex_lock(&kvm->arch.vpit->pit_state.lock);
+       prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY;
+@@ -3673,7 +3676,8 @@
+       memcpy(&kvm->arch.vpit->pit_state.channels, &ps->channels,
+              sizeof(kvm->arch.vpit->pit_state.channels));
+       kvm->arch.vpit->pit_state.flags = ps->flags;
+-      kvm_pit_load_count(kvm, 0, kvm->arch.vpit->pit_state.channels[0].count, start);
++      for (i = 0; i < 3; i++)
++              kvm_pit_load_count(kvm, i, kvm->arch.vpit->pit_state.channels[i].count, start);
+       mutex_unlock(&kvm->arch.vpit->pit_state.lock);
+       return r;
+ }
+-- 
+cgit v0.11.2
+

diff --git a/Makefile b/Makefile
index cd95a3d72e2a23dc2499be4bc97d24db4ebe74df..6c092ccad4672a98607f6235438971f86e1dfb58 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -242,6 +242,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR}
        cd ${KERNEL_SRC}; patch -p1 <../KVM-svm-unconditionally-intercept-DB.patch
        cd ${KERNEL_SRC}; patch -p1 <../apparmor-socket-mediation.patch
        cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-8709-ptrace-require-mapped-uids-gids.patch
+       cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
        # backport aacraid update from kernel 4.4rc5
        cd ${KERNEL_SRC}; patch -p1 <../0001-aacraid-fix-for-LD.patch
        cd ${KERNEL_SRC}; patch -p1 <../0002-aacraid-add-power-management.patch