From: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri, 28 Mar 2014 19:41:50 +0000 (+0100)
Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
X-Git-Tag: omap-for-v3.16/pm-signed~107^2~7
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5678de3f15010b9022ee45673f33bcfc71d47b60;p=pandora-kernel.git

KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)

QE reported that they got the BUG_ON in ioapic_service to trigger.
I cannot reproduce it, but there are two reasons why this could happen.

The less likely but also easiest one, is when kvm_irq_delivery_to_apic
does not deliver to any APIC and returns -1.

Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
function is never reached.  However, you can target the similar loop in
kvm_irq_delivery_to_apic_fast; just program a zero logical destination
address into the IOAPIC, or an out-of-range physical destination address.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---

Reading git-diff-tree failed