KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
authorAndy Honig <ahonig@google.com>
Mon, 11 Mar 2013 16:34:52 +0000 (09:34 -0700)
committerBen Hutchings <ben@decadent.org.uk>
Thu, 25 Apr 2013 19:25:49 +0000 (20:25 +0100)
commitb7c5ee6d49b7cf5a52ae87b955d7ab984cb9c974
tree53809514c9dfe544023cf958e15c16cae75b909d
parent9e6b1d64d2ba4a33cc9d64c2c6104d02b65200e8
KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)

commit c300aa64ddf57d9c5d9c898a64b36877345dd4a9 upstream.

If the guest sets the GPA of the time_page so that the request to update the
time straddles a page then KVM will write onto an incorrect page.  The
write is done byusing kmap atomic to get a pointer to the page for the time
structure and then performing a memcpy to that page starting at an offset
that the guest controls.  Well behaved guests always provide a 32-byte aligned
address, however a malicious guest could use this to corrupt host kernel
memory.

Tested: Tested against kvmclock unit test.

Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
arch/x86/kvm/x86.c