Message ID | 1346965615-44004-2-git-send-email-tim.gardner@canonical.com |
---|---|
State | New |
On 06.09.2012 23:06, Tim Gardner wrote: > From: Avi Kivity <avi@redhat.com> > > CVE-2012-2137 > > BugLink: http://bugs.launchpad.net/bugs/1016298 > > kvm_set_irq() has an internal buffer of three irq routing entries, allowing > connecting a GSI to three IRQ chips or on MSI. However setup_routing_entry() > does not properly enforce this, allowing three irqchip routes followed by > an MSI route to overflow the buffer. > > Fix by ensuring that an MSI entry is added to an empty list. > > Signed-off-by: Avi Kivity <avi@redhat.com> > (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed) > > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > --- > virt/kvm/irq_comm.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c > index 40935be..5494097 100644 > --- a/virt/kvm/irq_comm.c > +++ b/virt/kvm/irq_comm.c > @@ -300,6 +300,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt, > */ > hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link) > if (ei->type == KVM_IRQ_ROUTING_MSI || > + ue->type == KVM_IRQ_ROUTING_MSI || > ue->u.irqchip.irqchip == ei->irqchip.irqchip) > return r; > >
diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c index 40935be..5494097 100644 --- a/virt/kvm/irq_comm.c +++ b/virt/kvm/irq_comm.c @@ -300,6 +300,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt, */ hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link) if (ei->type == KVM_IRQ_ROUTING_MSI || + ue->type == KVM_IRQ_ROUTING_MSI || ue->u.irqchip.irqchip == ei->irqchip.irqchip) return r;
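Review bot: the added `ue->type == KVM_IRQ_ROUTING_MSI` test inside the `hlist_for_each_entry` loop does not depend on `ei`, so it rejects a new MSI route only because the loop body runs at all, that is, when `rt->map[ue->gsi]` already holds an entry. That matches the stated intent (an MSI entry may only be added to an empty list), but it reads like a per-entry comparison and is easy to break in a later refactor; the comment that ends just above the loop should state the rule explicitly. The three-entry limit described for kvm_set_irq() is still enforced only indirectly by these uniqueness conditions, so consider an explicit count check at the point where that buffer is filled, making the bound hold even if setup_routing_entry() changes again.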