Message ID | 1347032008-18916-1-git-send-email-tim.gardner@canonical.com |
---|---|
State | New |
On 09/07/2012 08:33 AM, Tim Gardner wrote: > From: Avi Kivity <avi@redhat.com> > > CVE-2012-2137 > > BugLink: http://bugs.launchpad.net/bugs/1016298 > > kvm_set_irq() has an internal buffer of three irq routing entries, allowing > connecting a GSI to three IRQ chips or on MSI. However setup_routing_entry() > does not properly enforce this, allowing three irqchip routes followed by > an MSI route to overflow the buffer. > > Fix by ensuring that an MSI entry is added to an empty list. > > Signed-off-by: Avi Kivity <avi@redhat.com> > (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed) > > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > virt/kvm/irq_comm.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c > index 9f614b4..272407c 100644 > --- a/virt/kvm/irq_comm.c > +++ b/virt/kvm/irq_comm.c > @@ -318,6 +318,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt, > */ > hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link) > if (ei->type == KVM_IRQ_ROUTING_MSI || > + ue->type == KVM_IRQ_ROUTING_MSI || > ue->u.irqchip.irqchip == ei->irqchip.irqchip) > return r; >
On 07/09/12 16:33, Tim Gardner wrote: > From: Avi Kivity <avi@redhat.com> > > CVE-2012-2137 > > BugLink: http://bugs.launchpad.net/bugs/1016298 > > kvm_set_irq() has an internal buffer of three irq routing entries, allowing > connecting a GSI to three IRQ chips or on MSI. However setup_routing_entry() > does not properly enforce this, allowing three irqchip routes followed by > an MSI route to overflow the buffer. > > Fix by ensuring that an MSI entry is added to an empty list. > > Signed-off-by: Avi Kivity <avi@redhat.com> > (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed) > > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > --- > virt/kvm/irq_comm.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c > index 9f614b4..272407c 100644 > --- a/virt/kvm/irq_comm.c > +++ b/virt/kvm/irq_comm.c > @@ -318,6 +318,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt, > */ > hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link) > if (ei->type == KVM_IRQ_ROUTING_MSI || > + ue->type == KVM_IRQ_ROUTING_MSI || > ue->u.irqchip.irqchip == ei->irqchip.irqchip) > return r; > > Looks OK to me. Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c index 9f614b4..272407c 100644 --- a/virt/kvm/irq_comm.c +++ b/virt/kvm/irq_comm.c @@ -318,6 +318,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt, */ hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link) if (ei->type == KVM_IRQ_ROUTING_MSI || + ue->type == KVM_IRQ_ROUTING_MSI || ue->u.irqchip.irqchip == ei->irqchip.irqchip) return r;
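Review bot: The three-entry limit that the commit message attributes to kvm_set_irq() is still enforced only indirectly in this `if` inside `hlist_for_each_entry`: the added `ue->type == KVM_IRQ_ROUTING_MSI` test rejects an MSI entry when the GSI's list is non-empty, and the irqchip comparison on the last line of the condition rejects duplicate chips, but nothing in the visible lines counts entries against the buffer size. Consider an explicit count check here (or a bound in the consumer) so the invariant does not depend on how many distinct irqchip values exist. The placement of the new test ahead of `ue->u.irqchip.irqchip == ei->irqchip.irqchip` also matters, since short-circuit evaluation keeps that comparison from reading the `u.irqchip` member when `ue` is an MSI entry; that ordering deserves a word in the comment that ends just above the loop, along with the rule that an MSI route must be the only route for its GSI.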