KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 [log] [tgz]
author: Andy Honig <ahonig@google.com> Mon Mar 11 09:34:52 2013 -0700
committer: Marcelo Tosatti <mtosatti@redhat.com> Tue Mar 19 14:17:31 2013 -0300
tree: 509c85623ff9e65c383845562db3dbce2da17531
parent: c09664bb44184b3846e8c5254db4eae4b932682a [diff] [blame]
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index f7c850b..2ade60c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c

@@ -1959,6 +1959,11 @@
 		/* ...but clean it before doing the actual write */
 		vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
 
+		/* Check that the address is 32-byte aligned. */
+		if (vcpu->arch.time_offset &
+				(sizeof(struct pvclock_vcpu_time_info) - 1))
+			break;
+
 		vcpu->arch.time_page =
 				gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
commit	c300aa64ddf57d9c5d9c898a64b36877345dd4a9	[log] [tgz]
author	Andy Honig <ahonig@google.com>	Mon Mar 11 09:34:52 2013 -0700
committer	Marcelo Tosatti <mtosatti@redhat.com>	Tue Mar 19 14:17:31 2013 -0300
tree	509c85623ff9e65c383845562db3dbce2da17531
parent	c09664bb44184b3846e8c5254db4eae4b932682a [diff] [blame]