APPLIED: [Lucid][CVE-2014-3611] KVM: x86: Improve thread safety in pit
Brad Figg
brad.figg at canonical.com
Tue Dec 2 17:21:02 UTC 2014
On 12/02/2014 02:16 AM, Luis Henriques wrote:
> From: Andy Honig <ahonig at google.com>
>
> There's a race condition in the PIT emulation code in KVM. In
> __kvm_migrate_pit_timer the pit_timer object is accessed without
> synchronization. If the race condition occurs at the wrong time this
> can crash the host kernel.
>
> This fixes CVE-2014-3611.
>
> Cc: stable at vger.kernel.org
> Signed-off-by: Andrew Honig <ahonig at google.com>
> Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> (backported from commit 2febc839133280d5a5e8e1179c94ea674489dae2)
> CVE-2014-3611
> BugLink: http://bugs.launchpad.net/bugs/1384540
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> arch/x86/kvm/i8254.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
> index 7e361b4d2a8c..3fae9cd67a1b 100644
> --- a/arch/x86/kvm/i8254.c
> +++ b/arch/x86/kvm/i8254.c
> @@ -256,8 +256,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
> return;
>
> timer = &pit->pit_state.pit_timer.timer;
> + mutex_lock(&pit->pit_state.lock);
> if (hrtimer_cancel(timer))
> hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
> + mutex_unlock(&pit->pit_state.lock);
> }
>
> static void destroy_pit_timer(struct kvm_timer *pt)
>
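Review bot: the locked region correctly keeps hrtimer_cancel() and hrtimer_start_expires() under one critical section, which is what closes the window described in the message, but the commit text only says the object is "accessed without synchronization"; it should name the other path that touches pit_state.pit_timer under pit_state.lock so a reviewer can confirm this is the lock the writer side already uses, and should note that the early `return;` above the new mutex_lock() sits outside the locked region and therefore needs no matching unlock. Since the lock is a mutex, the message should also state that __kvm_migrate_pit_timer() is only reached from a context where sleeping is permitted.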
--
Brad Figg brad.figg at canonical.com http://www.canonical.com