Andy Honig 338c7dbadd KVM: Improve create VCPU parameter (CVE-2013-4587) ...

In multiple functions the vcpu_id is used as an offset into a bitfield.  Ag
malicious user could specify a vcpu_id greater than 255 in order to set or
clear bits in kernel memory.  This could be used to elevate priveges in the
kernel.  This patch verifies that the vcpu_id provided is less than 255.
The api documentation already specifies that the vcpu_id must be less than
max_vcpus, but this is currently not checked.

Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

2013-12-12 22:39:33 +01:00

..

arm

ARM: KVM: Bugfix: vgic_bytemap_get_reg per cpu regs

2013-08-30 16:12:38 +03:00

assigned-dev.c

KVM: Move irq routing to generic code

2013-04-26 20:27:17 +02:00

async_pf.c

KVM: Drop FOLL_GET in GUP when doing async page fault

2013-10-15 13:43:37 +03:00

async_pf.h

KVM: Halt vcpu if page it tries to access is swapped out

2011-01-12 11:21:39 +02:00

coalesced_mmio.c

KVM: make checks stricter in coalesced_mmio_in_range()

2011-12-27 11:17:07 +02:00

coalesced_mmio.h

KVM: Make coalesced mmio use a device per zone

2011-09-25 19:17:57 +03:00

eventfd.c

kvm eventfd: switch to fdget

2013-09-03 23:04:45 -04:00

ioapic.c

KVM: Set TMR when programming ioapic entry

2013-04-16 16:32:40 -03:00

ioapic.h

KVM: Set TMR when programming ioapic entry

2013-04-16 16:32:40 -03:00

iodev.h

KVM: remove in_range from io devices

2009-09-10 08:33:05 +03:00

iommu.c

KVM: IOMMU: hva align mapping page size

2013-11-05 09:55:36 +02:00

irq_comm.c

KVM: Fix RTC interrupt coalescing tracking

2013-06-27 14:20:53 +03:00

irqchip.c

KVM: Move irq routing setup to irqchip.c

2013-04-26 20:27:18 +02:00

Kconfig

kvm: Add VFIO device

2013-10-30 19:02:03 +01:00

kvm_main.c

KVM: Improve create VCPU parameter (CVE-2013-4587)

2013-12-12 22:39:33 +01:00

vfio.c

kvm: Create non-coherent DMA registeration

2013-10-30 19:02:23 +01:00