diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-08-19 19:14:50 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-09-05 16:28:36 -0700 |
| commit | 6e0db2f1e545f8848220e8692e4d3485c845c9cb (patch) | |
| tree | 3edc40bd6a09067768732de86dc268b84e777a9a /crypto/lzo.c | |
| parent | d3cf5ab75bba12328cc3a3960ee1b2dff623960c (diff) | |
| download | linux-3.10-6e0db2f1e545f8848220e8692e4d3485c845c9cb.tar.gz linux-3.10-6e0db2f1e545f8848220e8692e4d3485c845c9cb.tar.bz2 linux-3.10-6e0db2f1e545f8848220e8692e4d3485c845c9cb.zip | |
kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)
commit 350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 upstream.
The third parameter of kvm_iommu_put_pages is wrong,
It should be 'gfn - slot->base_gfn'.
By making gfn very large, malicious guest or userspace can cause kvm to
go to this error path, and subsequently to pass a huge value as size.
Alternatively if gfn is small, then pages would be pinned but never
unpinned, causing host memory leak and local DOS.
Passing a reasonable but large value could be the most dangerous case,
because it would unpin a page that should have stayed pinned, and thus
allow the device to DMA into arbitrary memory. However, this cannot
happen because of the condition that can trigger the error:
- out of memory (where you can't allocate even a single page)
should not be possible for the attacker to trigger
- when exceeding the iommu's address space, guest pages after gfn
will also exceed the iommu's address space, and inside
kvm_iommu_put_pages() the iommu_iova_to_phys() will fail. The
page thus would not be unpinned at all.
Reported-by: Jack Morgenstein <jackm@mellanox.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'crypto/lzo.c')
0 files changed, 0 insertions, 0 deletions