|
 |
b136801 |
From: Andy Honig <ahonig@google.com>
|
|
|
b136801 |
Date: Fri, 24 Oct 2014 17:07:14 +0200
|
|
|
b136801 |
Subject: [PATCH] KVM: x86: Improve thread safety in pit
|
|
|
b136801 |
|
|
|
b136801 |
There's a race condition in the PIT emulation code in KVM. In
|
|
|
b136801 |
__kvm_migrate_pit_timer the pit_timer object is accessed without
|
|
|
b136801 |
synchronization. If the race condition occurs at the wrong time this
|
|
|
b136801 |
can crash the host kernel.
|
|
|
b136801 |
|
|
|
b136801 |
This fixes CVE-2014-3611.
|
|
|
b136801 |
|
|
|
b136801 |
Cc: stable@vger.kernel.org
|
|
|
b136801 |
Signed-off-by: Andrew Honig <ahonig@google.com>
|
|
|
b136801 |
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
b136801 |
---
|
|
|
b136801 |
arch/x86/kvm/i8254.c | 2 ++
|
|
|
b136801 |
1 file changed, 2 insertions(+)
|
|
|
b136801 |
|
|
|
b136801 |
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
|
|
|
b136801 |
index 518d86471b76..298781d4cfb4 100644
|
|
|
b136801 |
--- a/arch/x86/kvm/i8254.c
|
|
|
b136801 |
+++ b/arch/x86/kvm/i8254.c
|
|
|
b136801 |
@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
|
|
|
b136801 |
return;
|
|
|
b136801 |
|
|
|
b136801 |
timer = &pit->pit_state.timer;
|
|
|
b136801 |
+ mutex_lock(&pit->pit_state.lock);
|
|
|
b136801 |
if (hrtimer_cancel(timer))
|
|
|
b136801 |
hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
|
|
|
b136801 |
+ mutex_unlock(&pit->pit_state.lock);
|
|
|
b136801 |
}
|
|
|
b136801 |
|
|
|
b136801 |
static void destroy_pit_timer(struct kvm_pit *pit)
|
|
|
b136801 |
--
|
|
|
b136801 |
1.9.3
|
|
|
b136801 |
|