CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map · torvalds/linux@81cdb25

KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.

KVM: x86: fix out-of-bounds accesses of rtc_eoi map

KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be bigger than the maximal number of VCPUs, resulting in out-of-bounds access.

Found by syzkaller:

BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr […]
Write of size 1 by task a.out/27101
CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[…]
Call Trace:
[…] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
[…] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
[…] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
[…] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
[…] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
[…] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
[…] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
[…] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
[…] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
[…] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/…/…/…/virt/kvm/kvm_main.c:3099

Reported-by: Dmitry Vyukov [email protected]
Cc: [email protected]
Fixes: af1bae5 (“KVM: x86: bump KVM_MAX_VCPU_ID to 1023”)
Reviewed-by: Paolo Bonzini [email protected]
Reviewed-by: David Hildenbrand [email protected]
Signed-off-by: Radim Krčmář [email protected]
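As an added illustration (not the kernel's code), a C model of the bug class the commit message describes: an EOI bitmap and vector table indexed by vcpu_id but sized by the VCPU count. The constants, struct and helper names are constructed; the checked accessor refuses ids beyond the map's capacity instead of writing past it, and the second map shows storage sized by the id range rather than the count, which is the direction the commit message points at.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed stand-ins for the two kernel limits the commit contrasts. The values
 * are constructed; only the relationship (id limit > VCPU count) matters. */
#define MAX_VCPUS     288    /* assumed KVM_MAX_VCPUS: how many VCPUs a VM may have   */
#define MAX_VCPU_ID   1023   /* assumed KVM_MAX_VCPU_ID: largest id a VCPU may carry */

#define BITS_PER_LONG       (sizeof(unsigned long) * CHAR_BIT)
#define BITMAP_LONGS(nbits) (((nbits) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Model of the RTC EOI bookkeeping: a bitmap of VCPUs that still owe an EOI
 * plus the vector each was given. 'nbits' records the real capacity so that
 * every access can be checked against it. */
struct eoi_map {
    unsigned long *map;
    uint8_t       *vectors;
    size_t         nbits;
};

/* Mark vcpu_id as owing an EOI for 'vector'. Returns false instead of writing
 * past the end when the id does not fit: the pattern KASAN flagged above was
 * a VCPU id used to index a count-sized array with no such check. */
bool eoi_map_set(struct eoi_map *m, unsigned int vcpu_id, uint8_t vector)
{
    if (vcpu_id >= m->nbits)
        return false;                      /* id out of range: refuse, don't corrupt */
    m->map[vcpu_id / BITS_PER_LONG] |= 1UL << (vcpu_id % BITS_PER_LONG);
    m->vectors[vcpu_id] = vector;
    return true;
}

bool eoi_map_test(const struct eoi_map *m, unsigned int vcpu_id)
{
    if (vcpu_id >= m->nbits)
        return false;
    return (m->map[vcpu_id / BITS_PER_LONG] >> (vcpu_id % BITS_PER_LONG)) & 1UL;
}

/* Storage sized the two ways: by VCPU count (the buggy sizing) and by the
 * maximum VCPU id (large enough for every id a guest can present). */
static unsigned long small_bits[BITMAP_LONGS(MAX_VCPUS)];
static uint8_t       small_vec[MAX_VCPUS];
static unsigned long big_bits[BITMAP_LONGS(MAX_VCPU_ID + 1)];
static uint8_t       big_vec[MAX_VCPU_ID + 1];
struct eoi_map count_sized = { small_bits, small_vec, MAX_VCPUS };
struct eoi_map id_sized    = { big_bits,   big_vec,   MAX_VCPU_ID + 1 };
```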
