From: Greg Kroah-Hartman Date: Tue, 4 Feb 2014 17:51:39 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.79~1^2~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5192f2c713cf04c0f343c42a7980f57a8958b34b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch --- diff --git a/queue-3.4/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch b/queue-3.4/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch new file mode 100644 index 00000000000..001c7a9db65 --- /dev/null +++ b/queue-3.4/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch 
@@ -0,0 +1,47 @@ +From 245d4b4480c20ffb50f0eddadcc6516b9017d863 Mon Sep 17 00:00:00 2001 +From: Andy Honig +Date: Tue, 19 Nov 2013 14:12:18 -0800 +Subject: KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) + +From: Andy Honig + +commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream. + +Under guest controllable circumstances apic_get_tmcct will execute a +divide by zero and cause a crash. If the guest cpuid support +tsc deadline timers and performs the following sequence of requests +the host will crash. +- Set the mode to periodic +- Set the TMICT to 0 +- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) +- Set the TMICT to non-zero. +Then the lapic_timer.period will be 0, but the TMICT will not be. If the +guest then reads from the TMCCT then the host will perform a divide by 0. + +This patch ensures that if the lapic_timer.period is 0, then the division +does not occur. + +Reported-by: Andrew Honig +Signed-off-by: Andrew Honig +Signed-off-by: Paolo Bonzini +[bwh: Backported to 3.2: s/kvm_apic_get_reg/apic_get_reg/] +Signed-off-by: Ben Hutchings +Cc: Vinson Lee +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -538,7 +538,8 @@ static u32 apic_get_tmcct(struct kvm_lap + ASSERT(apic != NULL); + + /* if initial count is 0, current count should also be 0 */ +- if (apic_get_reg(apic, APIC_TMICT) == 0) ++ if (apic_get_reg(apic, APIC_TMICT) == 0 || ++ apic->lapic_timer.period == 0) + return 0; + + remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); diff --git a/queue-3.4/series b/queue-3.4/series index f4dc6cde491..d05a47cc8b7 100644 --- a/queue-3.4/series +++ b/queue-3.4/series 
@@ -30,3 +30,4 @@ bnx2x-fix-dma-unmapping-of-tso-split-bds.patch inet_diag-fix-inet_diag_dump_icsk-timewait-socket-state-logic.patch net-avoid-reference-counter-overflows-on-fib_rules-in-multicast-forwarding.patch net-via-rhine-fix-tx_timeout-handling.patch +kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch
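Review bot: In the arch/x86/kvm/lapic.c hunk the comment "/* if initial count is 0, current count should also be 0 */" no longer describes the whole condition, since the added `apic->lapic_timer.period == 0` branch also returns 0 when TMICT is non-zero (the guest-reachable state the commit message walks through: periodic mode, TMICT 0, mode bits 11, TMICT non-zero); update the comment to something like "/* initial count 0, or no timer period programmed: current count is 0 */" so the divide-by-zero guard is documented where it lives. The backport annotation "[bwh: Backported to 3.2: s/kvm_apic_get_reg/apic_get_reg/]" is carried over unchanged although this file is added to queue-3.4; the hunk context does use apic_get_reg(), so the rename applies to 3.4 as well, but the annotation should state that the 3.2 backport was taken as-is for 3.4 rather than leaving the version mismatch implicit. The queue-3.4/series hunk appends the matching filename at the end, consistent with the file added above.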