authorBen Hutchings <benh@debian.org>2012-01-08 23:57:50 +0000
committerBen Hutchings <benh@debian.org>2012-01-08 23:57:50 +0000
commita4a17af2cc807f3fb24ca4477cf509f37e3f5148 (patch)
tree88d6c3a172fdb3d0fbc8c33bbfb2b899f8a9ed1c
parentd522842c22f2e0cd60e3b5627abcc46f3a5353bd (diff)
downloadkernel_replicant_linux-a4a17af2cc807f3fb24ca4477cf509f37e3f5148.tar.gz
kernel_replicant_linux-a4a17af2cc807f3fb24ca4477cf509f37e3f5148.tar.bz2
kernel_replicant_linux-a4a17af2cc807f3fb24ca4477cf509f37e3f5148.zip
[x86] KVM: Prevent starting PIT timers in the absence of irqchip support (CVE-2011-4622)
svn path=/dists/sid/linux-2.6/; revision=18481
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch70
-rw-r--r--debian/patches/series/base1
3 files changed, 73 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 47b1aac50756..90bf3b193cd0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,8 @@ linux-2.6 (3.1.8-1) UNRELEASED; urgency=low
(Closes: #653716)
* v4l2-ioctl: integer overflow in video_usercopy()
* Restrict ioctl forwarding on partitions and logical volumes (CVE-2011-4127)
+ * [x86] KVM: Prevent starting PIT timers in the absence of irqchip support
+ (CVE-2011-4622)
[ Jonathan Nieder ]
* prerm: Print an error message when aborting removal of the running
diff --git a/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch b/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
new file mode 100644
index 000000000000..ae2315864757
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
@@ -0,0 +1,70 @@
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Wed, 14 Dec 2011 19:25:13 +0100
+Subject: [PATCH] KVM: x86: Prevent starting PIT timers in the absence of
+ irqchip support
+
+commit 0924ab2cfa98b1ece26c033d696651fd62896c69 upstream.
+
+User space may create the PIT and forgets about setting up the irqchips.
+In that case, firing PIT IRQs will crash the host:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000128
+IP: [<ffffffffa10f6280>] kvm_set_irq+0x30/0x170 [kvm]
+...
+Call Trace:
+ [<ffffffffa11228c1>] pit_do_work+0x51/0xd0 [kvm]
+ [<ffffffff81071431>] process_one_work+0x111/0x4d0
+ [<ffffffff81071bb2>] worker_thread+0x152/0x340
+ [<ffffffff81075c8e>] kthread+0x7e/0x90
+ [<ffffffff815a4474>] kernel_thread_helper+0x4/0x10
+
+Prevent this by checking the irqchip mode before starting a timer. We
+can't deny creating the PIT if the irqchips aren't set up yet as
+current user land expects this order to work.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+---
+ arch/x86/kvm/i8254.c | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index 76e3f1c..405f262 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -338,11 +338,15 @@ static enum hrtimer_restart pit_timer_fn(struct hrtimer *data)
+ return HRTIMER_NORESTART;
+ }
+
+-static void create_pit_timer(struct kvm_kpit_state *ps, u32 val, int is_period)
++static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
+ {
++ struct kvm_kpit_state *ps = &kvm->arch.vpit->pit_state;
+ struct kvm_timer *pt = &ps->pit_timer;
+ s64 interval;
+
++ if (!irqchip_in_kernel(kvm))
++ return;
++
+ interval = muldiv64(val, NSEC_PER_SEC, KVM_PIT_FREQ);
+
+ pr_debug("create pit timer, interval is %llu nsec\n", interval);
+@@ -394,13 +398,13 @@ static void pit_load_count(struct kvm *kvm, int channel, u32 val)
+ /* FIXME: enhance mode 4 precision */
+ case 4:
+ if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)) {
+- create_pit_timer(ps, val, 0);
++ create_pit_timer(kvm, val, 0);
+ }
+ break;
+ case 2:
+ case 3:
+ if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)){
+- create_pit_timer(ps, val, 1);
++ create_pit_timer(kvm, val, 1);
+ }
+ break;
+ default:
+--
+1.7.8.2
+
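Review bot: The new `if (!irqchip_in_kernel(kvm)) return;` at the top of create_pit_timer silently leaves the channel without a timer and carries no comment explaining why, so a later reader may take it for dead code and drop it, reintroducing the host crash. I would put above it: `/* No in-kernel irqchip: pit_do_work() -> kvm_set_irq() would dereference NULL (CVE-2011-4622), so never arm the timer. */`. Note that the guard is evaluated only at the moment a count is loaded: if user space creates the irqchip after the PIT has already been programmed, the timer stays unarmed until the guest rewrites the counter — presumably acceptable given the commit message's statement that this creation order must keep working, but worth recording in the same comment. The early return also precedes whatever period/hrtimer updates follow in the function body, which runs past the hunk, and pit_load_count's callers and locking are outside this view, so whether the check can race with irqchip creation cannot be confirmed here.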
diff --git a/debian/patches/series/base b/debian/patches/series/base
index d5e827db376f..f938682b0d25 100644
--- a/debian/patches/series/base
+++ b/debian/patches/series/base
@@ -95,3 +95,4 @@
+ bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch
+ bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch
+ bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch
++ bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch