diff options
| author | Andy Honig <ahonig@google.com> | 2013-11-18 16:09:22 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-12-20 07:34:19 -0800 |
| commit | f843edd53fec967be6d41c81b1426ec82728934b (patch) | |
| tree | f7a04b87ade92a43ecc4261afe75d2f18a66c071 /lib/mpi/mpi-inline.c | |
| parent | 47131c7c78b82c3b67020ee99834841ec6f096b5 (diff) | |
KVM: Improve create VCPU parameter (CVE-2013-4587)
commit 338c7dbadd2671189cec7faf64c84d01071b3f96 upstream.
In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
malicious user could specify a vcpu_id greater than 255 in order to set or
clear bits in kernel memory. This could be used to elevate priveges in the
kernel. This patch verifies that the vcpu_id provided is less than 255.
The api documentation already specifies that the vcpu_id must be less than
max_vcpus, but this is currently not checked.
Reported-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib/mpi/mpi-inline.c')
0 files changed, 0 insertions, 0 deletions