authorAndy Honig <ahonig@google.com>2014-08-27 14:42:54 -0700
committerBen Hutchings <ben@decadent.org.uk>2014-11-05 20:27:47 +0000
commit30a340f59414f02434e8b7a880241b2bd657cb7b (patch)
tree27be63c790716b35c6af1337c97e4f41fe9e7364
parent76715b56c6fcdafae8d47d4fcfe8c940e76f0553 (diff)
KVM: x86: Improve thread safety in pit
commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream. There's a race condition in the PIT emulation code in KVM. In __kvm_migrate_pit_timer the pit_timer object is accessed without synchronization. If the race condition occurs at the wrong time this can crash the host kernel. This fixes CVE-2014-3611. Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r--arch/x86/kvm/i8254.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 139415e2c5bf..cced57f8b23b 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -264,8 +264,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
return;
timer = &pit->pit_state.pit_timer.timer;
+ mutex_lock(&pit->pit_state.lock);
if (hrtimer_cancel(timer))
hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
+ mutex_unlock(&pit->pit_state.lock);
}
static void destroy_pit_timer(struct kvm_pit *pit)