diff options
| author | Boris Ostrovsky <[email protected]> | 2019-12-05 03:45:32 +0000 |
|---|---|---|
| committer | Paolo Bonzini <[email protected]> | 2020-01-30 18:45:55 +0100 |
| commit | b043138246a41064527cf019a3d51d9f015e9796 (patch) | |
| tree | e702c1dec588a3c872d1c94e8e877176480b5846 /scripts/gcc-plugins/cyc_complexity_plugin.c | |
| parent | 917248144db5d7320655dbb41d3af0b8a0f3d589 (diff) | |
x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed
There is a potential race in record_steal_time() between setting
host-local vcpu->arch.st.steal.preempted to zero (i.e. clearing
KVM_VCPU_PREEMPTED) and propagating this value to the guest with
kvm_write_guest_cached(). Between those two events the guest may
still see KVM_VCPU_PREEMPTED in its copy of kvm_steal_time, set
KVM_VCPU_FLUSH_TLB and assume that hypervisor will do the right
thing. Which it won't.
Instad of copying, we should map kvm_steal_time and that will
guarantee atomicity of accesses to @preempted.
This is part of CVE-2019-3016.
Signed-off-by: Boris Ostrovsky <[email protected]>
Reviewed-by: Joao Martins <[email protected]>
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
Diffstat (limited to 'scripts/gcc-plugins/cyc_complexity_plugin.c')
0 files changed, 0 insertions, 0 deletions