{
  "commit": "17d68b763f09a9ce824ae23eb62c9efc57b69271",
  "tree": "2be4f93e491c3094d7ae1994191941ba4c1dcc4f",
  "parents": [
    "fda4e2e85589191b123d31cdc21fd33ee70f50fd"
  ],
  "author": {
    "name": "Gleb Natapov",
    "email": "gleb@redhat.com",
    "time": "Thu Dec 12 21:20:08 2013 +0100"
  },
  "committer": {
    "name": "Paolo Bonzini",
    "email": "pbonzini@redhat.com",
    "time": "Thu Dec 12 22:46:18 2013 +0100"
  },
  "message": "KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)\n\nA guest can cause a BUG_ON() leading to a host kernel crash.\nWhen the guest writes to the ICR to request an IPI while in x2apic\nmode, the following things happen: the destination is read from\nICR2, which is a register that the guest can control.\n\nkvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the\ncluster id.  A BUG_ON is triggered, which is a protection against\naccessing map->logical_map with an out-of-bounds access and manages\nto avoid that anything really unsafe occurs.\n\nThe logic in the code is correct from a real HW point of view. The problem\nis that KVM supports only one cluster with ID 0 in clustered mode, but\nthe code that has the bug does not take this into account.\n\nReported-by: Lars Bull <larsbull@google.com>\nCc: stable@vger.kernel.org\nSigned-off-by: Gleb Natapov <gleb@redhat.com>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "b8bec45c1610dd5bef338a84d19a15cdc6172aa3",
      "old_mode": 33188,
      "old_path": "arch/x86/kvm/lapic.c",
      "new_id": "dec48bfaddb8ff79ee7f7734cebfca7f36844461",
      "new_mode": 33188,
      "new_path": "arch/x86/kvm/lapic.c"
    }
  ]
}
