xen-netback: fix input validation in xenvif_set_hash_mapping() (CVE-2018-15471)

2018-10-07 21:29:25 +01:00 · 2018-10-07 21:29:25 +01:00 · 272a938bb7
parent 2db297e8f5
commit 272a938bb7
3 changed files with 63 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -2,6 +2,8 @@ linux (4.18.10-2) UNRELEASED; urgency=medium

  [ Ben Hutchings ]
  * [rt][arm64,armhf] Fix build failure after rebasing onto 4.18.10
+  * xen-netback: fix input validation in xenvif_set_hash_mapping()
+    (CVE-2018-15471)

  [ Salvatore Bonaccorso ]
  * [arm64] KVM: Tighten guest core register access from userspace
--- a/debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
+++ b/debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
@ -0,0 +1,60 @@
+From: Jan Beulich <JBeulich@suse.com>
+Date: Tue, 25 Sep 2018 02:12:30 -0600
+Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()
+Origin: https://git.kernel.org/linus/780e83c259fc33e8959fed8dfdad17e378d72b62
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15471
+
+Both len and off are frontend specified values, so we need to make
+sure there's no overflow when adding the two for the bounds check. We
+also want to avoid undefined behavior and hence use off to index into
+->hash.mapping[] only after bounds checking. This at the same time
+allows to take care of not applying off twice for the bounds checking
+against vif->num_queues.
+
+It is also insufficient to bounds check copy_op.len, as this is len
+truncated to 16 bits.
+
+This is XSA-270 / CVE-2018-15471.
+
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
+Tested-by: Paul Durrant <paul.durrant@citrix.com>
+Cc: stable@vger.kernel.org [4.7 onwards]
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/xen-netback/hash.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
+index 3c4c58b9fe76..3b6fb5b3bdb2 100644
+--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
+@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct xenvif *vif, u32 size)
+ u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
+ 			    u32 off)
+ {
+-	u32 *mapping = &vif->hash.mapping[off];
+	u32 *mapping = vif->hash.mapping;
+ 	struct gnttab_copy copy_op = {
+ 		.source.u.ref = gref,
+ 		.source.domid = vif->domid,
+-		.dest.u.gmfn = virt_to_gfn(mapping),
+ 		.dest.domid = DOMID_SELF,
+-		.dest.offset = xen_offset_in_page(mapping),
+-		.len = len * sizeof(u32),
+		.len = len * sizeof(*mapping),
+ 		.flags = GNTCOPY_source_gref
+ 	};
+ 
+-	if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
+	if ((off + len < off) || (off + len > vif->hash.size) ||
+	    len > XEN_PAGE_SIZE / sizeof(*mapping))
+ 		return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
+ 
+	copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
+	copy_op.dest.offset = xen_offset_in_page(mapping + off);
+
+ 	while (len-- != 0)
+ 		if (mapping[off++] >= vif->num_queues)
+ 			return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
--- a/debian/patches/series
+++ b/debian/patches/series
@ -147,6 +147,7 @@ bugfix/all/scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
 bugfix/all/scsi-target-iscsi-Use-bin2hex-instead-of-a-re-implem.patch
 bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
 bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
+bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch