From 272a938bb7057cec76def6e6a551534013ec1536 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sun, 7 Oct 2018 21:29:25 +0100
Subject: [PATCH] xen-netback: fix input validation in xenvif_set_hash_mapping() (CVE-2018-15471)

---
 debian/changelog                              |  2 +
 ...input-validation-in-xenvif_set_hash_.patch | 60 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 63 insertions(+)
 create mode 100644 debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch

diff --git a/debian/changelog b/debian/changelog
index d18d337f4..23b314fda 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ linux (4.18.10-2) UNRELEASED; urgency=medium
 
   [ Ben Hutchings ]
   * [rt][arm64,armhf] Fix build failure after rebasing onto 4.18.10
+  * xen-netback: fix input validation in xenvif_set_hash_mapping()
+    (CVE-2018-15471)
 
   [ Salvatore Bonaccorso ]
   * [arm64] KVM: Tighten guest core register access from userspace
diff --git a/debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch b/debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
new file mode 100644
index 000000000..1f51b3535
--- /dev/null
+++ b/debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
@@ -0,0 +1,60 @@
+From: Jan Beulich
+Date: Tue, 25 Sep 2018 02:12:30 -0600
+Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()
+Origin: https://git.kernel.org/linus/780e83c259fc33e8959fed8dfdad17e378d72b62
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15471
+
+Both len and off are frontend specified values, so we need to make
+sure there's no overflow when adding the two for the bounds check. We
+also want to avoid undefined behavior and hence use off to index into
+->hash.mapping[] only after bounds checking. This at the same time
+allows to take care of not applying off twice for the bounds checking
+against vif->num_queues.
+
+It is also insufficient to bounds check copy_op.len, as this is len
+truncated to 16 bits.
+
+This is XSA-270 / CVE-2018-15471.
+
+Reported-by: Felix Wilhelm
+Signed-off-by: Jan Beulich
+Reviewed-by: Paul Durrant
+Tested-by: Paul Durrant
+Cc: stable@vger.kernel.org [4.7 onwards]
+Signed-off-by: David S. Miller
+---
+ drivers/net/xen-netback/hash.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
+index 3c4c58b9fe76..3b6fb5b3bdb2 100644
+--- a/drivers/net/xen-netback/hash.c
++++ b/drivers/net/xen-netback/hash.c
+@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct xenvif *vif, u32 size)
+ u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
+ 			    u32 off)
+ {
+-	u32 *mapping = &vif->hash.mapping[off];
++	u32 *mapping = vif->hash.mapping;
+ 	struct gnttab_copy copy_op = {
+ 		.source.u.ref = gref,
+ 		.source.domid = vif->domid,
+-		.dest.u.gmfn = virt_to_gfn(mapping),
+ 		.dest.domid = DOMID_SELF,
+-		.dest.offset = xen_offset_in_page(mapping),
+-		.len = len * sizeof(u32),
++		.len = len * sizeof(*mapping),
+ 		.flags = GNTCOPY_source_gref
+ 	};
+ 
+-	if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
++	if ((off + len < off) || (off + len > vif->hash.size) ||
++	    len > 
XEN_PAGE_SIZE / sizeof(*mapping))
+ 		return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
+ 
++	copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
++	copy_op.dest.offset = xen_offset_in_page(mapping + off);
++
+ 	while (len-- != 0)
+ 		if (mapping[off++] >= vif->num_queues)
+ 			return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
diff --git a/debian/patches/series b/debian/patches/series
index 174480bdd..cca6ebc71 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -147,6 +147,7 @@ bugfix/all/scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
 bugfix/all/scsi-target-iscsi-Use-bin2hex-instead-of-a-re-implem.patch
 bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
 bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
+bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
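Review bot: The new `len > XEN_PAGE_SIZE / sizeof(*mapping)` test in the hash.c hunk of the added patch file reads like a page-size check, but its real purpose, stated only in the description, is to bound `len` itself because `copy_op.len` holds `len * sizeof(*mapping)` truncated to 16 bits and a check on the truncated field is too late; nothing in the code says so, and a later cleanup could "simplify" it back to a check on `copy_op.len`. Add a comment above the condition, e.g. `/* Check len, not copy_op.len: the latter is len * sizeof(*mapping) narrowed to 16 bits and can wrap past the check. */`. The check also bounds only the copy length, not `xen_offset_in_page(mapping + off) + copy_op.len`, so a copy starting mid-page can still reach a page boundary; whether that is harmless appears to depend on the grant-copy status being checked by the code after this hunk, which is worth a second comment at the point where `copy_op.dest.offset` is set. The body of xenvif_set_hash_mapping continues past the end of the hunk.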