From aa8fb19232c123a6a30b6db76840c548cebdaa1d Mon Sep 17 00:00:00 2001
From: Romain Perier
Date: Wed, 28 Aug 2019 13:29:10 +0200
Subject: [PATCH 1/6] ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
[carnil: Use 4.19.67-2+deb10u1 version for buster-security branch]
---
 debian/changelog | 7 +++
 ...an-OOB-bug-in-parse_audio_mixer_unit.patch | 56 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 64 insertions(+)
 create mode 100644 debian/patches/bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
diff --git a/debian/changelog b/debian/changelog
index af78ce0a6..23c14ed63 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
+
+ [ Romain Perier ]
+ * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
+
+ -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200
+
 linux (4.19.67-2) buster; urgency=medium
 
 [ Salvatore Bonaccorso ]
diff --git a/debian/patches/bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch b/debian/patches/bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
new file mode 100644
index 000000000..362b284d4
--- /dev/null
+++ b/debian/patches/bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
@@ -0,0 +1,56 @@
+From: Hui Peng
+Date: Tue, 13 Aug 2019 22:34:04 -0400
+Subject: ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15117
+Origin: https://git.kernel.org/linus/daac07156b330b18eb5071aec4b3ddca1c377f2c
+
+commit daac07156b330b18eb5071aec4b3ddca1c377f2c upstream.
+
+The `uac_mixer_unit_descriptor` shown as below is read from the
+device side. In `parse_audio_mixer_unit`, `baSourceID` field is
+accessed from index 0 to `bNrInPins` - 1, the current implementation
+assumes that descriptor is always valid (the length of descriptor
+is no shorter than 5 + `bNrInPins`). If a descriptor read from
+the device side is invalid, it may trigger out-of-bound memory
+access.
+
+```
+struct uac_mixer_unit_descriptor {
+ __u8 bLength;
+ __u8 bDescriptorType;
+ __u8 bDescriptorSubtype;
+ __u8 bUnitID;
+ __u8 bNrInPins;
+ __u8 baSourceID[];
+}
+```
+
+This patch fixes the bug by add a sanity check on the length of
+the descriptor.
+
+Reported-by: Hui Peng
+Reported-by: Mathias Payer
+Cc:
+Signed-off-by: Hui Peng
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/mixer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index 996126a28072..4b3e1c48ca2f 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -760,6 +760,8 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state,
+ return -EINVAL;
+ if (!desc->bNrInPins)
+ return -EINVAL;
++ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
++ return -EINVAL;
+
+ switch (state->mixer->protocol) {
+ case UAC_VERSION_1:
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/debian/patches/series b/debian/patches/series
index 04db48f77..65e6a8fc2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
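Review bot: The added `bLength` check in uac_mixer_unit_get_channels bounds only the `baSourceID[]` array (`sizeof(*desc) + bNrInPins` bytes); the per-protocol fields read in the `switch (state->mixer->protocol)` that follows are not covered by it, so unless those branches do their own length checks a descriptor can still be shorter than what they dereference. The check also takes `bLength` on trust; whether the caller has already verified that `bLength` bytes of this descriptor lie inside the `buffer`/`buflen` pair of `struct mixer_build` is not visible here and is worth confirming for the backport. A comment would record the intent for the next backporter: `/* bNrInPins and bLength both come from the device: make sure the source-ID array really fits inside the descriptor */`. uac_mixer_unit_get_channels starts and ends outside the hunk.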
@@ -162,6 +162,7 @@ features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
 bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
+bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
From 782d6ea88046fde4101416e2840d593f121f90ab Mon Sep 17 00:00:00 2001
From: Romain Perier
Date: Wed, 28 Aug 2019 13:37:05 +0200
Subject: [PATCH 2/6] ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term (CVE-2019-15118)
---
 debian/changelog | 2 +
 ...fer-overflow-bug-in-check_input_term.patch | 134 ++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 137 insertions(+)
 create mode 100644 debian/patches/bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
diff --git a/debian/changelog b/debian/changelog
index 23c14ed63..a4377e674 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
 
 [ Romain Perier ]
 * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
+ * ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
+ (CVE-2019-15118)
 
 -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200
 
diff --git a/debian/patches/bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch b/debian/patches/bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
new file mode 100644
index 000000000..4f7a8deb9
--- /dev/null
+++ b/debian/patches/bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
@@ -0,0 +1,134 @@
+From: Hui Peng
+Date: Thu, 15 Aug 2019 00:31:34 -0400
+Subject: ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15118
+Origin: https://git.kernel.org/linus/19bce474c45be69a284ecee660aa12d8f1e88f18
+
+commit 19bce474c45be69a284ecee660aa12d8f1e88f18 upstream.
+
+`check_input_term` recursively calls itself with input from
+device side (e.g., uac_input_terminal_descriptor.bCSourceID)
+as argument (id). In `check_input_term`, if `check_input_term`
+is called with the same `id` argument as the caller, it triggers
+endless recursive call, resulting kernel space stack overflow.
+
+This patch fixes the bug by adding a bitmap to `struct mixer_build`
+to keep track of the checked ids and stop the execution if some id
+has been checked (similar to how parse_audio_unit handles unitid
+argument).
+
+Reported-by: Hui Peng
+Reported-by: Mathias Payer
+Signed-off-by: Hui Peng
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/mixer.c | 35 +++++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index 7e1c6c2dc99e..996126a28072 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -83,6 +83,7 @@ struct mixer_build {
+ unsigned char *buffer;
+ unsigned int buflen;
+ DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
++ DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
+ struct usb_audio_term oterm;
+ const struct usbmix_name_map *map;
+ const struct usbmix_selector_map *selector_map;
+@@ -788,16 +789,25 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state,
+ * parse the source unit recursively until it reaches to a terminal
+ * or a branched unit.
+ */
+-static int check_input_term(struct mixer_build *state, int id,
++static int __check_input_term(struct mixer_build *state, int id,
+ struct usb_audio_term *term)
+ {
+ int protocol = state->mixer->protocol;
+ int err;
+ void *p1;
++ unsigned char *hdr;
+
+ memset(term, 0, sizeof(*term));
+- while ((p1 = find_audio_control_unit(state, id)) != NULL) {
+- unsigned char *hdr = p1;
++ for (;;) {
++ /* a loop in the terminal chain? */
++ if (test_and_set_bit(id, state->termbitmap))
++ return -EINVAL;
++
++ p1 = find_audio_control_unit(state, id);
++ if (!p1)
++ break;
++
++ hdr = p1;
+ term->id = id;
+
+ if (protocol == UAC_VERSION_1 || protocol == UAC_VERSION_2) {
+@@ -815,7 +825,7 @@ static int check_input_term(struct mixer_build *state, int id,
+
+ /* call recursively to verify that the
+ * referenced clock entity is valid */
+- err = check_input_term(state, d->bCSourceID, term);
++ err = __check_input_term(state, d->bCSourceID, term);
+ if (err < 0)
+ return err;
+
+@@ -849,7 +859,7 @@ static int check_input_term(struct mixer_build *state, int id,
+ case UAC2_CLOCK_SELECTOR: {
+ struct uac_selector_unit_descriptor *d = p1;
+ /* call recursively to retrieve the channel info */
+- err = check_input_term(state, d->baSourceID[0], term);
++ err = __check_input_term(state, d->baSourceID[0], term);
+ if (err < 0)
+ return err;
+ term->type = UAC3_SELECTOR_UNIT << 16; /* virtual type */
+@@ -912,7 +922,7 @@ static int check_input_term(struct mixer_build *state, int id,
+
+ /* call recursively to verify that the
+ * referenced clock entity is valid */
+- err = check_input_term(state, d->bCSourceID, term);
++ err = __check_input_term(state, d->bCSourceID, term);
+ if (err < 0)
+ return err;
+
+@@ -963,7 +973,7 @@ static int check_input_term(struct mixer_build *state, int id,
+ case UAC3_CLOCK_SELECTOR: {
+ struct uac_selector_unit_descriptor *d = p1;
+ /* call recursively to retrieve the channel info */
+- err = check_input_term(state, d->baSourceID[0], term);
++ err = __check_input_term(state, d->baSourceID[0], term);
+ if (err < 0)
+ return err;
+ term->type = UAC3_SELECTOR_UNIT << 16; /* virtual type */
+@@ -979,7 +989,7 @@ static int check_input_term(struct mixer_build *state, int id,
+ return -EINVAL;
+
+ /* call recursively to retrieve the channel info */
+- err = check_input_term(state, d->baSourceID[0], term);
++ err = __check_input_term(state, d->baSourceID[0], term);
+ if (err < 0)
+ return err;
+
+@@ -997,6 +1007,15 @@ static int check_input_term(struct mixer_build *state, int id,
+ return -ENODEV;
+ }
+
++
++static int check_input_term(struct mixer_build *state, int id,
++ struct usb_audio_term *term)
++{
++ memset(term, 0, sizeof(*term));
++ memset(state->termbitmap, 0, sizeof(state->termbitmap));
++ return __check_input_term(state, id, term);
++}
++
+ /*
+ * Feature Unit
+ */
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/debian/patches/series b/debian/patches/series
index 65e6a8fc2..5c987a19b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -163,6 +163,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
 bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
 bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
+bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
From 78f0b2574a32e4ce982e0aede89358d10695c281 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Fri, 13 Sep 2019 06:11:19 +0200
Subject: [PATCH 3/6] vhost: make sure log_num < in_num (CVE-2019-14835)
---
 debian/changelog | 3 ++
 .../all/vhost-make-sure-log_num-in_num.patch | 54 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 58 insertions(+)
 create mode 100644 debian/patches/bugfix/all/vhost-make-sure-log_num-in_num.patch
diff --git a/debian/changelog b/debian/changelog
index a4377e674..f76431682 100644
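Review bot: `test_and_set_bit(id, state->termbitmap)` in `__check_input_term` indexes a `MAX_ID_ELEMS`-bit bitmap with a device-supplied id (`bCSourceID`, `baSourceID[0]`), which is safe only if `MAX_ID_ELEMS` covers the whole 8-bit id range; the hunk does not show its value, and although `unitbitmap` is used the same way it is worth confirming in the backport. The bitmap stops cycles but not depth: a chain of distinct ids can still nest `__check_input_term` up to `MAX_ID_ELEMS` frames deep, which is a stack budget to keep in mind rather than a defect. The `memset(term, 0, sizeof(*term))` in the new `check_input_term` wrapper duplicates the one still at the top of `__check_input_term` and could be dropped. A comment on the wrapper would help future callers: `/* Public entry point: clears the loop-detection bitmap before the walk; recursive calls must use __check_input_term so the bitmap persists across the chain. */`. The parts of `__check_input_term` between the hunks are outside this view.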
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,9 @@ linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
 * ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
 (CVE-2019-15118)
 
+ [ Salvatore Bonaccorso ]
+ * vhost: make sure log_num < in_num (CVE-2019-14835)
+
 -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200
 
 linux (4.19.67-2) buster; urgency=medium
diff --git a/debian/patches/bugfix/all/vhost-make-sure-log_num-in_num.patch b/debian/patches/bugfix/all/vhost-make-sure-log_num-in_num.patch
new file mode 100644
index 000000000..5681e359a
--- /dev/null
+++ b/debian/patches/bugfix/all/vhost-make-sure-log_num-in_num.patch
@@ -0,0 +1,54 @@
+From: yongduan
+Date: Wed, 11 Sep 2019 17:44:24 +0800
+Subject: vhost: make sure log_num < in_num
+Origin: https://git.kernel.org/linus/060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14835
+
+The code assumes log_num < in_num everywhere, and that is true as long as
+in_num is incremented by descriptor iov count, and log_num by 1. However
+this breaks if there's a zero sized descriptor.
+
+As a result, if a malicious guest creates a vring desc with desc.len = 0,
+it may cause the host kernel to crash by overflowing the log array. This
+bug can be triggered during the VM migration.
+
+There's no need to log when desc.len = 0, so just don't increment log_num
+in this case.
+
+Fixes: 3a4d5c94e959 ("vhost_net: a kernel-level virtio server")
+Cc: stable@vger.kernel.org
+Reviewed-by: Lidong Chen
+Signed-off-by: ruippan
+Signed-off-by: yongduan
+Acked-by: Michael S. Tsirkin
+Reviewed-by: Tyler Hicks
+Signed-off-by: Michael S. Tsirkin
+---
+ drivers/vhost/vhost.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 34ea219936e3..acabf20b069e 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2180,7 +2180,7 @@ static int get_indirect(struct vhost_virtqueue *vq,
+ /* If this is an input descriptor, increment that count. */
+ if (access == VHOST_ACCESS_WO) {
+ *in_num += ret;
+- if (unlikely(log)) {
++ if (unlikely(log && ret)) {
+ log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
+ log[*log_num].len = vhost32_to_cpu(vq, desc.len);
+ ++*log_num;
+@@ -2321,7 +2321,7 @@ int vhost_get_vq_desc(struct vhost_virtqueue *vq,
+ /* If this is an input descriptor,
+ * increment that count. */
+ *in_num += ret;
+- if (unlikely(log)) {
++ if (unlikely(log && ret)) {
+ log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
+ log[*log_num].len = vhost32_to_cpu(vq, desc.len);
+ ++*log_num;
+--
+2.23.0
+
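Review bot: The new `log && ret` condition in get_indirect, and the identical one in vhost_get_vq_desc, keeps `log_num` coupled to `in_num` only implicitly: `*in_num += ret` on the line above adds nothing for a zero-length descriptor, so skipping the log slot preserves `log_num < in_num`, but nothing in either hunk bounds `*log_num` against the log array itself. A comment at both sites would record why `ret` is part of the condition: `/* A zero-length descriptor adds nothing to in_num, so it must not take a log slot either; the log array relies on log_num staying below in_num. */`. If the log array length is known where these paths are reached, an explicit bound on `*log_num` would be more robust than the coupling alone; that code is outside the hunks. Both enclosing functions start and end outside the hunks.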
diff --git a/debian/patches/series b/debian/patches/series
index 5c987a19b..7137208d9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -164,6 +164,7 @@ debian/ntfs-mark-it-as-broken.patch
 bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
 bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
 bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
+bugfix/all/vhost-make-sure-log_num-in_num.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
From c0096a08f97d9a51a9527f51c74d54df76c4ca4d Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Wed, 18 Sep 2019 21:33:40 +0200
Subject: [PATCH 4/6] [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
---
 debian/changelog | 1 +
 ...ix-up-botched-merge-of-spectrev1-fix.patch | 44 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 46 insertions(+)
 create mode 100644 debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
diff --git a/debian/changelog b/debian/changelog
index f76431682..5dde8228e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
 
 [ Salvatore Bonaccorso ]
 * vhost: make sure log_num < in_num (CVE-2019-14835)
+ * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
 
 -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200
 
diff --git a/debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch b/debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
new file mode 100644
index 000000000..b9daadb14
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
@@ -0,0 +1,44 @@
+From: Greg Kroah-Hartman
+Date: Wed, 4 Sep 2019 12:27:18 +0200
+Subject: x86/ptrace: fix up botched merge of spectrev1 fix
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=69f692bb7e684592aaba779299bc576626d414b4
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15902
+
+I incorrectly merged commit 31a2fbb390fe ("x86/ptrace: Fix possible
+spectre-v1 in ptrace_get_debugreg()") when backporting it, as was
+graciously pointed out at
+https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
+
+Resolve the upstream difference with the stable kernel merge to properly
+protect things.
+
+Reported-by: Brad Spengler
+Cc: Dianzhang Chen
+Cc: Thomas Gleixner
+Cc:
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/ptrace.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
+index 8d20fb09722c..7f377f8792aa 100644
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -651,11 +651,10 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
+ {
+ struct thread_struct *thread = &tsk->thread;
+ unsigned long val = 0;
+- int index = n;
+
+ if (n < HBP_NUM) {
++ int index = array_index_nospec(n, HBP_NUM);
+ struct perf_event *bp = thread->ptrace_bps[index];
+- index = array_index_nospec(index, HBP_NUM);
+
+ if (bp)
+ val = bp->hw.info.address;
+--
+2.23.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 7137208d9..2108173e4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
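Review bot: The new line is correct — `array_index_nospec(n, HBP_NUM)` now runs before `thread->ptrace_bps[index]` is read — but it carries no comment, and the original backport went wrong precisely because the clamp's placement looked arbitrary. A why-comment on the new declaration would guard against a repeat: `/* n arrives from ptrace(2): clamp it before the array read so a mispredicted branch cannot load past ptrace_bps[] */`. The remainder of ptrace_get_debugreg is outside the hunk.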
@@ -165,6 +165,7 @@ bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
 bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
 bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
 bugfix/all/vhost-make-sure-log_num-in_num.patch
+bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
From 942d6ddd3f4bb401b0cf183fec476055c813400b Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Thu, 19 Sep 2019 17:10:20 +0200
Subject: [PATCH 5/6] KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
---
 debian/changelog | 1 +
 ...M-coalesced_mmio-add-bounds-checking.patch | 79 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 81 insertions(+)
 create mode 100644 debian/patches/bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
diff --git a/debian/changelog b/debian/changelog
index 5dde8228e..850a409cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
 [ Salvatore Bonaccorso ]
 * vhost: make sure log_num < in_num (CVE-2019-14835)
 * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
+ * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
 
 -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200
 
diff --git a/debian/patches/bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch b/debian/patches/bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
new file mode 100644
index 000000000..d8fc61ebb
--- /dev/null
+++ b/debian/patches/bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
@@ -0,0 +1,79 @@
+From: Matt Delco
+Date: Mon, 16 Sep 2019 14:16:54 -0700
+Subject: KVM: coalesced_mmio: add bounds checking
+Origin: https://git.kernel.org/linus/b60fe990c6b07ef6d4df67bc0530c7c90a62623a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14821
+
+The first/last indexes are typically shared with a user app.
+The app can change the 'last' index that the kernel uses
+to store the next result. This change sanity checks the index
+before using it for writing to a potentially arbitrary address.
+
+This fixes CVE-2019-14821.
+
+Cc: stable@vger.kernel.org
+Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
+Signed-off-by: Matt Delco
+Signed-off-by: Jim Mattson
+Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
+[Use READ_ONCE. - Paolo]
+Signed-off-by: Paolo Bonzini
+[Salvatore Bonaccorso: backport to 4.19: Adjust for context changes, cherry-pick
+ commit from stable-queue for 4.19.75]
+---
+ virt/kvm/coalesced_mmio.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/virt/kvm/coalesced_mmio.c
++++ b/virt/kvm/coalesced_mmio.c
+@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struc
+ return 1;
+ }
+
+-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
++static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
+ {
+ struct kvm_coalesced_mmio_ring *ring;
+ unsigned avail;
+@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struc
+ * there is always one unused entry in the buffer
+ */
+ ring = dev->kvm->coalesced_mmio_ring;
+- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
++ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
+ if (avail == 0) {
+ /* full */
+ return 0;
+@@ -67,24 +67,27 @@ static int coalesced_mmio_write(struct k
+ {
+ struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
+ struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
++ __u32 insert;
+
+ if (!coalesced_mmio_in_range(dev, addr, len))
+ return -EOPNOTSUPP;
+
+ spin_lock(&dev->kvm->ring_lock);
+
+- if (!coalesced_mmio_has_room(dev)) {
++ insert = READ_ONCE(ring->last);
++ if (!coalesced_mmio_has_room(dev, insert) ||
++ insert >= KVM_COALESCED_MMIO_MAX) {
+ spin_unlock(&dev->kvm->ring_lock);
+ return -EOPNOTSUPP;
+ }
+
+ /* copy data in first free entry of the ring */
+
+- ring->coalesced_mmio[ring->last].phys_addr = addr;
+- ring->coalesced_mmio[ring->last].len = len;
+- memcpy(ring->coalesced_mmio[ring->last].data, val, len);
++ ring->coalesced_mmio[insert].phys_addr = addr;
++ ring->coalesced_mmio[insert].len = len;
++ memcpy(ring->coalesced_mmio[insert].data, val, len);
+ smp_wmb();
+- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
++ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
+ spin_unlock(&dev->kvm->ring_lock);
+ return 0;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 2108173e4..b0b9b263d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -166,6 +166,7 @@ bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
 bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
 bugfix/all/vhost-make-sure-log_num-in_num.patch
 bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
+bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
From f13b3c9927afc43b0e0195a5cce74c0b37f80f0 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Fri, 20 Sep 2019 12:51:56 +0200
Subject: [PATCH 6/6] Prepare to release linux (4.19.67-2+deb10u1).
---
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 850a409cb..13e18b429 100644
--- a/debian/changelog
+++ b/debian/changelog
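Review bot: In coalesced_mmio_write the bound test `insert >= KVM_COALESCED_MMIO_MAX` runs after `coalesced_mmio_has_room(dev, insert)`; has_room only does modular arithmetic on `insert`, so this is safe, but validating before using reads more naturally: `if (insert >= KVM_COALESCED_MMIO_MAX || !coalesced_mmio_has_room(dev, insert)) {`. `ring->first` is still read straight from the shared ring inside has_room without `READ_ONCE`; it feeds only the `avail` computation and never an index, so a concurrent userspace change can at worst make the ring look full or free, not move the store — worth a one-line note rather than a change. A comment on the snapshot would capture the trust boundary: `/* ring->last is shared with userspace: read it once and validate it before using it as an index */`. coalesced_mmio_has_room's body is split across the first two hunks of the patch.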
@@ -1,4 +1,4 @@
-linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
+linux (4.19.67-2+deb10u1) buster-security; urgency=high
 
 [ Romain Perier ]
 * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
@@ -10,7 +10,7 @@ linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
 * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
 * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
 
- -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200
+ -- Salvatore Bonaccorso Fri, 20 Sep 2019 12:51:55 +0200
 
 linux (4.19.67-2) buster; urgency=medium