Add patches for two CVEs in vhost
svn path=/dists/sid/linux/; revision=21204
This commit is contained in:
parent
d2cf486950
commit
e55302e247
|
@ -26,6 +26,10 @@ linux (3.13.8-1) UNRELEASED; urgency=medium
|
|||
- [x86] KVM: x86: handle invalid root_hpa everywhere
|
||||
- KVM: VMX: fix use after free of vmx->loaded_vmcs
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* vhost: fix total length when packets are too short (CVE-2014-0077)
|
||||
* vhost: validate vhost_get_vq_desc return value (CVE-2014-0055)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 31 Mar 2014 21:12:56 +0100
|
||||
|
||||
linux (3.13.7-1) unstable; urgency=medium
|
||||
|
|
58
debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch
vendored
Normal file
58
debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch
vendored
Normal file
|
@ -0,0 +1,58 @@
|
|||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Thu, 27 Mar 2014 12:00:26 +0200
|
||||
Subject: [1/2] vhost: fix total length when packets are too short
|
||||
Origin: https://git.kernel.org/linus/d8316f3991d207fe32881a9ac20241be8fa2bad0
|
||||
|
||||
When mergeable buffers are disabled, and the
|
||||
incoming packet is too large for the rx buffer,
|
||||
get_rx_bufs returns success.
|
||||
|
||||
This was intentional in order for make recvmsg
|
||||
truncate the packet and then handle_rx would
|
||||
detect err != sock_len and drop it.
|
||||
|
||||
Unfortunately we pass the original sock_len to
|
||||
recvmsg - which means we use parts of iov not fully
|
||||
validated.
|
||||
|
||||
Fix this up by detecting this overrun and doing packet drop
|
||||
immediately.
|
||||
|
||||
CVE-2014-0077
|
||||
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/vhost/net.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
--- a/drivers/vhost/net.c
|
||||
+++ b/drivers/vhost/net.c
|
||||
@@ -528,6 +528,12 @@ static int get_rx_bufs(struct vhost_virt
|
||||
*iovcount = seg;
|
||||
if (unlikely(log))
|
||||
*log_num = nlogs;
|
||||
+
|
||||
+ /* Detect overrun */
|
||||
+ if (unlikely(datalen > 0)) {
|
||||
+ r = UIO_MAXIOV + 1;
|
||||
+ goto err;
|
||||
+ }
|
||||
return headcount;
|
||||
err:
|
||||
vhost_discard_vq_desc(vq, headcount);
|
||||
@@ -583,6 +589,14 @@ static void handle_rx(struct vhost_net *
|
||||
/* On error, stop handling until the next kick. */
|
||||
if (unlikely(headcount < 0))
|
||||
break;
|
||||
+ /* On overrun, truncate and discard */
|
||||
+ if (unlikely(headcount > UIO_MAXIOV)) {
|
||||
+ msg.msg_iovlen = 1;
|
||||
+ err = sock->ops->recvmsg(NULL, sock, &msg,
|
||||
+ 1, MSG_DONTWAIT | MSG_TRUNC);
|
||||
+ pr_debug("Discarded rx packet: len %zd\n", sock_len);
|
||||
+ continue;
|
||||
+ }
|
||||
/* OK, now we need to know about added descriptors. */
|
||||
if (!headcount) {
|
||||
if (unlikely(vhost_enable_notify(&net->dev, vq))) {
|
39
debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
vendored
Normal file
39
debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
vendored
Normal file
|
@ -0,0 +1,39 @@
|
|||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Thu, 27 Mar 2014 12:53:37 +0200
|
||||
Subject: [2/2] vhost: validate vhost_get_vq_desc return value
|
||||
Origin: https://git.kernel.org/linus/a39ee449f96a2cd44ce056d8a0a112211a9b1a1f
|
||||
|
||||
vhost fails to validate negative error code
|
||||
from vhost_get_vq_desc causing
|
||||
a crash: we are using -EFAULT which is 0xfffffff2
|
||||
as vector size, which exceeds the allocated size.
|
||||
|
||||
The code in question was introduced in commit
|
||||
8dd014adfea6f173c1ef6378f7e5e7924866c923
|
||||
vhost-net: mergeable buffers support
|
||||
|
||||
CVE-2014-0055
|
||||
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/vhost/net.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/vhost/net.c
|
||||
+++ b/drivers/vhost/net.c
|
||||
@@ -501,9 +501,13 @@ static int get_rx_bufs(struct vhost_virt
|
||||
r = -ENOBUFS;
|
||||
goto err;
|
||||
}
|
||||
- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
|
||||
+ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
|
||||
ARRAY_SIZE(vq->iov) - seg, &out,
|
||||
&in, log, log_num);
|
||||
+ if (unlikely(r < 0))
|
||||
+ goto err;
|
||||
+
|
||||
+ d = r;
|
||||
if (d == vq->num) {
|
||||
r = 0;
|
||||
goto err;
|
|
@ -94,3 +94,5 @@ debian/can-avoid-abi-change-in-3.13.6.patch
|
|||
debian/arm-mm-avoid-abi-change-in-3.13.6.patch
|
||||
debian/fireware-avoid-abi-change-in-3.13.7.patch
|
||||
bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
|
||||
bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch
|
||||
bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
|
||||
|
|
Loading…
Reference in New Issue