Add patches for two CVEs in vhost

svn path=/dists/sid/linux/; revision=21204
2014-03-31 21:43:48 +00:00 · 2014-03-31 21:43:48 +00:00 · e55302e247
parent d2cf486950
commit e55302e247
4 changed files with 103 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -26,6 +26,10 @@ linux (3.13.8-1) UNRELEASED; urgency=medium
    - [x86] KVM: x86: handle invalid root_hpa everywhere
    - KVM: VMX: fix use after free of vmx->loaded_vmcs

+  [ Ben Hutchings ]
+  * vhost: fix total length when packets are too short (CVE-2014-0077)
+  * vhost: validate vhost_get_vq_desc return value (CVE-2014-0055)
+
 -- Ben Hutchings <ben@decadent.org.uk>  Mon, 31 Mar 2014 21:12:56 +0100

 linux (3.13.7-1) unstable; urgency=medium
--- a/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch
+++ b/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch
@ -0,0 +1,58 @@
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 27 Mar 2014 12:00:26 +0200
+Subject: [1/2] vhost: fix total length when packets are too short
+Origin: https://git.kernel.org/linus/d8316f3991d207fe32881a9ac20241be8fa2bad0
+
+When mergeable buffers are disabled, and the
+incoming packet is too large for the rx buffer,
+get_rx_bufs returns success.
+
+This was intentional in order for make recvmsg
+truncate the packet and then handle_rx would
+detect err != sock_len and drop it.
+
+Unfortunately we pass the original sock_len to
+recvmsg - which means we use parts of iov not fully
+validated.
+
+Fix this up by detecting this overrun and doing packet drop
+immediately.
+
+CVE-2014-0077
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/vhost/net.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
+@@ -528,6 +528,12 @@ static int get_rx_bufs(struct vhost_virt
+ 	*iovcount = seg;
+ 	if (unlikely(log))
+ 		*log_num = nlogs;
+
+	/* Detect overrun */
+	if (unlikely(datalen > 0)) {
+		r = UIO_MAXIOV + 1;
+		goto err;
+	}
+ 	return headcount;
+ err:
+ 	vhost_discard_vq_desc(vq, headcount);
+@@ -583,6 +589,14 @@ static void handle_rx(struct vhost_net *
+ 		/* On error, stop handling until the next kick. */
+ 		if (unlikely(headcount < 0))
+ 			break;
+		/* On overrun, truncate and discard */
+		if (unlikely(headcount > UIO_MAXIOV)) {
+			msg.msg_iovlen = 1;
+			err = sock->ops->recvmsg(NULL, sock, &msg,
+						 1, MSG_DONTWAIT | MSG_TRUNC);
+			pr_debug("Discarded rx packet: len %zd\n", sock_len);
+			continue;
+		}
+ 		/* OK, now we need to know about added descriptors. */
+ 		if (!headcount) {
+ 			if (unlikely(vhost_enable_notify(&net->dev, vq))) {
--- a/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
+++ b/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
@ -0,0 +1,39 @@
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 27 Mar 2014 12:53:37 +0200
+Subject: [2/2] vhost: validate vhost_get_vq_desc return value
+Origin: https://git.kernel.org/linus/a39ee449f96a2cd44ce056d8a0a112211a9b1a1f
+
+vhost fails to validate negative error code
+from vhost_get_vq_desc causing
+a crash: we are using -EFAULT which is 0xfffffff2
+as vector size, which exceeds the allocated size.
+
+The code in question was introduced in commit
+8dd014adfea6f173c1ef6378f7e5e7924866c923
+    vhost-net: mergeable buffers support
+
+CVE-2014-0055
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/vhost/net.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
+@@ -501,9 +501,13 @@ static int get_rx_bufs(struct vhost_virt
+ 			r = -ENOBUFS;
+ 			goto err;
+ 		}
+-		d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
+		r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
+ 				      ARRAY_SIZE(vq->iov) - seg, &out,
+ 				      &in, log, log_num);
+		if (unlikely(r < 0))
+			goto err;
+
+		d = r;
+ 		if (d == vq->num) {
+ 			r = 0;
+ 			goto err;
--- a/debian/patches/series
+++ b/debian/patches/series
@ -94,3 +94,5 @@ debian/can-avoid-abi-change-in-3.13.6.patch
 debian/arm-mm-avoid-abi-change-in-3.13.6.patch
 debian/fireware-avoid-abi-change-in-3.13.7.patch
 bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
+bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch
+bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch