diff options
| author | Ben Hutchings <benh@debian.org> | 2014-03-31 21:43:48 +0000 |
|---|---|---|
| committer | Ben Hutchings <benh@debian.org> | 2014-03-31 21:43:48 +0000 |
| commit | e55302e2477076d51abc661c9dafefd1b5f94990 (patch) | |
| tree | d6012d043dfea3e04db51e80f040807ceece00d2 | |
| parent | d2cf486950f5015f38f1dbb331cdd2d9d3fec7b0 (diff) | |
| download | kernel_replicant_linux-e55302e2477076d51abc661c9dafefd1b5f94990.tar.gz kernel_replicant_linux-e55302e2477076d51abc661c9dafefd1b5f94990.tar.bz2 kernel_replicant_linux-e55302e2477076d51abc661c9dafefd1b5f94990.zip | |
Add patches for two CVEs in vhost
svn path=/dists/sid/linux/; revision=21204
| -rw-r--r-- | debian/changelog | 4 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch | 58 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch | 39 | ||||
| -rw-r--r-- | debian/patches/series | 2 |
4 files changed, 103 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index bac6526446a3..f03e093c4aab 100644 --- a/debian/changelog +++ b/debian/changelog @@ -26,6 +26,10 @@ linux (3.13.8-1) UNRELEASED; urgency=medium - [x86] KVM: x86: handle invalid root_hpa everywhere - KVM: VMX: fix use after free of vmx->loaded_vmcs + [ Ben Hutchings ] + * vhost: fix total length when packets are too short (CVE-2014-0077) + * vhost: validate vhost_get_vq_desc return value (CVE-2014-0055) + -- Ben Hutchings <ben@decadent.org.uk> Mon, 31 Mar 2014 21:12:56 +0100 linux (3.13.7-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch b/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch new file mode 100644 index 000000000000..3110e61b5848 --- /dev/null +++ b/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch @@ -0,0 +1,58 @@ +From: "Michael S. Tsirkin" <mst@redhat.com> +Date: Thu, 27 Mar 2014 12:00:26 +0200 +Subject: [1/2] vhost: fix total length when packets are too short +Origin: https://git.kernel.org/linus/d8316f3991d207fe32881a9ac20241be8fa2bad0 + +When mergeable buffers are disabled, and the +incoming packet is too large for the rx buffer, +get_rx_bufs returns success. + +This was intentional in order for make recvmsg +truncate the packet and then handle_rx would +detect err != sock_len and drop it. + +Unfortunately we pass the original sock_len to +recvmsg - which means we use parts of iov not fully +validated. + +Fix this up by detecting this overrun and doing packet drop +immediately. + +CVE-2014-0077 + +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/vhost/net.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -528,6 +528,12 @@ static int get_rx_bufs(struct vhost_virt + *iovcount = seg; + if (unlikely(log)) + *log_num = nlogs; ++ ++ /* Detect overrun */ ++ if (unlikely(datalen > 0)) { ++ r = UIO_MAXIOV + 1; ++ goto err; ++ } + return headcount; + err: + vhost_discard_vq_desc(vq, headcount); +@@ -583,6 +589,14 @@ static void handle_rx(struct vhost_net * + /* On error, stop handling until the next kick. */ + if (unlikely(headcount < 0)) + break; ++ /* On overrun, truncate and discard */ ++ if (unlikely(headcount > UIO_MAXIOV)) { ++ msg.msg_iovlen = 1; ++ err = sock->ops->recvmsg(NULL, sock, &msg, ++ 1, MSG_DONTWAIT | MSG_TRUNC); ++ pr_debug("Discarded rx packet: len %zd\n", sock_len); ++ continue; ++ } + /* OK, now we need to know about added descriptors. */ + if (!headcount) { + if (unlikely(vhost_enable_notify(&net->dev, vq))) { diff --git a/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch b/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch new file mode 100644 index 000000000000..3460e830499e --- /dev/null +++ b/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch @@ -0,0 +1,39 @@ +From: "Michael S. Tsirkin" <mst@redhat.com> +Date: Thu, 27 Mar 2014 12:53:37 +0200 +Subject: [2/2] vhost: validate vhost_get_vq_desc return value +Origin: https://git.kernel.org/linus/a39ee449f96a2cd44ce056d8a0a112211a9b1a1f + +vhost fails to validate negative error code +from vhost_get_vq_desc causing +a crash: we are using -EFAULT which is 0xfffffff2 +as vector size, which exceeds the allocated size. + +The code in question was introduced in commit +8dd014adfea6f173c1ef6378f7e5e7924866c923 + vhost-net: mergeable buffers support + +CVE-2014-0055 + +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/vhost/net.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -501,9 +501,13 @@ static int get_rx_bufs(struct vhost_virt + r = -ENOBUFS; + goto err; + } +- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, ++ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, + ARRAY_SIZE(vq->iov) - seg, &out, + &in, log, log_num); ++ if (unlikely(r < 0)) ++ goto err; ++ ++ d = r; + if (d == vq->num) { + r = 0; + goto err; diff --git a/debian/patches/series b/debian/patches/series index fd62e6a4d844..ed7953f4537a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -94,3 +94,5 @@ debian/can-avoid-abi-change-in-3.13.6.patch debian/arm-mm-avoid-abi-change-in-3.13.6.patch debian/fireware-avoid-abi-change-in-3.13.7.patch bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch +bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch +bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch |