authorBen Hutchings <benh@debian.org>2012-06-11 01:45:24 +0000
committerBen Hutchings <benh@debian.org>2012-06-11 01:45:24 +0000
commit412108cbfe16dd8c7c7cf0039cab594a0731bb3b (patch)
tree0a24cc2784f186e79ae500bd010df9fd48cf03d4
parentd6260419d9e8d4d041effcc1a7c47ec4226019a2 (diff)
KVM: Fix buffer overflow in kvm_set_irq() (CVE-2012-2137)
svn path=/dists/sid/linux/; revision=19122
-rw-r--r--debian/changelog1
-rw-r--r--debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch33
-rw-r--r--debian/patches/series2
3 files changed, 36 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 6de4d61f4505..59a4947b63c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -57,6 +57,7 @@ linux (3.2.20-1) UNRELEASED; urgency=low
* macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb is built
successfully
* macvtap: zerocopy: validate vectors before building skb (CVE-2012-2119)
+ * KVM: Fix buffer overflow in kvm_set_irq() (CVE-2012-2137)
[ Bastian Blank ]
* [s390/s390x,s390x/s390x] Build debugging symbols.
diff --git a/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch b/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
new file mode 100644
index 000000000000..08d4368d0263
--- /dev/null
+++ b/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
@@ -0,0 +1,33 @@
+From: Avi Kivity <avi@redhat.com>
+Date: Sun, 22 Apr 2012 17:02:11 +0300
+Subject: [PATCH] KVM: Fix buffer overflow in kvm_set_irq()
+
+commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed upstream.
+
+kvm_set_irq() has an internal buffer of three irq routing entries, allowing
+connecting a GSI to three IRQ chips or on MSI. However setup_routing_entry()
+does not properly enforce this, allowing three irqchip routes followed by
+an MSI route to overflow the buffer.
+
+Fix by ensuring that an MSI entry is added to an empty list.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+---
+ virt/kvm/irq_comm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
+index a6a0365..5afb431 100644
+--- a/virt/kvm/irq_comm.c
++++ b/virt/kvm/irq_comm.c
+@@ -332,6 +332,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
+ */
+ hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
+ if (ei->type == KVM_IRQ_ROUTING_MSI ||
++ ue->type == KVM_IRQ_ROUTING_MSI ||
+ ue->u.irqchip.irqchip == ei->irqchip.irqchip)
+ return r;
+
+--
+1.7.10
+
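Review bot: The added `ue->type == KVM_IRQ_ROUTING_MSI ||` test protects the three-entry buffer in kvm_set_irq() only indirectly, by keeping each GSI's list to either a single MSI route or one route per irqchip, and nothing in the visible lines records that this is a memory-safety invariant rather than a routing policy. The `ue` entry being validated here presumably comes from a userspace-supplied routing table (inferred, not shown), so I would extend the comment that ends just above the loop with something like `/* Also bounds the per-GSI list to what kvm_set_irq()'s fixed-size array can hold; do not relax without bounding that copy. */`. It is also worth confirming, outside this hunk, that the copy in kvm_set_irq() checks its index against the array size, so that a future routing type cannot reintroduce the overflow. setup_routing_entry() begins and ends outside the hunk, so the existing comment text and the value of `r` returned on rejection are not visible here.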
diff --git a/debian/patches/series b/debian/patches/series
index 420d198cf1ad..85f31202de8c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -324,3 +324,5 @@ bugfix/all/macvtap-zerocopy-fix-truesize-underestimation.patch
bugfix/all/macvtap-zerocopy-put-page-when-fail-to-get-all-reque.patch
bugfix/all/macvtap-zerocopy-set-SKBTX_DEV_ZEROCOPY-only-when-sk.patch
bugfix/all/macvtap-zerocopy-validate-vectors-before-building-sk.patch
+
+bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch