From 1174973de19bbac7f7d9a035f7dd7aeb07f75af4 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes" 
Date: Thu, 19 Apr 2012 16:03:21 -0500
Subject: [PATCH] Linux v3.4-rc3-65-g9b7f43a

---
 kernel.spec                                   | 27 ++++++++++++-------
 macvtap-zerocopy-validate-vector-length.patch | 25 +++++++++++++++++
 sources                                       |  2 +-
 3 files changed, 43 insertions(+), 11 deletions(-)
 create mode 100644 macvtap-zerocopy-validate-vector-length.patch

diff --git a/kernel.spec b/kernel.spec
index 9d50c7cf2..3fb13c567 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 3
 # The git snapshot level
-%define gitrev 2
+%define gitrev 3
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -737,9 +737,6 @@ Patch21260: x86-Avoid-invoking-RCU-when-CPU-is-idle.patch
 #rhbz 804957 CVE-2012-1568
 Patch21306: shlib_base_randomize.patch
 
-#rhbz 807632
-Patch21385: libata-forbid-port-runtime-pm-by-default.patch
-
 Patch21400: unhandled-irqs-switch-to-polling.patch
 
 Patch21620: vgaarb-vga_default_device.patch
@@ -752,9 +749,12 @@ Patch22000: weird-root-dentry-name-debug.patch
 #selinux ptrace child permissions
 Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
 
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
 Patch22006: KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
 
+#rhbz 814278 814289 CVE-2012-2119
+Patch22007: macvtap-zerocopy-validate-vector-length.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1446,9 +1446,6 @@ ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
 #Highbank clock functions
 ApplyPatch highbank-export-clock-functions.patch
 
-#rhbz 807632
-ApplyPatch libata-forbid-port-runtime-pm-by-default.patch
-
 #vgaarb patches. blame mjg59
 ApplyPatch vgaarb-vga_default_device.patch
 
@@ -1456,9 +1453,12 @@ ApplyPatch vgaarb-vga_default_device.patch
 ApplyPatch x86-microcode-Fix-sysfs-warning-during-module-unload-on-unsupported-CPUs.patch
 ApplyPatch x86-microcode-Ensure-that-module-is-only-loaded-for-supported-AMD-CPUs.patch
 
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
 ApplyPatch KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
 
+#rhbz 814278 814289 CVE-2012-2119
+ApplyPatch macvtap-zerocopy-validate-vector-length.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2319,8 +2319,15 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Thu Apr 19 2012 Justin M. Forbes - 3.4.0-0.rc3.git3.1
+- Linux v3.4-rc3-65-g9b7f43a
+
 * Thu Apr 19 2012 Justin M. Forbes
-- Fix KVM device assignment page leak (rhbz 814149 814155)
+- CVE-2012-2119 macvtap: zerocopy: vector length is not validated before
+  pinning user pages (rhbz 814278 814289)
+
+* Thu Apr 19 2012 Justin M. Forbes
+- CVE-2012-2121: Fix KVM device assignment page leak (rhbz 814149 814155)
 
 * Wed Apr 18 2012 Justin M. Forbes - 3.4.0-0.rc3.git2.1
 - Linux v3.4-rc3-36-g592fe89
diff --git a/macvtap-zerocopy-validate-vector-length.patch b/macvtap-zerocopy-validate-vector-length.patch
new file mode 100644
index 000000000..3ac31e4b6
--- /dev/null
+++ b/macvtap-zerocopy-validate-vector-length.patch
@@ -0,0 +1,25 @@
+Currently we do not validate the vector length before calling
+get_user_pages_fast(), host stack would be easily overflowed by
+malicious guest driver who give us a descriptor with length greater
+than MAX_SKB_FRAGS. Solve this problem by checking the free entries
+before trying to pin user pages.
+
+Signed-off-by: Jason Wang
+---
+ drivers/net/macvtap.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 7cb2684..d197a78 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -527,6 +527,8 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
+ }
+ base = (unsigned long)from->iov_base + offset1;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
++ if (i + size >= MAX_SKB_FRAGS)
++ return -EFAULT;
+ num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+ if ((num_pages != size) ||
+ (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags))
+
diff --git a/sources b/sources
index 83400cf08..8f32eb395 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 7133f5a2086a7d7ef97abac610c094f5 linux-3.3.tar.xz
 2dfdc406169c0fcec64d5f939a44aff0 patch-3.4-rc3.xz
-5884dc5b83805f09c87e6ce0cf7766ff patch-3.4-rc3-git2.xz
+92d57dac7a77f41fb939df4eb3024aea patch-3.4-rc3-git3.xz
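Review bot: The new guard `if (i + size >= MAX_SKB_FRAGS) return -EFAULT;` in the embedded macvtap.c hunk also rejects i + size == MAX_SKB_FRAGS, which fills the page[] array exactly rather than overrunning it; if page[] is declared with MAX_SKB_FRAGS entries (its declaration is outside the hunk), the tight bound is `if (i + size > MAX_SKB_FRAGS)` and the stricter form refuses a valid maximum-length vector. Returning -EFAULT for an oversized request reads as a bad-address failure; `return -EMSGSIZE;` would let callers and logs tell this rejection apart from a pin that actually failed in the get_user_pages_fast() check below it, which presumably reports -EFAULT. `size` is derived from `len`, and it is not visible here whether `len` was already bounded before this point, so it is worth confirming that `(base & ~PAGE_MASK) + len + ~PAGE_MASK` cannot wrap for a very large iov_len and yield a small `size` that passes the new check. zerocopy_sg_from_iovec() begins and ends outside the hunk.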