Linux v4.5.6
parent
634a74ca7b
commit
48656c00cb
|
@ -1,49 +0,0 @@
|
|||
From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
|
||||
Date: Mon, 16 May 2016 09:45:35 -0400
|
||||
Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
|
||||
was introduced by 9ba075a664df ("KVM: MTRR support").
|
||||
|
||||
0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
|
||||
size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
|
||||
which made access to index 124 out of bounds. The surrounding code only
|
||||
WARNs in this situation, thus the guest gained a limited read/write
|
||||
access to struct kvm_arch_vcpu.
|
||||
|
||||
0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
|
||||
MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
|
||||
was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
|
||||
not implemented in KVM, therefore 0x2f8 could never do anything useful
|
||||
and getting rid of it is safe.
|
||||
|
||||
This fixes CVE-2016-TBD.
|
||||
|
||||
Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: David Matlack <dmatlack@google.com>
|
||||
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/mtrr.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
|
||||
index 3f8c732117ec..c146f3c262c3 100644
|
||||
--- a/arch/x86/kvm/mtrr.c
|
||||
+++ b/arch/x86/kvm/mtrr.c
|
||||
@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
|
||||
case MSR_MTRRdefType:
|
||||
case MSR_IA32_CR_PAT:
|
||||
return true;
|
||||
- case 0x2f8:
|
||||
- return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
--
|
||||
2.5.5
|
||||
|
11
kernel.spec
11
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 5
|
||||
%define stable_update 6
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -646,9 +646,6 @@ Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
|
|||
#CVE-2016-4482 rhbz 1332931 1332932
|
||||
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
|
||||
|
||||
#rhbz 1328633
|
||||
Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch
|
||||
|
||||
#CVE-2016-4569 rhbz 1334643 1334645
|
||||
Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
|
||||
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
|
||||
|
@ -657,9 +654,6 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
|
|||
#CVE-2016-0758 rhbz 1300257 1335386
|
||||
Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
|
||||
|
||||
#CVE-2016-3713 rhbz 1332139 1336410
|
||||
Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
|
||||
|
||||
#CVE-2016-4440 rhbz 1337806 1337807
|
||||
Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
|
||||
|
||||
|
@ -2187,6 +2181,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jun 01 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.6-300
|
||||
- Linux v4.5.6
|
||||
|
||||
* Sun May 29 2016 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Update Utilite patch
|
||||
- Fix AllWinner DMA driver loading
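Review bot: The new `%changelog` entry says only `- Linux v4.5.6`, but the hunks at old lines 646 and 657 appear to drop two carried patches from the spec, one of them the fix tagged `#CVE-2016-3713 rhbz 1332139 1336410`. The rendered page has lost its +/- markers, so this is inferred from the hunk counts (9 lines down to 6 in each) and from the two patch files deleted in the same commit. After this change, anyone auditing the package for that CVE finds no mention of it in the spec and cannot tell whether the fix was dropped or absorbed. Once it is confirmed that patch-4.5.6.xz carries both fixes, record that in the changelog, for example `- Drop KVM-MTRR-remove-MSR-0x2f8.patch, now in 4.5.6 (CVE-2016-3713 rhbz 1332139 1336410)` and a matching line for the sp5100_tco patch (rhbz 1328633).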
|
||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz
|
||||
6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz
|
||||
fe89010925304f6f07713741f0c8e811 patch-4.5.5.xz
|
||||
165ea1f74c34d264f11be8c25d97635b patch-4.5.6.xz
|
||||
|
|
|
@ -1,75 +0,0 @@
|
|||
From 5896a59895689db447e888c1714022bbb9526ede Mon Sep 17 00:00:00 2001
|
||||
From: Lucas Stach <dev@lynxeye.de>
|
||||
Date: Tue, 3 May 2016 19:15:58 +0200
|
||||
Subject: [PATCH] sp5100_tco: properly check for new register layouts
|
||||
|
||||
Commits 190aa4304de6 (Add AMD Mullins platform support) and
|
||||
cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the
|
||||
driver on a lot more devices, but the following commit missed
|
||||
a single location in the code when checking if the SB800 register
|
||||
offsets should be used. This leads to the wrong register being
|
||||
written which in turn causes ACPI to go haywire.
|
||||
|
||||
Fix this by introducing a helper function to check for the new
|
||||
register layout and use this consistently.
|
||||
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=114201
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1329910
|
||||
Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800
|
||||
and later chipsets)
|
||||
Cc: stable@vger.kernel.org (4.5+)
|
||||
Signed-off-by: Lucas Stach <dev@lynxeye.de>
|
||||
---
|
||||
drivers/watchdog/sp5100_tco.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/drivers/watchdog/sp5100_tco.c b/drivers/watchdog/sp5100_tco.c
|
||||
index 6467b91..028618c 100644
|
||||
--- a/drivers/watchdog/sp5100_tco.c
|
||||
+++ b/drivers/watchdog/sp5100_tco.c
|
||||
@@ -73,6 +73,13 @@ MODULE_PARM_DESC(nowayout, "Watchdog cannot be stopped once started."
|
||||
/*
|
||||
* Some TCO specific functions
|
||||
*/
|
||||
+
|
||||
+static bool tco_has_sp5100_reg_layout(struct pci_dev *dev)
|
||||
+{
|
||||
+ return dev->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
|
||||
+ dev->revision < 0x40;
|
||||
+}
|
||||
+
|
||||
static void tco_timer_start(void)
|
||||
{
|
||||
u32 val;
|
||||
@@ -129,7 +136,7 @@ static void tco_timer_enable(void)
|
||||
{
|
||||
int val;
|
||||
|
||||
- if (sp5100_tco_pci->revision >= 0x40) {
|
||||
+ if (!tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
|
||||
/* For SB800 or later */
|
||||
/* Set the Watchdog timer resolution to 1 sec */
|
||||
outb(SB800_PM_WATCHDOG_CONFIG, SB800_IO_PM_INDEX_REG);
|
||||
@@ -342,8 +349,7 @@ static unsigned char sp5100_tco_setupdevice(void)
|
||||
/*
|
||||
* Determine type of southbridge chipset.
|
||||
*/
|
||||
- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
|
||||
- sp5100_tco_pci->revision < 0x40) {
|
||||
+ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
|
||||
dev_name = SP5100_DEVNAME;
|
||||
index_reg = SP5100_IO_PM_INDEX_REG;
|
||||
data_reg = SP5100_IO_PM_DATA_REG;
|
||||
@@ -388,8 +394,7 @@ static unsigned char sp5100_tco_setupdevice(void)
|
||||
* Secondly, Find the watchdog timer MMIO address
|
||||
* from SBResource_MMIO register.
|
||||
*/
|
||||
- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
|
||||
- sp5100_tco_pci->revision < 0x40) {
|
||||
+ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
|
||||
/* Read SBResource_MMIO from PCI config(PCI_Reg: 9Ch) */
|
||||
pci_read_config_dword(sp5100_tco_pci,
|
||||
SP5100_SB_RESOURCE_MMIO_BASE, &val);
|
||||
--
|
||||
2.7.4
|
||||
|