Linux v3.12.6
This commit is contained in:
parent
a16697cbe5
commit
56f55299ff
|
@ -1,36 +0,0 @@
|
|||
Bugzilla: 1030802
|
||||
Upstream-status: 3.13
|
||||
|
||||
From 9cb80b965eaf7af1369f6e16f48a05fbaaccc021 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Walker <matt.g.d.walker@gmail.com>
|
||||
Date: Thu, 5 Dec 2013 12:39:02 -0800
|
||||
Subject: [PATCH] Input: elantech - add support for newer (August 2013) devices
|
||||
|
||||
Added detection for newer Elantech touchpads, so that kernel doesn't
|
||||
fall-back to default PS/2 driver. Supports touchpads released after
|
||||
~August 2013. Fixes bug:
|
||||
https://lists.launchpad.net/kernel-packages/msg18481.html
|
||||
|
||||
Tested on an Acer Aspire S7-392-6302.
|
||||
|
||||
Signed-off by: Matt Walker <matt.g.d.walker@gmail.com>
|
||||
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
||||
---
|
||||
drivers/input/mouse/elantech.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
|
||||
index 8551dca..597e9b8 100644
|
||||
--- a/drivers/input/mouse/elantech.c
|
||||
+++ b/drivers/input/mouse/elantech.c
|
||||
@@ -1313,6 +1313,7 @@ static int elantech_set_properties(struct elantech_data *etd)
|
||||
break;
|
||||
case 6:
|
||||
case 7:
|
||||
+ case 8:
|
||||
etd->hw_version = 4;
|
||||
break;
|
||||
default:
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -1,93 +0,0 @@
|
|||
Bugzilla: 1042071
|
||||
Upstream-status: 3.13 and sent to stable
|
||||
Delivered-To: jwboyer@gmail.com
|
||||
Received: by 10.76.104.107 with SMTP id gd11csp361298oab;
|
||||
Thu, 12 Dec 2013 12:41:21 -0800 (PST)
|
||||
X-Received: by 10.50.109.132 with SMTP id hs4mr33803866igb.34.1386880880893;
|
||||
Thu, 12 Dec 2013 12:41:20 -0800 (PST)
|
||||
Return-Path: <stable-owner@vger.kernel.org>
|
||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||
by mx.google.com with ESMTP id q8si17378346pav.173.2013.12.12.12.40.57
|
||||
for <multiple recipients>;
|
||||
Thu, 12 Dec 2013 12:41:20 -0800 (PST)
|
||||
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
|
||||
dkim=neutral (bad format) header.i=@gmail.com
|
||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1752041Ab3LLUhR (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
|
||||
Thu, 12 Dec 2013 15:37:17 -0500
|
||||
Received: from mail-ea0-f179.google.com ([209.85.215.179]:43785 "EHLO
|
||||
mail-ea0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||
with ESMTP id S1751761Ab3LLUhN (ORCPT
|
||||
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:13 -0500
|
||||
Received: by mail-ea0-f179.google.com with SMTP id r15so485140ead.24
|
||||
for <multiple recipients>; Thu, 12 Dec 2013 12:37:11 -0800 (PST)
|
||||
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||
d=gmail.com; s=20120113;
|
||||
h=sender:from:to:cc:subject:date:message-id;
|
||||
bh=3nLdta59rbActmGe9iq6aMqjNBfzfF7lqy0gb7EeI0I=;
|
||||
b=fWKHZKszZQjXAVDzYAlwX8s4+UNEomYiCAX0zvDzW7A5Yiy28MUt0QbNu6288Pu+Qs
|
||||
NJ38SpDcPLWzGknYOLggLa21nXsv4tX9vp4FFEY4i3H5iCVpXbvxIc+n9ZVOzWY2wkxK
|
||||
HR1Xf24kJ9FPuV/LoIyu5RlHZUm95BoAe7TxRZWlkcxQ0vEOSAyZQwH4EIj6SS7fXI1d
|
||||
PoqZKm7100ib0/wm6I49cF2b0EXRTSOYrgZneyniPVGpfTkpN2atNcEgdLSvAWQKEI+p
|
||||
79Dt0/BJd2CIuqgUbZBlA8pH6a119FtfrVqxVWJAmVvsv9lpkMIjJrFTj9yqpUFKeeYB
|
||||
XTeA==
|
||||
X-Received: by 10.14.6.136 with SMTP id 8mr9978716een.11.1386880631657;
|
||||
Thu, 12 Dec 2013 12:37:11 -0800 (PST)
|
||||
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
|
||||
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.00
|
||||
for <multiple recipients>
|
||||
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
|
||||
Thu, 12 Dec 2013 12:37:01 -0800 (PST)
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
To: linux-kernel@vger.kernel.org
|
||||
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
|
||||
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
|
||||
Subject: [PATCH] KVM: Improve create VCPU parameter
|
||||
Date: Thu, 12 Dec 2013 21:36:51 +0100
|
||||
Message-Id: <1386880614-23300-1-git-send-email-pbonzini@redhat.com>
|
||||
X-Mailer: git-send-email 1.8.3.1
|
||||
Sender: stable-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <stable.vger.kernel.org>
|
||||
X-Mailing-List: stable@vger.kernel.org
|
||||
|
||||
From: Andy Honig <ahonig@google.com>
|
||||
|
||||
In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
|
||||
malicious user could specify a vcpu_id greater than 255 in order to set or
|
||||
clear bits in kernel memory. This could be used to elevate priveges in the
|
||||
kernel. This patch verifies that the vcpu_id provided is less than 255.
|
||||
The api documentation already specifies that the vcpu_id must be less than
|
||||
max_vcpus, but this is currently not checked.
|
||||
|
||||
Reported-by: Andrew Honig <ahonig@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
virt/kvm/kvm_main.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
|
||||
index a0aa84b5941a..4f588bc94186 100644
|
||||
--- a/virt/kvm/kvm_main.c
|
||||
+++ b/virt/kvm/kvm_main.c
|
||||
@@ -1898,6 +1898,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
|
||||
int r;
|
||||
struct kvm_vcpu *vcpu, *v;
|
||||
|
||||
+ if (id >= KVM_MAX_VCPUS)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
vcpu = kvm_arch_vcpu_create(kvm, id);
|
||||
if (IS_ERR(vcpu))
|
||||
return PTR_ERR(vcpu);
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe stable" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|
@ -1,247 +0,0 @@
|
|||
Bugzilla: 1042090
|
||||
Upstream-status: 3.13 and sent for stable
|
||||
Delivered-To: jwboyer@gmail.com
|
||||
Received: by 10.76.104.107 with SMTP id gd11csp361293oab;
|
||||
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
|
||||
X-Received: by 10.68.244.2 with SMTP id xc2mr15600217pbc.58.1386880872483;
|
||||
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
|
||||
Return-Path: <stable-owner@vger.kernel.org>
|
||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||
by mx.google.com with ESMTP id 5si8126292pbj.245.2013.12.12.12.40.49
|
||||
for <multiple recipients>;
|
||||
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
|
||||
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
|
||||
dkim=neutral (bad format) header.i=@gmail.com
|
||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1751901Ab3LLUiK (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
|
||||
Thu, 12 Dec 2013 15:38:10 -0500
|
||||
Received: from mail-ea0-f169.google.com ([209.85.215.169]:43997 "EHLO
|
||||
mail-ea0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||
with ESMTP id S1751940Ab3LLUhR (ORCPT
|
||||
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:17 -0500
|
||||
Received: by mail-ea0-f169.google.com with SMTP id l9so411843eaj.0
|
||||
for <multiple recipients>; Thu, 12 Dec 2013 12:37:15 -0800 (PST)
|
||||
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||
d=gmail.com; s=20120113;
|
||||
h=sender:from:to:cc:subject:date:message-id;
|
||||
bh=2MLmYgVGbv9FpnyP90yrPKk21SJoXFj93yQcaRn4G8Y=;
|
||||
b=ouBadI22VTf1UuezbySC80FWJYdpF/8Ks6I8f5rq1/7SDQPTpScjOYjZX0UtIf1ihj
|
||||
aeQ7IHqpmIYGKWadUbH2l88ZP1+rP7T+f2dZQeCb3HLNsPum0Ix8dzm/koeDnuS3dx75
|
||||
50E9ZcFXO13Hx24tM8p0SAuYZ1DvbCNnPRK0yxHOmCtCWe+mQLBIgig1rg8TzSAazWm7
|
||||
8LhpztDlIzNyZcfzKQvtdqTOBdnhadx5x39fxOe54Yw4JbppDa7R+BY5Jz6GOd3U0Op1
|
||||
Nf97rU0pe/jeyOtjF0LVs/d9iyPPeRoSE+VAr91iT8qj9S2PFEN1QxxWL8sdvsDPZK6B
|
||||
ZCmw==
|
||||
X-Received: by 10.14.182.199 with SMTP id o47mr10030582eem.7.1386880635352;
|
||||
Thu, 12 Dec 2013 12:37:15 -0800 (PST)
|
||||
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
|
||||
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.13
|
||||
for <multiple recipients>
|
||||
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
|
||||
Thu, 12 Dec 2013 12:37:14 -0800 (PST)
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
To: linux-kernel@vger.kernel.org
|
||||
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
|
||||
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
|
||||
Subject: [PATCH] KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
|
||||
Date: Thu, 12 Dec 2013 21:36:53 +0100
|
||||
Message-Id: <1386880614-23300-3-git-send-email-pbonzini@redhat.com>
|
||||
X-Mailer: git-send-email 1.8.3.1
|
||||
Sender: stable-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <stable.vger.kernel.org>
|
||||
X-Mailing-List: stable@vger.kernel.org
|
||||
|
||||
From: Andy Honig <ahonig@google.com>
|
||||
|
||||
In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
|
||||
potential to corrupt kernel memory if userspace provides an address that
|
||||
is at the end of a page. This patches concerts those functions to use
|
||||
kvm_write_guest_cached and kvm_read_guest_cached. It also checks the
|
||||
vapic_address specified by userspace during ioctl processing and returns
|
||||
an error to userspace if the address is not a valid GPA.
|
||||
|
||||
This is generally not guest triggerable, because the required write is
|
||||
done by firmware that runs before the guest. Also, it only affects AMD
|
||||
processors and oldish Intel that do not have the FlexPriority feature
|
||||
(unless you disable FlexPriority, of course; then newer processors are
|
||||
also affected).
|
||||
|
||||
Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
|
||||
|
||||
Reported-by: Andrew Honig <ahonig@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/lapic.c | 27 +++++++++++++++------------
|
||||
arch/x86/kvm/lapic.h | 4 ++--
|
||||
arch/x86/kvm/x86.c | 40 +---------------------------------------
|
||||
3 files changed, 18 insertions(+), 53 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
|
||||
index 89b52ec7d09c..b8bec45c1610 100644
|
||||
--- a/arch/x86/kvm/lapic.c
|
||||
+++ b/arch/x86/kvm/lapic.c
|
||||
@@ -1692,7 +1692,6 @@ static void apic_sync_pv_eoi_from_guest(struct kvm_vcpu *vcpu,
|
||||
void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
u32 data;
|
||||
- void *vapic;
|
||||
|
||||
if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention))
|
||||
apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic);
|
||||
@@ -1700,9 +1699,8 @@ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
|
||||
if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention))
|
||||
return;
|
||||
|
||||
- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
|
||||
- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr));
|
||||
- kunmap_atomic(vapic);
|
||||
+ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
|
||||
+ sizeof(u32));
|
||||
|
||||
apic_set_tpr(vcpu->arch.apic, data & 0xff);
|
||||
}
|
||||
@@ -1738,7 +1736,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu)
|
||||
u32 data, tpr;
|
||||
int max_irr, max_isr;
|
||||
struct kvm_lapic *apic = vcpu->arch.apic;
|
||||
- void *vapic;
|
||||
|
||||
apic_sync_pv_eoi_to_guest(vcpu, apic);
|
||||
|
||||
@@ -1754,18 +1751,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu)
|
||||
max_isr = 0;
|
||||
data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24);
|
||||
|
||||
- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
|
||||
- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data;
|
||||
- kunmap_atomic(vapic);
|
||||
+ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
|
||||
+ sizeof(u32));
|
||||
}
|
||||
|
||||
-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
|
||||
+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
|
||||
{
|
||||
- vcpu->arch.apic->vapic_addr = vapic_addr;
|
||||
- if (vapic_addr)
|
||||
+ if (vapic_addr) {
|
||||
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
|
||||
+ &vcpu->arch.apic->vapic_cache,
|
||||
+ vapic_addr, sizeof(u32)))
|
||||
+ return -EINVAL;
|
||||
__set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
|
||||
- else
|
||||
+ } else {
|
||||
__clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
|
||||
+ }
|
||||
+
|
||||
+ vcpu->arch.apic->vapic_addr = vapic_addr;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data)
|
||||
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
|
||||
index c730ac9fe801..c8b0d0d2da5c 100644
|
||||
--- a/arch/x86/kvm/lapic.h
|
||||
+++ b/arch/x86/kvm/lapic.h
|
||||
@@ -34,7 +34,7 @@ struct kvm_lapic {
|
||||
*/
|
||||
void *regs;
|
||||
gpa_t vapic_addr;
|
||||
- struct page *vapic_page;
|
||||
+ struct gfn_to_hva_cache vapic_cache;
|
||||
unsigned long pending_events;
|
||||
unsigned int sipi_vector;
|
||||
};
|
||||
@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data);
|
||||
void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset);
|
||||
void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector);
|
||||
|
||||
-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
|
||||
+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
|
||||
void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu);
|
||||
void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu);
|
||||
|
||||
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
|
||||
index 21ef1ba184ae..5d004da1e35d 100644
|
||||
--- a/arch/x86/kvm/x86.c
|
||||
+++ b/arch/x86/kvm/x86.c
|
||||
@@ -3214,8 +3214,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
|
||||
r = -EFAULT;
|
||||
if (copy_from_user(&va, argp, sizeof va))
|
||||
goto out;
|
||||
- r = 0;
|
||||
- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
|
||||
+ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
|
||||
break;
|
||||
}
|
||||
case KVM_X86_SETUP_MCE: {
|
||||
@@ -5739,36 +5738,6 @@ static void post_kvm_run_save(struct kvm_vcpu *vcpu)
|
||||
!kvm_event_needs_reinjection(vcpu);
|
||||
}
|
||||
|
||||
-static int vapic_enter(struct kvm_vcpu *vcpu)
|
||||
-{
|
||||
- struct kvm_lapic *apic = vcpu->arch.apic;
|
||||
- struct page *page;
|
||||
-
|
||||
- if (!apic || !apic->vapic_addr)
|
||||
- return 0;
|
||||
-
|
||||
- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
|
||||
- if (is_error_page(page))
|
||||
- return -EFAULT;
|
||||
-
|
||||
- vcpu->arch.apic->vapic_page = page;
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-static void vapic_exit(struct kvm_vcpu *vcpu)
|
||||
-{
|
||||
- struct kvm_lapic *apic = vcpu->arch.apic;
|
||||
- int idx;
|
||||
-
|
||||
- if (!apic || !apic->vapic_addr)
|
||||
- return;
|
||||
-
|
||||
- idx = srcu_read_lock(&vcpu->kvm->srcu);
|
||||
- kvm_release_page_dirty(apic->vapic_page);
|
||||
- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
|
||||
- srcu_read_unlock(&vcpu->kvm->srcu, idx);
|
||||
-}
|
||||
-
|
||||
static void update_cr8_intercept(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
int max_irr, tpr;
|
||||
@@ -6069,11 +6038,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
|
||||
struct kvm *kvm = vcpu->kvm;
|
||||
|
||||
vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
|
||||
- r = vapic_enter(vcpu);
|
||||
- if (r) {
|
||||
- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
|
||||
- return r;
|
||||
- }
|
||||
|
||||
r = 1;
|
||||
while (r > 0) {
|
||||
@@ -6132,8 +6096,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
|
||||
|
||||
srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
|
||||
|
||||
- vapic_exit(vcpu);
|
||||
-
|
||||
return r;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe stable" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|
@ -1,102 +0,0 @@
|
|||
Bugzilla: 1042081
|
||||
Upstream-status: 3.13 and sent for stable
|
||||
Delivered-To: jwboyer@gmail.com
|
||||
Received: by 10.76.104.107 with SMTP id gd11csp361402oab;
|
||||
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
|
||||
X-Received: by 10.68.241.134 with SMTP id wi6mr15423072pbc.44.1386881023599;
|
||||
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
|
||||
Return-Path: <linux-kernel-owner@vger.kernel.org>
|
||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||
by mx.google.com with ESMTP id w3si17375457pbh.89.2013.12.12.12.43.07
|
||||
for <multiple recipients>;
|
||||
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
|
||||
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org;
|
||||
dkim=neutral (bad format) header.i=@gmail.com
|
||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1752145Ab3LLUiu (ORCPT <rfc822;multinymous@gmail.com>
|
||||
+ 99 others); Thu, 12 Dec 2013 15:38:50 -0500
|
||||
Received: from mail-ee0-f45.google.com ([74.125.83.45]:47138 "EHLO
|
||||
mail-ee0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||
with ESMTP id S1751902Ab3LLUhP (ORCPT
|
||||
<rfc822;linux-kernel@vger.kernel.org>);
|
||||
Thu, 12 Dec 2013 15:37:15 -0500
|
||||
Received: by mail-ee0-f45.google.com with SMTP id d49so478739eek.32
|
||||
for <multiple recipients>; Thu, 12 Dec 2013 12:37:13 -0800 (PST)
|
||||
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||
d=gmail.com; s=20120113;
|
||||
h=sender:from:to:cc:subject:date:message-id;
|
||||
bh=Fa9qXXe9oER+jgB6WXA5v2LyR8O2Vaag7ZsOsv67MLg=;
|
||||
b=WbBUzKN8o3OzB75st3w60z/rVczWaaxrvWc2URlwJwZ0lgqObvbXvAb3ophFJxsr/O
|
||||
P3rEj33CGt5vFAmZWsrST8I4pVb7IPZYqmPuBklMhDmvegy2um2xEDCyIuI0oybwgple
|
||||
n1dYPBTNqBhiiLgIUeKgEf88yU5dsAgKOZSTnkMYhDSy9pnGxRda4WtErJ+SHjvcMaX3
|
||||
t2Vt97egJ2n+e+2BvnpS8xZ8biqp6/l3EzvdsL4W849fUUshAKva4Npu0T/D4E3JIp2O
|
||||
3uY+geb/txJL2rOCacT3RljUb3+zAy2zhqGSjKR3AHePFNIX9RxfMi/vlPmTjO0vfmCP
|
||||
H86Q==
|
||||
X-Received: by 10.14.2.73 with SMTP id 49mr10139590eee.15.1386880633625;
|
||||
Thu, 12 Dec 2013 12:37:13 -0800 (PST)
|
||||
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
|
||||
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.11
|
||||
for <multiple recipients>
|
||||
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
|
||||
Thu, 12 Dec 2013 12:37:12 -0800 (PST)
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
To: linux-kernel@vger.kernel.org
|
||||
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
|
||||
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
|
||||
Subject: [PATCH] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
|
||||
Date: Thu, 12 Dec 2013 21:36:52 +0100
|
||||
Message-Id: <1386880614-23300-2-git-send-email-pbonzini@redhat.com>
|
||||
X-Mailer: git-send-email 1.8.3.1
|
||||
Sender: linux-kernel-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <linux-kernel.vger.kernel.org>
|
||||
X-Mailing-List: linux-kernel@vger.kernel.org
|
||||
|
||||
From: Andy Honig <ahonig@google.com>
|
||||
|
||||
Under guest controllable circumstances apic_get_tmcct will execute a
|
||||
divide by zero and cause a crash. If the guest cpuid support
|
||||
tsc deadline timers and performs the following sequence of requests
|
||||
the host will crash.
|
||||
- Set the mode to periodic
|
||||
- Set the TMICT to 0
|
||||
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
|
||||
- Set the TMICT to non-zero.
|
||||
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
|
||||
guest then reads from the TMCCT then the host will perform a divide by 0.
|
||||
|
||||
This patch ensures that if the lapic_timer.period is 0, then the division
|
||||
does not occur.
|
||||
|
||||
Reported-by: Andrew Honig <ahonig@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/lapic.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
|
||||
index 5439117d5c4c..89b52ec7d09c 100644
|
||||
--- a/arch/x86/kvm/lapic.c
|
||||
+++ b/arch/x86/kvm/lapic.c
|
||||
@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
|
||||
ASSERT(apic != NULL);
|
||||
|
||||
/* if initial count is 0, current count should also be 0 */
|
||||
- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
|
||||
+ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
|
||||
+ apic->lapic_timer.period == 0)
|
||||
return 0;
|
||||
|
||||
remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
|
@ -1,109 +0,0 @@
|
|||
Bugzilla: 1042099
|
||||
Upstream-status: 3.13 and sent for stable
|
||||
Delivered-To: jwboyer@gmail.com
|
||||
Received: by 10.76.104.107 with SMTP id gd11csp361370oab;
|
||||
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
|
||||
X-Received: by 10.43.172.4 with SMTP id nw4mr8453091icc.25.1386880976232;
|
||||
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
|
||||
Return-Path: <stable-owner@vger.kernel.org>
|
||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||
by mx.google.com with ESMTP id 2si15667240pax.109.2013.12.12.12.42.31
|
||||
for <multiple recipients>;
|
||||
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
|
||||
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
|
||||
dkim=neutral (bad format) header.i=@gmail.com
|
||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1751853Ab3LLUiJ (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
|
||||
Thu, 12 Dec 2013 15:38:09 -0500
|
||||
Received: from mail-ee0-f54.google.com ([74.125.83.54]:48290 "EHLO
|
||||
mail-ee0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||
with ESMTP id S1751884Ab3LLUhS (ORCPT
|
||||
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:18 -0500
|
||||
Received: by mail-ee0-f54.google.com with SMTP id e51so406857eek.13
|
||||
for <multiple recipients>; Thu, 12 Dec 2013 12:37:17 -0800 (PST)
|
||||
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||
d=gmail.com; s=20120113;
|
||||
h=sender:from:to:cc:subject:date:message-id;
|
||||
bh=VG00enyRpNYeJLwAwqWOGuy3mCBmvpmEBgLPB1IiKNo=;
|
||||
b=p0BlraPBMTIxTXGUuJyYTYRxuMKATenNpVX01fyzNpSYZsMruyMU/sJ8gdc2991eao
|
||||
ZU+66Xlnbd+AyQiuq4P9sMv6Gvax6MvJg04SMZWnLWoZGonmIIwSPch1UKLSJzRN7K+N
|
||||
+Ot3jLtNBYBoREljPkbscbMVOJ2y+S7N61oOZ7IHZNyXVFWDlW8aunduSgc3cytBEhkx
|
||||
UMUUbHVLo+XrXtuggFrmn8oUfJ1hiHQSpOyx8bi0ztxlEjL4DEFpJsKbjRe4sGRgeUy6
|
||||
dRk+7dEcILKBTRVvXaJSriXG5bhZTbcZ5gZab27Ilm1H8Va5Z6R+9C1AwX2x5CQA7Mb1
|
||||
Edug==
|
||||
X-Received: by 10.14.107.3 with SMTP id n3mr9951281eeg.67.1386880636981;
|
||||
Thu, 12 Dec 2013 12:37:16 -0800 (PST)
|
||||
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
|
||||
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.15
|
||||
for <multiple recipients>
|
||||
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
|
||||
Thu, 12 Dec 2013 12:37:16 -0800 (PST)
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
To: linux-kernel@vger.kernel.org
|
||||
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
|
||||
stable@vger.kernel.org
|
||||
Subject: [PATCH] KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
|
||||
Date: Thu, 12 Dec 2013 21:36:54 +0100
|
||||
Message-Id: <1386880614-23300-4-git-send-email-pbonzini@redhat.com>
|
||||
X-Mailer: git-send-email 1.8.3.1
|
||||
Sender: stable-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <stable.vger.kernel.org>
|
||||
X-Mailing-List: stable@vger.kernel.org
|
||||
|
||||
From: Gleb Natapov <gleb@redhat.com>
|
||||
|
||||
A guest can cause a BUG_ON() leading to a host kernel crash.
|
||||
When the guest writes to the ICR to request an IPI, while in x2apic
|
||||
mode the following things happen, the destination is read from
|
||||
ICR2, which is a register that the guest can control.
|
||||
|
||||
kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
|
||||
cluster id. A BUG_ON is triggered, which is a protection against
|
||||
accessing map->logical_map with an out-of-bounds access and manages
|
||||
to avoid that anything really unsafe occurs.
|
||||
|
||||
The logic in the code is correct from real HW point of view. The problem
|
||||
is that KVM supports only one cluster with ID 0 in clustered mode, but
|
||||
the code that has the bug does not take this into account.
|
||||
|
||||
Reported-by: Lars Bull <larsbull@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Gleb Natapov <gleb@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/lapic.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
|
||||
index b8bec45c1610..801dc3fd66e1 100644
|
||||
--- a/arch/x86/kvm/lapic.c
|
||||
+++ b/arch/x86/kvm/lapic.c
|
||||
@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic)
|
||||
return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
|
||||
}
|
||||
|
||||
+#define KMV_X2APIC_CID_BITS 0
|
||||
+
|
||||
static void recalculate_apic_map(struct kvm *kvm)
|
||||
{
|
||||
struct kvm_apic_map *new, *old = NULL;
|
||||
@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm)
|
||||
if (apic_x2apic_mode(apic)) {
|
||||
new->ldr_bits = 32;
|
||||
new->cid_shift = 16;
|
||||
- new->cid_mask = new->lid_mask = 0xffff;
|
||||
+ new->cid_mask = (1 << KMV_X2APIC_CID_BITS) - 1;
|
||||
+ new->lid_mask = 0xffff;
|
||||
} else if (kvm_apic_sw_enabled(apic) &&
|
||||
!new->cid_mask /* flat mode */ &&
|
||||
kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe stable" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
39
kernel.spec
39
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 303
|
||||
%global baserelease 300
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 5
|
||||
%define stable_update 6
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -739,28 +739,12 @@ Patch25166: sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch
|
|||
Patch25167: rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch
|
||||
Patch25168: rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch
|
||||
|
||||
#CVE-2013-6382 rhbz 1033603 1034670
|
||||
Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
||||
#rhbz 958826
|
||||
Patch25164: dell-laptop.patch
|
||||
|
||||
#rhbz 1030802
|
||||
Patch25170: Input-elantech-add-support-for-newer-August-2013-dev.patch
|
||||
Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch
|
||||
|
||||
#CVE-2013-6367 rhbz 1032207 1042081
|
||||
Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
|
||||
|
||||
#CVE-2013-6368 rhbz 1032210 1042090
|
||||
Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
|
||||
|
||||
#CVE-2013-6376 rhbz 1033106 1042099
|
||||
Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
|
||||
|
||||
#CVE-2013-4587 rhbz 1030986 1042071
|
||||
Patch25175: KVM-Improve-create-VCPU-parameter.patch
|
||||
|
||||
#rhbz 1025770
|
||||
Patch25176: br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
|
||||
|
||||
|
@ -1461,28 +1445,12 @@ ApplyPatch rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch
|
|||
ApplyPatch sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch
|
||||
ApplyPatch rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch
|
||||
|
||||
#CVE-2013-6382 rhbz 1033603 1034670
|
||||
ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
||||
#rhbz 958826
|
||||
ApplyPatch dell-laptop.patch
|
||||
|
||||
#rhbz 1030802
|
||||
ApplyPatch Input-elantech-add-support-for-newer-August-2013-dev.patch
|
||||
ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch
|
||||
|
||||
#CVE-2013-6367 rhbz 1032207 1042081
|
||||
ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
|
||||
|
||||
#CVE-2013-6368 rhbz 1032210 1042090
|
||||
ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
|
||||
|
||||
#CVE-2013-6376 rhbz 1033106 1042099
|
||||
ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
|
||||
|
||||
#CVE-2013-4587 rhbz 1030986 1042071
|
||||
ApplyPatch KVM-Improve-create-VCPU-parameter.patch
|
||||
|
||||
#rhbz 1025770
|
||||
ApplyPatch br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
|
||||
|
||||
|
@ -2291,6 +2259,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Dec 23 2013 Justin M. Forbes <jforbes@fedoraproject.org - 3.12.6-300
|
||||
- Linux v3.12.6
|
||||
|
||||
* Fri Dec 20 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Add patches to fix dummy gssd entry (rhbz 1037793)
|
||||
|
||||
|
|
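Review bot: The `#CVE-2013-6382` / `Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch` lines are retired in the @@ -739 and @@ -1461 hunks together with the KVM CVE patches, but while the removed KVM patch files carry "Upstream-status: 3.13 and sent to stable", the removed xfs patch file's own header reads "Upstream-status: Submitted but not queued", so nothing on this page shows that 3.12.6 actually contains that fix; presumably it does and the header is stale, but the commit should state it. The changelog hunk records only `- Linux v3.12.6`, and since the rebase silently retires several tracked security fixes, an extra entry naming them would keep the package history traceable, e.g. `- Drop CVE-2013-6367, CVE-2013-6368, CVE-2013-6376, CVE-2013-4587 and CVE-2013-6382 patches now carried by 3.12.6`. The same changelog header is missing the closing bracket on the address and should read `* Mon Dec 23 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.12.6-300`. The rendering lost the +/- markers on the patch-list hunks, so which 16 of the displayed Patch/ApplyPatch lines are the removed ones cannot be confirmed from the page.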
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz
|
||||
70e456d21f7e7c0dc2f9bd170f1ae4ee patch-3.12.5.xz
|
||||
9e75be8b127e58f1a76c0015eabb12ae patch-3.12.6.xz
|
||||
|
|
|
@ -1,149 +0,0 @@
|
|||
Bugzilla: 1033603
|
||||
Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
|
||||
|
||||
Path: news.gmane.org!not-for-mail
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Newsgroups: gmane.comp.file-systems.xfs.general
|
||||
Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
|
||||
Date: Thu, 31 Oct 2013 21:00:10 +0300
|
||||
Lines: 43
|
||||
Approved: news@gmane.org
|
||||
Message-ID: <20131031180010.GA24839@longonot.mountain>
|
||||
References: <20131025144452.GA28451@ngolde.de>
|
||||
NNTP-Posting-Host: plane.gmane.org
|
||||
Mime-Version: 1.0
|
||||
Content-Type: text/plain; charset="us-ascii"
|
||||
Content-Transfer-Encoding: 7bit
|
||||
X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT)
|
||||
X-Complaints-To: usenet@ger.gmane.org
|
||||
NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC)
|
||||
Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org,
|
||||
Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com
|
||||
To: Ben Myers <bpm@sgi.com>
|
||||
Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013
|
||||
Return-path: <xfs-bounces@oss.sgi.com>
|
||||
Envelope-to: sgi-linux-xfs@gmane.org
|
||||
Original-Received: from oss.sgi.com ([192.48.182.195])
|
||||
by plane.gmane.org with esmtp (Exim 4.69)
|
||||
(envelope-from <xfs-bounces@oss.sgi.com>)
|
||||
id 1Vbwag-0001Ow-Sv
|
||||
for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100
|
||||
Original-Received: from oss.sgi.com (localhost [IPv6:::1])
|
||||
by oss.sgi.com (Postfix) with ESMTP id DB14A7F85;
|
||||
Thu, 31 Oct 2013 13:03:28 -0500 (CDT)
|
||||
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com
|
||||
X-Spam-Level:
|
||||
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
|
||||
autolearn=ham version=3.3.1
|
||||
X-Original-To: xfs@oss.sgi.com
|
||||
Delivered-To: xfs@oss.sgi.com
|
||||
Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111])
|
||||
by oss.sgi.com (Postfix) with ESMTP id A0ED87F83
|
||||
for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT)
|
||||
Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
|
||||
by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B
|
||||
for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT)
|
||||
X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ
|
||||
Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by
|
||||
cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1
|
||||
cipher=AES256-SHA bits=256 verify=NO);
|
||||
Thu, 31 Oct 2013 11:03:20 -0700 (PDT)
|
||||
X-Barracuda-Envelope-From: dan.carpenter@oracle.com
|
||||
X-Barracuda-Apparent-Source-IP: 156.151.31.81
|
||||
Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
|
||||
by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
|
||||
ESMTP id r9VI3AZn009606
|
||||
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
|
||||
Thu, 31 Oct 2013 18:03:11 GMT
|
||||
Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
|
||||
by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
|
||||
r9VI39qG016923
|
||||
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
|
||||
Thu, 31 Oct 2013 18:03:10 GMT
|
||||
Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53])
|
||||
by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
|
||||
r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT
|
||||
Original-Received: from longonot.mountain (/105.160.144.228)
|
||||
by default (Oracle Beehive Gateway v4.0)
|
||||
with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700
|
||||
X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
|
||||
Content-Disposition: inline
|
||||
In-Reply-To: <20131025144452.GA28451@ngolde.de>
|
||||
User-Agent: Mutt/1.5.21 (2010-09-15)
|
||||
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
|
||||
X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81]
|
||||
X-Barracuda-Start-Time: 1383242600
|
||||
X-Barracuda-Encrypted: AES256-SHA
|
||||
X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi
|
||||
X-Virus-Scanned: by bsmtpd at sgi.com
|
||||
X-Barracuda-BRTS-Status: 1
|
||||
X-Barracuda-Spam-Score: 0.00
|
||||
X-Barracuda-Spam-Status: No,
|
||||
SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
|
||||
QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY
|
||||
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937
|
||||
Rule breakdown below
|
||||
pts rule name description
|
||||
---- ----------------------
|
||||
--------------------------------------------------
|
||||
0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay
|
||||
lines
|
||||
X-BeenThere: xfs@oss.sgi.com
|
||||
X-Mailman-Version: 2.1.14
|
||||
Precedence: list
|
||||
List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com>
|
||||
List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>,
|
||||
<mailto:xfs-request@oss.sgi.com?subject=unsubscribe>
|
||||
List-Archive: <http://oss.sgi.com/pipermail/xfs>
|
||||
List-Post: <mailto:xfs@oss.sgi.com>
|
||||
List-Help: <mailto:xfs-request@oss.sgi.com?subject=help>
|
||||
List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>,
|
||||
<mailto:xfs-request@oss.sgi.com?subject=subscribe>
|
||||
Errors-To: xfs-bounces@oss.sgi.com
|
||||
Original-Sender: xfs-bounces@oss.sgi.com
|
||||
Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654
|
||||
Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654>
|
||||
|
||||
If we allocate less than sizeof(struct attrlist) then we end up
|
||||
corrupting memory or doing a ZERO_PTR_SIZE dereference.
|
||||
|
||||
This can only be triggered with CAP_SYS_ADMIN.
|
||||
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
|
||||
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
|
||||
index 4d61340..33ad9a7 100644
|
||||
--- a/fs/xfs/xfs_ioctl.c
|
||||
+++ b/fs/xfs/xfs_ioctl.c
|
||||
@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
|
||||
return -XFS_ERROR(EPERM);
|
||||
if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
|
||||
return -XFS_ERROR(EFAULT);
|
||||
- if (al_hreq.buflen > XATTR_LIST_MAX)
|
||||
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
|
||||
+ al_hreq.buflen > XATTR_LIST_MAX)
|
||||
return -XFS_ERROR(EINVAL);
|
||||
|
||||
/*
|
||||
diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
|
||||
index e8fb123..a7992f8 100644
|
||||
--- a/fs/xfs/xfs_ioctl32.c
|
||||
+++ b/fs/xfs/xfs_ioctl32.c
|
||||
@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
|
||||
if (copy_from_user(&al_hreq, arg,
|
||||
sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
|
||||
return -XFS_ERROR(EFAULT);
|
||||
- if (al_hreq.buflen > XATTR_LIST_MAX)
|
||||
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
|
||||
+ al_hreq.buflen > XATTR_LIST_MAX)
|
||||
return -XFS_ERROR(EINVAL);
|
||||
|
||||
/*
|
||||
|
||||
_______________________________________________
|
||||
xfs mailing list
|
||||
xfs@oss.sgi.com
|
||||
http://oss.sgi.com/mailman/listinfo/xfs
|
||||
|