rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v3.12.6

This commit is contained in:
Justin M. Forbes 2013-12-23 09:59:14 -06:00
parent a16697cbe5
commit 56f55299ff
8 changed files with 6 additions and 771 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Input-elantech-add-support-for-newer-August-2013-dev.patch
View File

@ -1,36 +0,0 @@
Bugzilla: 1030802
Upstream-status: 3.13
From 9cb80b965eaf7af1369f6e16f48a05fbaaccc021 Mon Sep 17 00:00:00 2001
From: Matt Walker <matt.g.d.walker@gmail.com>
Date: Thu, 5 Dec 2013 12:39:02 -0800
Subject: [PATCH] Input: elantech - add support for newer (August 2013) devices
Added detection for newer Elantech touchpads, so that kernel doesn't
fall-back to default PS/2 driver. Supports touchpads released after
~August 2013. Fixes bug:
https://lists.launchpad.net/kernel-packages/msg18481.html
Tested on an Acer Aspire S7-392-6302.
Signed-off by: Matt Walker <matt.g.d.walker@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
drivers/input/mouse/elantech.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
index 8551dca..597e9b8 100644
--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1313,6 +1313,7 @@ static int elantech_set_properties(struct elantech_data *etd)
break;
case 6:
case 7:
+ case 8:
etd->hw_version = 4;
break;
default:
--
1.8.3.1

93
KVM-Improve-create-VCPU-parameter.patch
View File

@ -1,93 +0,0 @@
Bugzilla: 1042071
Upstream-status: 3.13 and sent to stable
Delivered-To: jwboyer@gmail.com
Received: by 10.76.104.107 with SMTP id gd11csp361298oab;
Thu, 12 Dec 2013 12:41:21 -0800 (PST)
X-Received: by 10.50.109.132 with SMTP id hs4mr33803866igb.34.1386880880893;
Thu, 12 Dec 2013 12:41:20 -0800 (PST)
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id q8si17378346pav.173.2013.12.12.12.40.57
for <multiple recipients>;
Thu, 12 Dec 2013 12:41:20 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
dkim=neutral (bad format) header.i=@gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1752041Ab3LLUhR (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
Thu, 12 Dec 2013 15:37:17 -0500
Received: from mail-ea0-f179.google.com ([209.85.215.179]:43785 "EHLO
mail-ea0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751761Ab3LLUhN (ORCPT
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:13 -0500
Received: by mail-ea0-f179.google.com with SMTP id r15so485140ead.24
for <multiple recipients>; Thu, 12 Dec 2013 12:37:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=sender:from:to:cc:subject:date:message-id;
bh=3nLdta59rbActmGe9iq6aMqjNBfzfF7lqy0gb7EeI0I=;
b=fWKHZKszZQjXAVDzYAlwX8s4+UNEomYiCAX0zvDzW7A5Yiy28MUt0QbNu6288Pu+Qs
NJ38SpDcPLWzGknYOLggLa21nXsv4tX9vp4FFEY4i3H5iCVpXbvxIc+n9ZVOzWY2wkxK
HR1Xf24kJ9FPuV/LoIyu5RlHZUm95BoAe7TxRZWlkcxQ0vEOSAyZQwH4EIj6SS7fXI1d
PoqZKm7100ib0/wm6I49cF2b0EXRTSOYrgZneyniPVGpfTkpN2atNcEgdLSvAWQKEI+p
79Dt0/BJd2CIuqgUbZBlA8pH6a119FtfrVqxVWJAmVvsv9lpkMIjJrFTj9yqpUFKeeYB
XTeA==
X-Received: by 10.14.6.136 with SMTP id 8mr9978716een.11.1386880631657;
Thu, 12 Dec 2013 12:37:11 -0800 (PST)
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.00
for <multiple recipients>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 12 Dec 2013 12:37:01 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
Subject: [PATCH] KVM: Improve create VCPU parameter
Date: Thu, 12 Dec 2013 21:36:51 +0100
Message-Id: <1386880614-23300-1-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org
From: Andy Honig <ahonig@google.com>
In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
malicious user could specify a vcpu_id greater than 255 in order to set or
clear bits in kernel memory. This could be used to elevate priveges in the
kernel. This patch verifies that the vcpu_id provided is less than 255.
The api documentation already specifies that the vcpu_id must be less than
max_vcpus, but this is currently not checked.
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
virt/kvm/kvm_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index a0aa84b5941a..4f588bc94186 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1898,6 +1898,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
int r;
struct kvm_vcpu *vcpu, *v;
+ if (id >= KVM_MAX_VCPUS)
+ return -EINVAL;
+
vcpu = kvm_arch_vcpu_create(kvm, id);
if (IS_ERR(vcpu))
return PTR_ERR(vcpu);
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

247
KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
View File

@ -1,247 +0,0 @@
Bugzilla: 1042090
Upstream-status: 3.13 and sent for stable
Delivered-To: jwboyer@gmail.com
Received: by 10.76.104.107 with SMTP id gd11csp361293oab;
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
X-Received: by 10.68.244.2 with SMTP id xc2mr15600217pbc.58.1386880872483;
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id 5si8126292pbj.245.2013.12.12.12.40.49
for <multiple recipients>;
Thu, 12 Dec 2013 12:41:12 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
dkim=neutral (bad format) header.i=@gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1751901Ab3LLUiK (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
Thu, 12 Dec 2013 15:38:10 -0500
Received: from mail-ea0-f169.google.com ([209.85.215.169]:43997 "EHLO
mail-ea0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751940Ab3LLUhR (ORCPT
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:17 -0500
Received: by mail-ea0-f169.google.com with SMTP id l9so411843eaj.0
for <multiple recipients>; Thu, 12 Dec 2013 12:37:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=sender:from:to:cc:subject:date:message-id;
bh=2MLmYgVGbv9FpnyP90yrPKk21SJoXFj93yQcaRn4G8Y=;
b=ouBadI22VTf1UuezbySC80FWJYdpF/8Ks6I8f5rq1/7SDQPTpScjOYjZX0UtIf1ihj
aeQ7IHqpmIYGKWadUbH2l88ZP1+rP7T+f2dZQeCb3HLNsPum0Ix8dzm/koeDnuS3dx75
50E9ZcFXO13Hx24tM8p0SAuYZ1DvbCNnPRK0yxHOmCtCWe+mQLBIgig1rg8TzSAazWm7
8LhpztDlIzNyZcfzKQvtdqTOBdnhadx5x39fxOe54Yw4JbppDa7R+BY5Jz6GOd3U0Op1
Nf97rU0pe/jeyOtjF0LVs/d9iyPPeRoSE+VAr91iT8qj9S2PFEN1QxxWL8sdvsDPZK6B
ZCmw==
X-Received: by 10.14.182.199 with SMTP id o47mr10030582eem.7.1386880635352;
Thu, 12 Dec 2013 12:37:15 -0800 (PST)
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.13
for <multiple recipients>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 12 Dec 2013 12:37:14 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
Subject: [PATCH] KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
Date: Thu, 12 Dec 2013 21:36:53 +0100
Message-Id: <1386880614-23300-3-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org
From: Andy Honig <ahonig@google.com>
In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
potential to corrupt kernel memory if userspace provides an address that
is at the end of a page. This patches concerts those functions to use
kvm_write_guest_cached and kvm_read_guest_cached. It also checks the
vapic_address specified by userspace during ioctl processing and returns
an error to userspace if the address is not a valid GPA.
This is generally not guest triggerable, because the required write is
done by firmware that runs before the guest. Also, it only affects AMD
processors and oldish Intel that do not have the FlexPriority feature
(unless you disable FlexPriority, of course; then newer processors are
also affected).
Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/lapic.c | 27 +++++++++++++++------------
arch/x86/kvm/lapic.h | 4 ++--
arch/x86/kvm/x86.c | 40 +---------------------------------------
3 files changed, 18 insertions(+), 53 deletions(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 89b52ec7d09c..b8bec45c1610 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1692,7 +1692,6 @@ static void apic_sync_pv_eoi_from_guest(struct kvm_vcpu *vcpu,
void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
{
u32 data;
- void *vapic;
if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention))
apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic);
@@ -1700,9 +1699,8 @@ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention))
return;
- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr));
- kunmap_atomic(vapic);
+ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
+ sizeof(u32));
apic_set_tpr(vcpu->arch.apic, data & 0xff);
}
@@ -1738,7 +1736,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu)
u32 data, tpr;
int max_irr, max_isr;
struct kvm_lapic *apic = vcpu->arch.apic;
- void *vapic;
apic_sync_pv_eoi_to_guest(vcpu, apic);
@@ -1754,18 +1751,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu)
max_isr = 0;
data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24);
- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data;
- kunmap_atomic(vapic);
+ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
+ sizeof(u32));
}
-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
{
- vcpu->arch.apic->vapic_addr = vapic_addr;
- if (vapic_addr)
+ if (vapic_addr) {
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
+ &vcpu->arch.apic->vapic_cache,
+ vapic_addr, sizeof(u32)))
+ return -EINVAL;
__set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
- else
+ } else {
__clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
+ }
+
+ vcpu->arch.apic->vapic_addr = vapic_addr;
+ return 0;
}
int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data)
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index c730ac9fe801..c8b0d0d2da5c 100644
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -34,7 +34,7 @@ struct kvm_lapic {
*/
void *regs;
gpa_t vapic_addr;
- struct page *vapic_page;
+ struct gfn_to_hva_cache vapic_cache;
unsigned long pending_events;
unsigned int sipi_vector;
};
@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data);
void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset);
void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector);
-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu);
void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 21ef1ba184ae..5d004da1e35d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3214,8 +3214,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
r = -EFAULT;
if (copy_from_user(&va, argp, sizeof va))
goto out;
- r = 0;
- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
+ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
break;
}
case KVM_X86_SETUP_MCE: {
@@ -5739,36 +5738,6 @@ static void post_kvm_run_save(struct kvm_vcpu *vcpu)
!kvm_event_needs_reinjection(vcpu);
}
-static int vapic_enter(struct kvm_vcpu *vcpu)
-{
- struct kvm_lapic *apic = vcpu->arch.apic;
- struct page *page;
-
- if (!apic || !apic->vapic_addr)
- return 0;
-
- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
- if (is_error_page(page))
- return -EFAULT;
-
- vcpu->arch.apic->vapic_page = page;
- return 0;
-}
-
-static void vapic_exit(struct kvm_vcpu *vcpu)
-{
- struct kvm_lapic *apic = vcpu->arch.apic;
- int idx;
-
- if (!apic || !apic->vapic_addr)
- return;
-
- idx = srcu_read_lock(&vcpu->kvm->srcu);
- kvm_release_page_dirty(apic->vapic_page);
- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
- srcu_read_unlock(&vcpu->kvm->srcu, idx);
-}
-
static void update_cr8_intercept(struct kvm_vcpu *vcpu)
{
int max_irr, tpr;
@@ -6069,11 +6038,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
struct kvm *kvm = vcpu->kvm;
vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
- r = vapic_enter(vcpu);
- if (r) {
- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
- return r;
- }
r = 1;
while (r > 0) {
@@ -6132,8 +6096,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
- vapic_exit(vcpu);
-
return r;
}
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

102
KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
View File

@ -1,102 +0,0 @@
Bugzilla: 1042081
Upstream-status: 3.13 and sent for stable
Delivered-To: jwboyer@gmail.com
Received: by 10.76.104.107 with SMTP id gd11csp361402oab;
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
X-Received: by 10.68.241.134 with SMTP id wi6mr15423072pbc.44.1386881023599;
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id w3si17375457pbh.89.2013.12.12.12.43.07
for <multiple recipients>;
Thu, 12 Dec 2013 12:43:43 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org;
dkim=neutral (bad format) header.i=@gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1752145Ab3LLUiu (ORCPT <rfc822;multinymous@gmail.com>
+ 99 others); Thu, 12 Dec 2013 15:38:50 -0500
Received: from mail-ee0-f45.google.com ([74.125.83.45]:47138 "EHLO
mail-ee0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751902Ab3LLUhP (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 12 Dec 2013 15:37:15 -0500
Received: by mail-ee0-f45.google.com with SMTP id d49so478739eek.32
for <multiple recipients>; Thu, 12 Dec 2013 12:37:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=sender:from:to:cc:subject:date:message-id;
bh=Fa9qXXe9oER+jgB6WXA5v2LyR8O2Vaag7ZsOsv67MLg=;
b=WbBUzKN8o3OzB75st3w60z/rVczWaaxrvWc2URlwJwZ0lgqObvbXvAb3ophFJxsr/O
P3rEj33CGt5vFAmZWsrST8I4pVb7IPZYqmPuBklMhDmvegy2um2xEDCyIuI0oybwgple
n1dYPBTNqBhiiLgIUeKgEf88yU5dsAgKOZSTnkMYhDSy9pnGxRda4WtErJ+SHjvcMaX3
t2Vt97egJ2n+e+2BvnpS8xZ8biqp6/l3EzvdsL4W849fUUshAKva4Npu0T/D4E3JIp2O
3uY+geb/txJL2rOCacT3RljUb3+zAy2zhqGSjKR3AHePFNIX9RxfMi/vlPmTjO0vfmCP
H86Q==
X-Received: by 10.14.2.73 with SMTP id 49mr10139590eee.15.1386880633625;
Thu, 12 Dec 2013 12:37:13 -0800 (PST)
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.11
for <multiple recipients>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 12 Dec 2013 12:37:12 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
Andy Honig <ahonig@google.com>, stable@vger.kernel.org
Subject: [PATCH] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
Date: Thu, 12 Dec 2013 21:36:52 +0100
Message-Id: <1386880614-23300-2-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Andy Honig <ahonig@google.com>
Under guest controllable circumstances apic_get_tmcct will execute a
divide by zero and cause a crash. If the guest cpuid support
tsc deadline timers and performs the following sequence of requests
the host will crash.
- Set the mode to periodic
- Set the TMICT to 0
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
- Set the TMICT to non-zero.
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
guest then reads from the TMCCT then the host will perform a divide by 0.
This patch ensures that if the lapic_timer.period is 0, then the division
does not occur.
Reported-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/lapic.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 5439117d5c4c..89b52ec7d09c 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
ASSERT(apic != NULL);
/* if initial count is 0, current count should also be 0 */
- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
+ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
+ apic->lapic_timer.period == 0)
return 0;
remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

109
KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
View File

@ -1,109 +0,0 @@
Bugzilla: 1042099
Upstream-status: 3.13 and sent for stable
Delivered-To: jwboyer@gmail.com
Received: by 10.76.104.107 with SMTP id gd11csp361370oab;
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
X-Received: by 10.43.172.4 with SMTP id nw4mr8453091icc.25.1386880976232;
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id 2si15667240pax.109.2013.12.12.12.42.31
for <multiple recipients>;
Thu, 12 Dec 2013 12:42:56 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
dkim=neutral (bad format) header.i=@gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1751853Ab3LLUiJ (ORCPT <rfc822;kumadasu@gmail.com> + 64 others);
Thu, 12 Dec 2013 15:38:09 -0500
Received: from mail-ee0-f54.google.com ([74.125.83.54]:48290 "EHLO
mail-ee0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751884Ab3LLUhS (ORCPT
<rfc822;stable@vger.kernel.org>); Thu, 12 Dec 2013 15:37:18 -0500
Received: by mail-ee0-f54.google.com with SMTP id e51so406857eek.13
for <multiple recipients>; Thu, 12 Dec 2013 12:37:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=sender:from:to:cc:subject:date:message-id;
bh=VG00enyRpNYeJLwAwqWOGuy3mCBmvpmEBgLPB1IiKNo=;
b=p0BlraPBMTIxTXGUuJyYTYRxuMKATenNpVX01fyzNpSYZsMruyMU/sJ8gdc2991eao
ZU+66Xlnbd+AyQiuq4P9sMv6Gvax6MvJg04SMZWnLWoZGonmIIwSPch1UKLSJzRN7K+N
+Ot3jLtNBYBoREljPkbscbMVOJ2y+S7N61oOZ7IHZNyXVFWDlW8aunduSgc3cytBEhkx
UMUUbHVLo+XrXtuggFrmn8oUfJ1hiHQSpOyx8bi0ztxlEjL4DEFpJsKbjRe4sGRgeUy6
dRk+7dEcILKBTRVvXaJSriXG5bhZTbcZ5gZab27Ilm1H8Va5Z6R+9C1AwX2x5CQA7Mb1
Edug==
X-Received: by 10.14.107.3 with SMTP id n3mr9951281eeg.67.1386880636981;
Thu, 12 Dec 2013 12:37:16 -0800 (PST)
Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54])
by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.15
for <multiple recipients>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 12 Dec 2013 12:37:16 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com,
stable@vger.kernel.org
Subject: [PATCH] KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
Date: Thu, 12 Dec 2013 21:36:54 +0100
Message-Id: <1386880614-23300-4-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org
From: Gleb Natapov <gleb@redhat.com>
A guest can cause a BUG_ON() leading to a host kernel crash.
When the guest writes to the ICR to request an IPI, while in x2apic
mode the following things happen, the destination is read from
ICR2, which is a register that the guest can control.
kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
cluster id. A BUG_ON is triggered, which is a protection against
accessing map->logical_map with an out-of-bounds access and manages
to avoid that anything really unsafe occurs.
The logic in the code is correct from real HW point of view. The problem
is that KVM supports only one cluster with ID 0 in clustered mode, but
the code that has the bug does not take this into account.
Reported-by: Lars Bull <larsbull@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/lapic.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index b8bec45c1610..801dc3fd66e1 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic)
return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
}
+#define KMV_X2APIC_CID_BITS 0
+
static void recalculate_apic_map(struct kvm *kvm)
{
struct kvm_apic_map *new, *old = NULL;
@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm)
if (apic_x2apic_mode(apic)) {
new->ldr_bits = 32;
new->cid_shift = 16;
- new->cid_mask = new->lid_mask = 0xffff;
+ new->cid_mask = (1 << KMV_X2APIC_CID_BITS) - 1;
+ new->lid_mask = 0xffff;
} else if (kvm_apic_sw_enabled(apic) &&
!new->cid_mask /* flat mode */ &&
kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

39
kernel.spec
View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 303
%global baserelease 300
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -74,7 +74,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 5
%define stable_update 6
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -739,28 +739,12 @@ Patch25166: sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch
Patch25167: rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch
Patch25168: rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch
#CVE-2013-6382 rhbz 1033603 1034670
Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
#rhbz 958826
Patch25164: dell-laptop.patch
#rhbz 1030802
Patch25170: Input-elantech-add-support-for-newer-August-2013-dev.patch
Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch
#CVE-2013-6367 rhbz 1032207 1042081
Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
#CVE-2013-6368 rhbz 1032210 1042090
Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
#CVE-2013-6376 rhbz 1033106 1042099
Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
#CVE-2013-4587 rhbz 1030986 1042071
Patch25175: KVM-Improve-create-VCPU-parameter.patch
#rhbz 1025770
Patch25176: br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
@ -1461,28 +1445,12 @@ ApplyPatch rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch
ApplyPatch sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch
ApplyPatch rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch
#CVE-2013-6382 rhbz 1033603 1034670
ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
#rhbz 958826
ApplyPatch dell-laptop.patch
#rhbz 1030802
ApplyPatch Input-elantech-add-support-for-newer-August-2013-dev.patch
ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch
#CVE-2013-6367 rhbz 1032207 1042081
ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch
#CVE-2013-6368 rhbz 1032210 1042090
ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch
#CVE-2013-6376 rhbz 1033106 1042099
ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
#CVE-2013-4587 rhbz 1030986 1042071
ApplyPatch KVM-Improve-create-VCPU-parameter.patch
#rhbz 1025770
ApplyPatch br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
@ -2291,6 +2259,9 @@ fi
# ||----w |
# || ||
%changelog
* Mon Dec 23 2013 Justin M. Forbes <jforbes@fedoraproject.org - 3.12.6-300
- Linux v3.12.6
* Fri Dec 20 2013 Josh Boyer <jwboyer@fedoraproject.org>
- Add patches to fix dummy gssd entry (rhbz 1037793)

2
sources
View File

@ -1,2 +1,2 @@
cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz
70e456d21f7e7c0dc2f9bd170f1ae4ee patch-3.12.5.xz
9e75be8b127e58f1a76c0015eabb12ae patch-3.12.6.xz

149
xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
View File

@ -1,149 +0,0 @@
Bugzilla: 1033603
Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
Path: news.gmane.org!not-for-mail
From: Dan Carpenter <dan.carpenter@oracle.com>
Newsgroups: gmane.comp.file-systems.xfs.general
Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
Date: Thu, 31 Oct 2013 21:00:10 +0300
Lines: 43
Approved: news@gmane.org
Message-ID: <20131031180010.GA24839@longonot.mountain>
References: <20131025144452.GA28451@ngolde.de>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC)
Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org,
Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com
To: Ben Myers <bpm@sgi.com>
Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013
Return-path: <xfs-bounces@oss.sgi.com>
Envelope-to: sgi-linux-xfs@gmane.org
Original-Received: from oss.sgi.com ([192.48.182.195])
by plane.gmane.org with esmtp (Exim 4.69)
(envelope-from <xfs-bounces@oss.sgi.com>)
id 1Vbwag-0001Ow-Sv
for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100
Original-Received: from oss.sgi.com (localhost [IPv6:::1])
by oss.sgi.com (Postfix) with ESMTP id DB14A7F85;
Thu, 31 Oct 2013 13:03:28 -0500 (CDT)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
autolearn=ham version=3.3.1
X-Original-To: xfs@oss.sgi.com
Delivered-To: xfs@oss.sgi.com
Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111])
by oss.sgi.com (Postfix) with ESMTP id A0ED87F83
for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT)
Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B
for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT)
X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ
Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by
cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1
cipher=AES256-SHA bits=256 verify=NO);
Thu, 31 Oct 2013 11:03:20 -0700 (PDT)
X-Barracuda-Envelope-From: dan.carpenter@oracle.com
X-Barracuda-Apparent-Source-IP: 156.151.31.81
Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
ESMTP id r9VI3AZn009606
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
Thu, 31 Oct 2013 18:03:11 GMT
Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
r9VI39qG016923
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Thu, 31 Oct 2013 18:03:10 GMT
Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53])
by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT
Original-Received: from longonot.mountain (/105.160.144.228)
by default (Oracle Beehive Gateway v4.0)
with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700
X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
Content-Disposition: inline
In-Reply-To: <20131025144452.GA28451@ngolde.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81]
X-Barracuda-Start-Time: 1383242600
X-Barracuda-Encrypted: AES256-SHA
X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at sgi.com
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No,
SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937
Rule breakdown below
pts rule name description
---- ----------------------
--------------------------------------------------
0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay
lines
X-BeenThere: xfs@oss.sgi.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com>
List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>,
<mailto:xfs-request@oss.sgi.com?subject=unsubscribe>
List-Archive: <http://oss.sgi.com/pipermail/xfs>
List-Post: <mailto:xfs@oss.sgi.com>
List-Help: <mailto:xfs-request@oss.sgi.com?subject=help>
List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>,
<mailto:xfs-request@oss.sgi.com?subject=subscribe>
Errors-To: xfs-bounces@oss.sgi.com
Original-Sender: xfs-bounces@oss.sgi.com
Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654
Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654>
If we allocate less than sizeof(struct attrlist) then we end up
corrupting memory or doing a ZERO_PTR_SIZE dereference.
This can only be triggered with CAP_SYS_ADMIN.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 4d61340..33ad9a7 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
return -XFS_ERROR(EPERM);
if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
return -XFS_ERROR(EINVAL);
/*
diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
index e8fb123..a7992f8 100644
--- a/fs/xfs/xfs_ioctl32.c
+++ b/fs/xfs/xfs_ioctl32.c
@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
if (copy_from_user(&al_hreq, arg,
sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
return -XFS_ERROR(EINVAL);
/*
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs