CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
This commit is contained in:
Josh Boyer
parent
0fc5fab4f7
commit
6676648289
|
|
@ -645,6 +645,9 @@ Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
|
|||
#CVE-2014-2568 rhbz 1079012 1079013
|
||||
Patch25049: core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
|
||||
|
||||
#CVE-2014-0055 rhbz 1062577 1081503
|
||||
Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1295,6 +1298,9 @@ ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
|
|||
#CVE-2014-2568 rhbz 1079012 1079013
|
||||
ApplyPatch core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
|
||||
|
||||
#CVE-2014-0055 rhbz 1062577 1081503
|
||||
ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2075,6 +2081,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
|
||||
- CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013)
|
||||
|
||||
* Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.0-0.rc8.git1.1
|
||||
|
|
|
|||
|
|
@ -0,0 +1,55 @@
|
|||
Bugzilla: 1081503
|
||||
Upstream-status: Sent to netdev
|
||||
|
||||
From patchwork Thu Mar 27 10:53:37 2014
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [net] vhost: validate vhost_get_vq_desc return value
|
||||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
X-Patchwork-Id: 334291
|
||||
Message-Id: <1395917517-30937-1-git-send-email-mst@redhat.com>
|
||||
To: linux-kernel@vger.kernel.org
|
||||
Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org,
|
||||
virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
|
||||
David Miller <davem@davemloft.net>, Jason Wang <jasowang@redhat.com>
|
||||
Date: Thu, 27 Mar 2014 12:53:37 +0200
|
||||
|
||||
vhost fails to validate negative error code
|
||||
from vhost_get_vq_desc causing
|
||||
a crash: we are using -EFAULT which is 0xfffffff2
|
||||
as vector size, which exceeds the allocated size.
|
||||
|
||||
The code in question was introduced in commit
|
||||
8dd014adfea6f173c1ef6378f7e5e7924866c923
|
||||
vhost-net: mergeable buffers support
|
||||
|
||||
CVE-2014-0055
|
||||
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
|
||||
---
|
||||
This is needed in -stable.
|
||||
|
||||
drivers/vhost/net.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
|
||||
index 026be58..e1e22e0 100644
|
||||
--- a/drivers/vhost/net.c
|
||||
+++ b/drivers/vhost/net.c
|
||||
@@ -505,9 +505,13 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
|
||||
r = -ENOBUFS;
|
||||
goto err;
|
||||
}
|
||||
- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
|
||||
+ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
|
||||
ARRAY_SIZE(vq->iov) - seg, &out,
|
||||
&in, log, log_num);
|
||||
+ if (unlikely(r < 0))
|
||||
+ goto err;
|
||||
+
|
||||
+ d = r;
|
||||
if (d == vq->num) {
|
||||
r = 0;
|
||||
goto err;
|
||||
Loading…
Reference in New Issue