Linux v3.6.9
This commit is contained in:
parent
211b22ddaf
commit
78f006e1f1
|
@ -1,83 +0,0 @@
|
|||
From 6d1068b3a98519247d8ba4ec85cd40ac136dbdf9 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Tue, 6 Nov 2012 19:24:07 +0100
|
||||
Subject: [PATCH] KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit
|
||||
set (CVE-2012-4461)
|
||||
|
||||
On hosts without the XSAVE support unprivileged local user can trigger
|
||||
oops similar to the one below by setting X86_CR4_OSXSAVE bit in guest
|
||||
cr4 register using KVM_SET_SREGS ioctl and later issuing KVM_RUN
|
||||
ioctl.
|
||||
|
||||
invalid opcode: 0000 [#2] SMP
|
||||
Modules linked in: tun ip6table_filter ip6_tables ebtable_nat ebtables
|
||||
...
|
||||
Pid: 24935, comm: zoog_kvm_monito Tainted: G D 3.2.0-3-686-pae
|
||||
EIP: 0060:[<f8b9550c>] EFLAGS: 00210246 CPU: 0
|
||||
EIP is at kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm]
|
||||
EAX: 00000001 EBX: 000f387e ECX: 00000000 EDX: 00000000
|
||||
ESI: 00000000 EDI: 00000000 EBP: ef5a0060 ESP: d7c63e70
|
||||
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
|
||||
Process zoog_kvm_monito (pid: 24935, ti=d7c62000 task=ed84a0c0
|
||||
task.ti=d7c62000)
|
||||
Stack:
|
||||
00000001 f70a1200 f8b940a9 ef5a0060 00000000 00200202 f8769009 00000000
|
||||
ef5a0060 000f387e eda5c020 8722f9c8 00015bae 00000000 ed84a0c0 ed84a0c0
|
||||
c12bf02d 0000ae80 ef7f8740 fffffffb f359b740 ef5a0060 f8b85dc1 0000ae80
|
||||
Call Trace:
|
||||
[<f8b940a9>] ? kvm_arch_vcpu_ioctl_set_sregs+0x2fe/0x308 [kvm]
|
||||
...
|
||||
[<c12bfb44>] ? syscall_call+0x7/0xb
|
||||
Code: 89 e8 e8 14 ee ff ff ba 00 00 04 00 89 e8 e8 98 48 ff ff 85 c0 74
|
||||
1e 83 7d 48 00 75 18 8b 85 08 07 00 00 31 c9 8b 95 0c 07 00 00 <0f> 01
|
||||
d1 c7 45 48 01 00 00 00 c7 45 1c 01 00 00 00 0f ae f0 89
|
||||
EIP: [<f8b9550c>] kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] SS:ESP
|
||||
0068:d7c63e70
|
||||
|
||||
QEMU first retrieves the supported features via KVM_GET_SUPPORTED_CPUID
|
||||
and then sets them later. So guest's X86_FEATURE_XSAVE should be masked
|
||||
out on hosts without X86_FEATURE_XSAVE, making kvm_set_cr4 with
|
||||
X86_CR4_OSXSAVE fail. Userspaces that allow specifying guest cpuid with
|
||||
X86_FEATURE_XSAVE even on hosts that do not support it, might be
|
||||
susceptible to this attack from inside the guest as well.
|
||||
|
||||
Allow setting X86_CR4_OSXSAVE bit only if host has XSAVE support.
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/cpuid.h | 3 +++
|
||||
arch/x86/kvm/x86.c | 3 +++
|
||||
2 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
|
||||
index a10e460..58fc514 100644
|
||||
--- a/arch/x86/kvm/cpuid.h
|
||||
+++ b/arch/x86/kvm/cpuid.h
|
||||
@@ -24,6 +24,9 @@ static inline bool guest_cpuid_has_xsave(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
struct kvm_cpuid_entry2 *best;
|
||||
|
||||
+ if (!static_cpu_has(X86_FEATURE_XSAVE))
|
||||
+ return 0;
|
||||
+
|
||||
best = kvm_find_cpuid_entry(vcpu, 1, 0);
|
||||
return best && (best->ecx & bit(X86_FEATURE_XSAVE));
|
||||
}
|
||||
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
|
||||
index 224a7e7..4f76417 100644
|
||||
--- a/arch/x86/kvm/x86.c
|
||||
+++ b/arch/x86/kvm/x86.c
|
||||
@@ -5781,6 +5781,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
|
||||
int pending_vec, max_bits, idx;
|
||||
struct desc_ptr dt;
|
||||
|
||||
+ if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
dt.size = sregs->idt.limit;
|
||||
dt.address = sregs->idt.base;
|
||||
kvm_x86_ops->set_idt(vcpu, &dt);
|
||||
--
|
||||
1.8.0
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
index 105e3af..79a4ddc 100644
|
||||
--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
|
||||
@@ -480,20 +480,12 @@ void iwl_trans_pcie_txq_enable(struct iwl_trans *trans, int txq_id, int fifo,
|
||||
void iwl_trans_pcie_txq_disable(struct iwl_trans *trans, int txq_id)
|
||||
{
|
||||
struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
|
||||
- u16 rd_ptr, wr_ptr;
|
||||
- int n_bd = trans_pcie->txq[txq_id].q.n_bd;
|
||||
|
||||
if (!test_and_clear_bit(txq_id, trans_pcie->queue_used)) {
|
||||
WARN_ONCE(1, "queue %d not used", txq_id);
|
||||
return;
|
||||
}
|
||||
|
||||
- rd_ptr = iwl_read_prph(trans, SCD_QUEUE_RDPTR(txq_id)) & (n_bd - 1);
|
||||
- wr_ptr = iwl_read_prph(trans, SCD_QUEUE_WRPTR(txq_id));
|
||||
-
|
||||
- WARN_ONCE(rd_ptr != wr_ptr, "queue %d isn't empty: [%d,%d]",
|
||||
- txq_id, rd_ptr, wr_ptr);
|
||||
-
|
||||
iwl_txq_set_inactive(trans, txq_id);
|
||||
IWL_DEBUG_TX_QUEUES(trans, "Deactivate queue %d\n", txq_id);
|
||||
}
|
19
kernel.spec
19
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 2
|
||||
%global baserelease 1
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -66,7 +66,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 8
|
||||
%define stable_update 9
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -706,9 +706,6 @@ Patch22112: USB-report-submission-of-active-URBs.patch
|
|||
#rhbz 869341
|
||||
Patch22113: smp_irq_move_cleanup_interrupt.patch
|
||||
|
||||
#rhbz 873001
|
||||
Patch22114: iwlwifi-remove-queue-empty-warn-3.6.patch
|
||||
|
||||
#rhbz 812129
|
||||
Patch22120: block-fix-a-crash-when-block-device-is.patch
|
||||
Patch22121: blockdev-turn-a-rw-semaphore-into-a-percpu-rw-sem.patch
|
||||
|
@ -717,9 +714,6 @@ Patch22122: fs-lock-splice_read-and-splice_write-functions.patch
|
|||
#rhbz 874791
|
||||
Patch22125: Bluetooth-Add-support-for-BCM20702A0.patch
|
||||
|
||||
#rhbz CVE-2012-4461 862900 878518
|
||||
Patch21227: KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
|
||||
|
||||
#rhbz CVE-2012-4530 868285 880147
|
||||
Patch21228: exec-do-not-leave-bprm-interp-on-stack.patch
|
||||
Patch21229: exec-use-eloop-for-max-recursion-depth.patch
|
||||
|
@ -1354,9 +1348,6 @@ ApplyPatch USB-report-submission-of-active-URBs.patch
|
|||
#rhbz 869341
|
||||
ApplyPatch smp_irq_move_cleanup_interrupt.patch
|
||||
|
||||
#rhbz 873001
|
||||
ApplyPatch iwlwifi-remove-queue-empty-warn-3.6.patch
|
||||
|
||||
#rhbz 812129
|
||||
ApplyPatch block-fix-a-crash-when-block-device-is.patch
|
||||
ApplyPatch blockdev-turn-a-rw-semaphore-into-a-percpu-rw-sem.patch
|
||||
|
@ -1365,9 +1356,6 @@ ApplyPatch fs-lock-splice_read-and-splice_write-functions.patch
|
|||
#rhbz 874791
|
||||
ApplyPatch Bluetooth-Add-support-for-BCM20702A0.patch
|
||||
|
||||
#rhbz CVE-2012-4461 862900 878518
|
||||
ApplyPatch KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
|
||||
|
||||
#rhbz CVE-2012-4530 868285 880147
|
||||
ApplyPatch exec-do-not-leave-bprm-interp-on-stack.patch
|
||||
ApplyPatch exec-use-eloop-for-max-recursion-depth.patch
|
||||
|
@ -2079,6 +2067,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Dec 03 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.9-1
|
||||
- Linux v3.6.9
|
||||
|
||||
* Tue Nov 27 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.8-2
|
||||
- Update patches for 8139cp issues from David Woodhouse (rhbz 851278)
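Review bot: The new changelog entry `- Linux v3.6.9` does not record that this rebase drops the CVE-2012-4461 backport (Patch21227 and its ApplyPatch line) and the rhbz 873001 iwlwifi patch (Patch22114), so anyone auditing the package's CVE coverage has to diff the spec to learn those fixes are now expected from upstream. Within what is visible the Patch/ApplyPatch pairs are removed consistently and both patch files are deleted in this same commit, so no dangling references remain. I would extend the entry to `- Linux v3.6.9` followed by `- Drop CVE-2012-4461 (rhbz 862900 878518) and rhbz 873001 patches now in -stable`, presuming v3.6.9 really carries both fixes; that is worth confirming against the 3.6.9 stable changelog before the backport is dropped, since the spec offers no other record of it.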
|
||||
|
||||
|