CVE-2016-9083 CVE-2016-9084 vfio multiple flaws
This commit is contained in:
Justin M. Forbes
parent
a5179f37fc
commit
793d04075c
@ -606,6 +606,9 @@ Patch848: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
|
|||||||
#ongoing complaint, full discussion delayed until ksummit/plumbers
|
#ongoing complaint, full discussion delayed until ksummit/plumbers
|
||||||
Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
|
Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
|
||||||
|
|
||||||
|
# CVE-2016-9083 CVE-2016-9084 rhbz 1389258 1389259 1389285
|
||||||
|
Patch850: v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2144,6 +2147,9 @@ fi
|
|||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Oct 27 2016 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||||
|
- CVE-2016-9083 CVE-2016-9084 vfio multiple flaws (rhbz 1389258 1389259 1389285)
|
||||||
|
|
||||||
* Tue Oct 25 2016 Laura Abbott <labbott@redhat.com> - 4.9.0-0.rc2.git1.1
|
* Tue Oct 25 2016 Laura Abbott <labbott@redhat.com> - 4.9.0-0.rc2.git1.1
|
||||||
- Linux v4.9-rc2-40-g9fe68ca
|
- Linux v4.9-rc2-40-g9fe68ca
|
||||||
|
|
||||||
|
|||||||
102
v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
Normal file
102
v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
From patchwork Wed Oct 12 16:51:24 2016
|
||||||
|
Content-Type: text/plain; charset="utf-8"
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 7bit
|
||||||
|
Subject: [v3] vfio/pci: Fix integer overflows, bitmask check
|
||||||
|
From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
|
||||||
|
X-Patchwork-Id: 9373631
|
||||||
|
Message-Id: <1476291084-50737-1-git-send-email-vlad@tsyrklevich.net>
|
||||||
|
To: kvm@vger.kernel.org
|
||||||
|
Cc: alex.williamson@redhat.com, Vlad Tsyrklevich <vlad@tsyrklevich.net>
|
||||||
|
Date: Wed, 12 Oct 2016 18:51:24 +0200
|
||||||
|
|
||||||
|
The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
|
||||||
|
user-supplied integers, potentially allowing memory corruption. This
|
||||||
|
patch adds appropriate integer overflow checks, checks the range bounds
|
||||||
|
for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
|
||||||
|
in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
|
||||||
|
VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
|
||||||
|
vfio_pci_set_irqs_ioctl().
|
||||||
|
|
||||||
|
Furthermore, a kzalloc is changed to a kcalloc because the use of a
|
||||||
|
kzalloc with an integer multiplication allowed an integer overflow
|
||||||
|
condition to be reached without this patch. kcalloc checks for overflow
|
||||||
|
and should prevent a similar occurrence.
|
||||||
|
|
||||||
|
Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
|
||||||
|
---
|
||||||
|
drivers/vfio/pci/vfio_pci.c | 33 +++++++++++++++++++++------------
|
||||||
|
drivers/vfio/pci/vfio_pci_intrs.c | 2 +-
|
||||||
|
2 files changed, 22 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
|
||||||
|
index d624a52..031bc08 100644
|
||||||
|
--- a/drivers/vfio/pci/vfio_pci.c
|
||||||
|
+++ b/drivers/vfio/pci/vfio_pci.c
|
||||||
|
@@ -829,8 +829,9 @@ static long vfio_pci_ioctl(void *device_data,
|
||||||
|
|
||||||
|
} else if (cmd == VFIO_DEVICE_SET_IRQS) {
|
||||||
|
struct vfio_irq_set hdr;
|
||||||
|
+ size_t size;
|
||||||
|
u8 *data = NULL;
|
||||||
|
- int ret = 0;
|
||||||
|
+ int max, ret = 0;
|
||||||
|
|
||||||
|
minsz = offsetofend(struct vfio_irq_set, count);
|
||||||
|
|
||||||
|
@@ -838,23 +839,31 @@ static long vfio_pci_ioctl(void *device_data,
|
||||||
|
return -EFAULT;
|
||||||
|
|
||||||
|
if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
|
||||||
|
+ hdr.count >= (U32_MAX - hdr.start) ||
|
||||||
|
hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
|
||||||
|
VFIO_IRQ_SET_ACTION_TYPE_MASK))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
- if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
|
||||||
|
- size_t size;
|
||||||
|
- int max = vfio_pci_get_irq_count(vdev, hdr.index);
|
||||||
|
+ max = vfio_pci_get_irq_count(vdev, hdr.index);
|
||||||
|
+ if (hdr.start >= max || hdr.start + hdr.count > max)
|
||||||
|
+ return -EINVAL;
|
||||||
|
|
||||||
|
- if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
|
||||||
|
- size = sizeof(uint8_t);
|
||||||
|
- else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
|
||||||
|
- size = sizeof(int32_t);
|
||||||
|
- else
|
||||||
|
- return -EINVAL;
|
||||||
|
+ switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
|
||||||
|
+ case VFIO_IRQ_SET_DATA_NONE:
|
||||||
|
+ size = 0;
|
||||||
|
+ break;
|
||||||
|
+ case VFIO_IRQ_SET_DATA_BOOL:
|
||||||
|
+ size = sizeof(uint8_t);
|
||||||
|
+ break;
|
||||||
|
+ case VFIO_IRQ_SET_DATA_EVENTFD:
|
||||||
|
+ size = sizeof(int32_t);
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ return -EINVAL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (hdr.argsz - minsz < hdr.count * size ||
|
||||||
|
- hdr.start >= max || hdr.start + hdr.count > max)
|
||||||
|
+ if (size) {
|
||||||
|
+ if (hdr.argsz - minsz < hdr.count * size)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
data = memdup_user((void __user *)(arg + minsz),
|
||||||
|
diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
|
||||||
|
index c2e6089..1c46045 100644
|
||||||
|
--- a/drivers/vfio/pci/vfio_pci_intrs.c
|
||||||
|
+++ b/drivers/vfio/pci/vfio_pci_intrs.c
|
||||||
|
@@ -256,7 +256,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
|
||||||
|
if (!is_irq_none(vdev))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
- vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
|
||||||
|
+ vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
|
||||||
|
if (!vdev->ctx)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
Loading…
Reference in New Issue
Block a user