diff --git a/kernel.spec b/kernel.spec index 16f2d3b63..5d7b2b1f3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -651,6 +651,8 @@ Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch #CVE-2014-0077 rhbz 1064440 1081504 Patch25051: net-vhost-fix-total-length-when-packets-are-too-short.patch +#CVE-2014-2580 rhbz 1080084 1080086 +Patch25052: net-xen-netback-disable-rogue-vif-in-kthread-context.patch # END OF PATCH DEFINITIONS @@ -1308,6 +1310,9 @@ ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch #CVE-2014-0077 rhbz 1064440 1081504 ApplyPatch net-vhost-fix-total-length-when-packets-are-too-short.patch +#CVE-2014-2580 rhbz 1080084 1080086 +ApplyPatch net-xen-netback-disable-rogue-vif-in-kthread-context.patch + # END OF PATCH APPLICATIONS %endif @@ -2088,6 +2093,7 @@ fi # || || %changelog * Fri Mar 28 2014 Josh Boyer +- CVE-2014-2580 xen: netback crash trying to disable due to malformed packet (rhbz 1080084 1080086) - CVE-2014-0077 vhost-net: insufficent big packet handling in handle_rx (rhbz 1064440 1081504) - CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503) - CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013) diff --git a/net-xen-netback-disable-rogue-vif-in-kthread-context.patch b/net-xen-netback-disable-rogue-vif-in-kthread-context.patch new file mode 100644 index 000000000..75e04f11a --- /dev/null +++ b/net-xen-netback-disable-rogue-vif-in-kthread-context.patch @@ -0,0 +1,143 @@ +Bugzilla: 1080086 +Upstream-status: sent to netdev list + +From patchwork Tue Mar 25 12:20:51 2014 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +Subject: [net,V2] xen-netback: disable rogue vif in kthread context +From: Wei Liu +X-Patchwork-Id: 333459 +Message-Id: <1395750051-15932-1-git-send-email-wei.liu2@citrix.com> +To: , +Cc: , , + , , + Wei Liu , Ian Campbell +Date: Tue, 25 Mar 2014 12:20:51 +0000 + +When netback discovers frontend is sending malformed packet it will +disables the interface which serves that frontend. + +However disabling a network interface involving taking a mutex which +cannot be done in softirq context, so we need to defer this process to +kthread context. + +This patch does the following: +1. introduce a flag to indicate the interface is disabled. +2. check that flag in TX path, don't do any work if it's true. +3. check that flag in RX path, turn off that interface if it's true. + +The reason to disable it in RX path is because RX uses kthread. After +this change the behavior of netback is still consistent -- it won't do +any TX work for a rogue frontend, and the interface will be eventually +turned off. + +Also change a "continue" to "break" after xenvif_fatal_tx_err, as it +doesn't make sense to continue processing packets if frontend is rogue. + +This is a fix for XSA-90. + +Reported-by: Török Edwin +Signed-off-by: Wei Liu +Cc: Ian Campbell + +--- +drivers/net/xen-netback/common.h | 5 +++++ + drivers/net/xen-netback/interface.c | 15 ++++++++++++++- + drivers/net/xen-netback/netback.c | 15 +++++++++++++-- + 3 files changed, 32 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h +index ae413a2..4bf5b33 100644 +--- a/drivers/net/xen-netback/common.h ++++ b/drivers/net/xen-netback/common.h +@@ -113,6 +113,11 @@ struct xenvif { + domid_t domid; + unsigned int handle; + ++ /* Is this interface disabled? True when backend discovers ++ * frontend is rogue. ++ */ ++ bool disabled; ++ + /* Use NAPI for guest TX */ + struct napi_struct napi; + /* When feature-split-event-channels = 0, tx_irq = rx_irq. */ +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index 301cc03..8c921de 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -61,12 +61,23 @@ static int xenvif_poll(struct napi_struct *napi, int budget) + { + struct xenvif *vif = container_of(napi, struct xenvif, napi); + int work_done; ++ unsigned long flags; ++ ++ /* This vif is rogue, we pretend we've there is nothing to do ++ * for this vif to deschedule it from NAPI. But this interface ++ * will be turned off in thread context later. ++ */ ++ if (unlikely(vif->disabled)) { ++ local_irq_save(flags); ++ __napi_complete(napi); ++ local_irq_restore(flags); ++ return 0; ++ } + + work_done = xenvif_tx_action(vif, budget); + + if (work_done < budget) { + int more_to_do = 0; +- unsigned long flags; + + /* It is necessary to disable IRQ before calling + * RING_HAS_UNCONSUMED_REQUESTS. Otherwise we might +@@ -321,6 +332,8 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid, + vif->ip_csum = 1; + vif->dev = dev; + ++ vif->disabled = false; ++ + vif->credit_bytes = vif->remaining_credit = ~0UL; + vif->credit_usec = 0UL; + init_timer(&vif->credit_timeout); +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index 438d0c0..17633dd 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -655,7 +655,8 @@ static void xenvif_tx_err(struct xenvif *vif, + static void xenvif_fatal_tx_err(struct xenvif *vif) + { + netdev_err(vif->dev, "fatal error; disabling device\n"); +- xenvif_carrier_off(vif); ++ vif->disabled = true; ++ xenvif_kick_thread(vif); + } + + static int xenvif_count_requests(struct xenvif *vif, +@@ -1126,7 +1127,7 @@ static unsigned xenvif_tx_build_gops(struct xenvif *vif, int budget) + vif->tx.sring->req_prod, vif->tx.req_cons, + XEN_NETIF_TX_RING_SIZE); + xenvif_fatal_tx_err(vif); +- continue; ++ break; + } + + work_to_do = RING_HAS_UNCONSUMED_REQUESTS(&vif->tx); +@@ -1549,6 +1550,16 @@ int xenvif_kthread(void *data) + wait_event_interruptible(vif->wq, + rx_work_todo(vif) || + kthread_should_stop()); ++ ++ /* This frontend is found to be rogue, disable it in ++ * kthread context. Currently this is only set when ++ * netback finds out frontend sends malformed packet, ++ * but we cannot disable the interface in softirq ++ * context so we defer it here. ++ */ ++ if (unlikely(vif->disabled && netif_carrier_ok(vif->dev))) ++ xenvif_carrier_off(vif); ++ + if (kthread_should_stop()) + break; +