diff options
| author | Josh Boyer <jwboyer@redhat.com> | 2014-03-28 11:17:27 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@redhat.com> | 2014-03-28 11:17:30 -0400 |
| commit | 305a09258f827c8faefddc5a0285a04202d5acbb (patch) | |
| tree | bb344e776be212bef85d9bb075f372ddf2d28204 | |
| parent | 20ac8e7c1a0e99dfd57ffe486093c92328c9edbe (diff) | |
| download | kernel-305a09258f827c8faefddc5a0285a04202d5acbb.tar.gz kernel-305a09258f827c8faefddc5a0285a04202d5acbb.tar.xz kernel-305a09258f827c8faefddc5a0285a04202d5acbb.zip | |
CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
| -rw-r--r-- | kernel.spec | 7 | ||||
| -rw-r--r-- | net-vhost-validate-vhost_get_vq_desc-return-value.patch | 55 |
2 files changed, 62 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 8e245645..100da23f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -790,6 +790,9 @@ Patch25048: skbuff-zero-copy.patch #CVE-2014-2568 rhbz 1079012 1079013 Patch25049: nfqueue-Orphan-frags-in-nfqnl_zcopy-and-handle-error.patch +#CVE-2014-0055 rhbz 1062577 1081503 +Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch + # END OF PATCH DEFINITIONS %endif @@ -1536,6 +1539,9 @@ ApplyPatch skbuff-zero-copy.patch #CVE-2014-2568 rhbz 1079012 1079013 ApplyPatch nfqueue-Orphan-frags-in-nfqnl_zcopy-and-handle-error.patch +#CVE-2014-0055 rhbz 1062577 1081503 +ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch + # END OF PATCH APPLICATIONS %endif @@ -2348,6 +2354,7 @@ fi # || || %changelog * Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503) - CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013) * Mon Mar 24 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.13.7-200 diff --git a/net-vhost-validate-vhost_get_vq_desc-return-value.patch b/net-vhost-validate-vhost_get_vq_desc-return-value.patch new file mode 100644 index 00000000..5ed9bdf0 --- /dev/null +++ b/net-vhost-validate-vhost_get_vq_desc-return-value.patch @@ -0,0 +1,55 @@ +Bugzilla: 1081503 +Upstream-status: Sent to netdev + +From patchwork Thu Mar 27 10:53:37 2014 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [net] vhost: validate vhost_get_vq_desc return value +From: "Michael S. Tsirkin" <mst@redhat.com> +X-Patchwork-Id: 334291 +Message-Id: <1395917517-30937-1-git-send-email-mst@redhat.com> +To: linux-kernel@vger.kernel.org +Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org, + virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, + David Miller <davem@davemloft.net>, Jason Wang <jasowang@redhat.com> +Date: Thu, 27 Mar 2014 12:53:37 +0200 + +vhost fails to validate negative error code +from vhost_get_vq_desc causing +a crash: we are using -EFAULT which is 0xfffffff2 +as vector size, which exceeds the allocated size. + +The code in question was introduced in commit +8dd014adfea6f173c1ef6378f7e5e7924866c923 + vhost-net: mergeable buffers support + +CVE-2014-0055 + +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +--- +This is needed in -stable. + + drivers/vhost/net.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index 026be58..e1e22e0 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -505,9 +505,13 @@ static int get_rx_bufs(struct vhost_virtqueue *vq, + r = -ENOBUFS; + goto err; + } +- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, ++ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, + ARRAY_SIZE(vq->iov) - seg, &out, + &in, log, log_num); ++ if (unlikely(r < 0)) ++ goto err; ++ ++ d = r; + if (d == vq->num) { + r = 0; + goto err; |