authorJustin M. Forbes <jforbes@redhat.com>2012-04-19 16:03:21 -0500
committerJustin M. Forbes <jforbes@redhat.com>2012-04-19 16:03:21 -0500
commit1174973de19bbac7f7d9a035f7dd7aeb07f75af4 (patch)
tree94ea39c75bfeb59db83de0d8dcbbdbad95429d7d
parent7d3a78564ab43271375c063fe37bd9bdd0296d37 (diff)
Linux v3.4-rc3-65-g9b7f43a
-rw-r--r--kernel.spec27
-rw-r--r--macvtap-zerocopy-validate-vector-length.patch25
-rw-r--r--sources2
3 files changed, 43 insertions, 11 deletions
diff --git a/kernel.spec b/kernel.spec
index 9d50c7cf2..3fb13c567 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 3
# The git snapshot level
-%define gitrev 2
+%define gitrev 3
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@@ -737,9 +737,6 @@ Patch21260: x86-Avoid-invoking-RCU-when-CPU-is-idle.patch
#rhbz 804957 CVE-2012-1568
Patch21306: shlib_base_randomize.patch
-#rhbz 807632
-Patch21385: libata-forbid-port-runtime-pm-by-default.patch
-
Patch21400: unhandled-irqs-switch-to-polling.patch
Patch21620: vgaarb-vga_default_device.patch
@@ -752,9 +749,12 @@ Patch22000: weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
Patch22006: KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
+#rhbz 814278 814289 CVE-2012-2119
+Patch22007: macvtap-zerocopy-validate-vector-length.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1446,9 +1446,6 @@ ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
#Highbank clock functions
ApplyPatch highbank-export-clock-functions.patch
-#rhbz 807632
-ApplyPatch libata-forbid-port-runtime-pm-by-default.patch
-
#vgaarb patches. blame mjg59
ApplyPatch vgaarb-vga_default_device.patch
@@ -1456,9 +1453,12 @@ ApplyPatch vgaarb-vga_default_device.patch
ApplyPatch x86-microcode-Fix-sysfs-warning-during-module-unload-on-unsupported-CPUs.patch
ApplyPatch x86-microcode-Ensure-that-module-is-only-loaded-for-supported-AMD-CPUs.patch
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
ApplyPatch KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
+#rhbz 814278 814289 CVE-2012-2119
+ApplyPatch macvtap-zerocopy-validate-vector-length.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2319,8 +2319,15 @@ fi
# ||----w |
# || ||
%changelog
+* Thu Apr 19 2012 Justin M. Forbes <jforbes@redhat.com> - 3.4.0-0.rc3.git3.1
+- Linux v3.4-rc3-65-g9b7f43a
+
+* Thu Apr 19 2012 Justin M. Forbes <jforbes@redhat.com>
+- CVE-2012-2119 macvtap: zerocopy: vector length is not validated before
+ pinning user pages (rhbz 814278 814289)
+
* Thu Apr 19 2012 Justin M. Forbes <jforbes@redhat.com>
-- Fix KVM device assignment page leak (rhbz 814149 814155)
+- CVE-2012-2121: Fix KVM device assignment page leak (rhbz 814149 814155)
* Wed Apr 18 2012 Justin M. Forbes <jforbes@redhat.com> - 3.4.0-0.rc3.git2.1
- Linux v3.4-rc3-36-g592fe89
diff --git a/macvtap-zerocopy-validate-vector-length.patch b/macvtap-zerocopy-validate-vector-length.patch
new file mode 100644
index 000000000..3ac31e4b6
--- /dev/null
+++ b/macvtap-zerocopy-validate-vector-length.patch
@@ -0,0 +1,25 @@
+Currently we do not validate the vector length before calling
+get_user_pages_fast(), host stack would be easily overflowed by
+malicious guest driver who give us a descriptor with length greater
+than MAX_SKB_FRAGS. Solve this problem by checking the free entries
+before trying to pin user pages.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ drivers/net/macvtap.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 7cb2684..d197a78 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -527,6 +527,8 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
+ }
+ base = (unsigned long)from->iov_base + offset1;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
++ if (i + size >= MAX_SKB_FRAGS)
++ return -EFAULT;
+ num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+ if ((num_pages != size) ||
+ (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags))
+
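Review bot: The added guard `if (i + size >= MAX_SKB_FRAGS)` in zerocopy_sg_from_iovec() is only as strong as the types of `i`, `size` and `len`, which are declared outside this hunk. If `size` is a signed int computed from a guest-controlled `len`, a truncated or negative result would satisfy the comparison and still be passed to `get_user_pages_fast(base, size, 0, &page[i])`; confirm the types and, if they are signed, reject that case explicitly, e.g. `if (size < 0 || i + size >= MAX_SKB_FRAGS)`. Separately, assuming `page[]` holds MAX_SKB_FRAGS entries, `>=` also refuses a vector that would fit exactly, and `-EFAULT` makes an over-long vector indistinguishable from a bad address, so a short comment such as `/* refuse vectors that need more pages than page[] can hold */` would record the intent. The function body starts and ends outside the hunk.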
diff --git a/sources b/sources
index 83400cf08..8f32eb395 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
7133f5a2086a7d7ef97abac610c094f5 linux-3.3.tar.xz
2dfdc406169c0fcec64d5f939a44aff0 patch-3.4-rc3.xz
-5884dc5b83805f09c87e6ce0cf7766ff patch-3.4-rc3-git2.xz
+92d57dac7a77f41fb939df4eb3024aea patch-3.4-rc3-git3.xz