authorJustin M. Forbes <jforbes@fedoraproject.org>2018-08-20 08:58:36 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2018-08-20 08:58:36 -0500
commitd9b24fa3d23f03602c30aac0162bdecc8bfd808d (patch)
tree586f1f7cf33437c4e3b1542c9bdea409fb23edb7
parent3a24c754250dd2c58496916e71e3cdd09878a84f (diff)
Fix CVE-2018-15471 rhbz 1610555 1618414
-rw-r--r--kernel.spec4
-rw-r--r--xsa270.patch55
2 files changed, 59 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index bacc5af0e..3499fafba 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -665,6 +665,9 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
# rhbz 1597333
# Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch
+# CVE-2018-15471 rhbz 1610555 1618414
+Patch524: xsa270.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1916,6 +1919,7 @@ fi
%changelog
* Mon Aug 20 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.17-200
- Linux v4.17.17
+- Fix CVE-2018-15471 (rhbz 1610555 1618414)
* Wed Aug 15 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.14-202
- Include missing Forshadow patches
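Review bot: `Patch524: xsa270.patch` is inserted below the commented-out `# Patch526:` entry in the first hunk, so the patch numbers in this section are no longer monotonic, which makes it easy to reuse 524 or 526 later or to misread the intended order. Moving the two added lines above the `# rhbz 1597333` comment, or giving the new patch a number above 526, keeps the list ordered. Whether this spec applies `PatchNNN` entries automatically or needs a matching apply line in %prep is not visible in the hunk; worth confirming that xsa270.patch actually ends up applied in the build.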
diff --git a/xsa270.patch b/xsa270.patch
new file mode 100644
index 000000000..867896f9d
--- /dev/null
+++ b/xsa270.patch
@@ -0,0 +1,55 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()
+
+Both len and off are frontend specified values, so we need to make
+sure there's no overflow when adding the two for the bounds check. We
+also want to avoid undefined behavior and hence use off to index into
+->hash.mapping[] only after bounds checking. This at the same time
+allows to take care of not applying off twice for the bounds checking
+against vif->num_queues.
+
+It is also insufficient to bounds check copy_op.len, as this is len
+truncated to 16 bits.
+
+This is XSA-270.
+
+Reported-by: Felix Wilhelm <fwilhelm@google.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
+Tested-by: Paul Durrant <paul.durrant@citrix.com>
+---
+The bounds checking against vif->num_queues also occurs too early afaict
+(it should be done after the grant copy). I have patches ready as public
+follow-ups for both this and the (at least latent) issue of the mapping
+array crossing a page boundary.
+
+--- a/drivers/net/xen-netback/hash.c
++++ b/drivers/net/xen-netback/hash.c
+@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct
+ u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
+ u32 off)
+ {
+- u32 *mapping = &vif->hash.mapping[off];
++ u32 *mapping = vif->hash.mapping;
+ struct gnttab_copy copy_op = {
+ .source.u.ref = gref,
+ .source.domid = vif->domid,
+- .dest.u.gmfn = virt_to_gfn(mapping),
+ .dest.domid = DOMID_SELF,
+- .dest.offset = xen_offset_in_page(mapping),
+- .len = len * sizeof(u32),
++ .len = len * sizeof(*mapping),
+ .flags = GNTCOPY_source_gref
+ };
+
+- if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
++ if ((off + len < off) || (off + len > vif->hash.size) ||
++ len > XEN_PAGE_SIZE / sizeof(*mapping))
+ return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
+
++ copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
++ copy_op.dest.offset = xen_offset_in_page(mapping + off);
++
+ while (len-- != 0)
+ if (mapping[off++] >= vif->num_queues)
+ return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;