author | Laura Abbott <labbott@redhat.com> | 2016-11-04 08:00:53 -0600 |
---|---|---|
committer | Laura Abbott <labbott@redhat.com> | 2016-11-04 08:00:53 -0600 |
commit | c1ca5717a0b0923d2ec56c6e3d7070b8bd483c72 (patch) | |
tree | 5a6dc0cc1c9f36331c9937f74bc51e49a74ded1c | |
parent | 07611bcea1ec16ba8f4c2020397127bf302b1e5f (diff) | |
Linux v4.9-rc3-261-g577f12c
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 8 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch | 102 |
4 files changed, 6 insertions, 108 deletions
@@ -1 +1 @@ -0c183d92b20b5c84ca655b45ef57b3318b83eb9e +577f12c07e4edd54730dc559a9c7bc44d22bf7dc diff --git a/kernel.spec b/kernel.spec index 245f11204..7ca551236 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 3 # The git snapshot level -%define gitrev 1 +%define gitrev 2 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -616,9 +616,6 @@ Patch848: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch #ongoing complaint, full discussion delayed until ksummit/plumbers Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch -# CVE-2016-9083 CVE-2016-9084 rhbz 1389258 1389259 1389285 -Patch850: v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch - # END OF PATCH DEFINITIONS %endif @@ -2157,6 +2154,9 @@ fi # # %changelog +* Fri Nov 04 2016 Laura Abbott <labbott@redhat.com> - 4.9.0-0.rc3.git2.1 +- Linux v4.9-rc3-261-g577f12c + * Wed Nov 2 2016 Peter Robinson <pbrobinson@fedoraproject.org> - Some OMAP4 fixes - ARM64 fix for NUMA @@ -1,4 +1,4 @@ c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz 0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz bf2eeea112993a992434d0151b0e9db8 patch-4.9-rc3.xz -e494de724a883883d2d99c87140c6208 patch-4.9-rc3-git1.xz +036b044a6daa15a7dc463ffe5d1c390c patch-4.9-rc3-git2.xz diff --git a/v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch b/v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch deleted file mode 100644 index 5278d4486..000000000 --- a/v3-vfio-pci-Fix-integer-overflows-bitmask-check.patch +++ /dev/null 
@@ -1,102 +0,0 @@
-From patchwork Wed Oct 12 16:51:24 2016
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [v3] vfio/pci: Fix integer overflows, bitmask check
-From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
-X-Patchwork-Id: 9373631
-Message-Id: <1476291084-50737-1-git-send-email-vlad@tsyrklevich.net>
-To: kvm@vger.kernel.org
-Cc: alex.williamson@redhat.com, Vlad Tsyrklevich <vlad@tsyrklevich.net>
-Date: Wed, 12 Oct 2016 18:51:24 +0200
-
-The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
-user-supplied integers, potentially allowing memory corruption. This
-patch adds appropriate integer overflow checks, checks the range bounds
-for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
-in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
-VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
-vfio_pci_set_irqs_ioctl().
-
-Furthermore, a kzalloc is changed to a kcalloc because the use of a
-kzalloc with an integer multiplication allowed an integer overflow
-condition to be reached without this patch. kcalloc checks for overflow
-and should prevent a similar occurrence.
-
-Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
----
- drivers/vfio/pci/vfio_pci.c | 33 +++++++++++++++++++++------------
- drivers/vfio/pci/vfio_pci_intrs.c | 2 +-
- 2 files changed, 22 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
-index d624a52..031bc08 100644
---- a/drivers/vfio/pci/vfio_pci.c
-+++ b/drivers/vfio/pci/vfio_pci.c
-@@ -829,8 +829,9 @@ static long vfio_pci_ioctl(void *device_data,
-
- } else if (cmd == VFIO_DEVICE_SET_IRQS) {
- struct vfio_irq_set hdr;
-+ size_t size;
- u8 *data = NULL;
-- int ret = 0;
-+ int max, ret = 0;
-
- minsz = offsetofend(struct vfio_irq_set, count);
-
-@@ -838,23 +839,31 @@ static long vfio_pci_ioctl(void *device_data,
- return -EFAULT;
-
- if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
-+ hdr.count >= (U32_MAX - hdr.start) ||
- hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
- VFIO_IRQ_SET_ACTION_TYPE_MASK))
- return -EINVAL;
-
-- if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
-- size_t size;
-- int max = vfio_pci_get_irq_count(vdev, hdr.index);
-+ max = vfio_pci_get_irq_count(vdev, hdr.index);
-+ if (hdr.start >= max || hdr.start + hdr.count > max)
-+ return -EINVAL;
-
-- if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
-- size = sizeof(uint8_t);
-- else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
-- size = sizeof(int32_t);
-- else
-- return -EINVAL;
-+ switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
-+ case VFIO_IRQ_SET_DATA_NONE:
-+ size = 0;
-+ break;
-+ case VFIO_IRQ_SET_DATA_BOOL:
-+ size = sizeof(uint8_t);
-+ break;
-+ case VFIO_IRQ_SET_DATA_EVENTFD:
-+ size = sizeof(int32_t);
-+ break;
-+ default:
-+ return -EINVAL;
-+ }
-
-- if (hdr.argsz - minsz < hdr.count * size ||
-- hdr.start >= max || hdr.start + hdr.count > max)
-+ if (size) {
-+ if (hdr.argsz - minsz < hdr.count * size)
- return -EINVAL;
-
- data = memdup_user((void __user *)(arg + minsz),
-diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
-index c2e6089..1c46045 100644
---- a/drivers/vfio/pci/vfio_pci_intrs.c
-+++ b/drivers/vfio/pci/vfio_pci_intrs.c
-@@ -256,7 +256,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
- if (!is_irq_none(vdev))
- return -EINVAL;
-
-- vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
-+ vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
- if (!vdev->ctx)
- return -ENOMEM;
- |