summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Boyer <jwboyer@redhat.com>2014-03-28 11:17:27 -0400
committerJosh Boyer <jwboyer@redhat.com>2014-03-28 11:17:48 -0400
commit6676648289e1e6c790eb53c6535de8f4c92e1592 (patch)
tree8cb68444a65930435f7bb26cd065102e938bcd98
parent0fc5fab4f779681b264247626aa10004858ad556 (diff)
downloadkernel-6676648289e1e6c790eb53c6535de8f4c92e1592.tar.gz
kernel-6676648289e1e6c790eb53c6535de8f4c92e1592.tar.xz
kernel-6676648289e1e6c790eb53c6535de8f4c92e1592.zip
CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
-rw-r--r--kernel.spec7
-rw-r--r--net-vhost-validate-vhost_get_vq_desc-return-value.patch55
2 files changed, 62 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 7c7842256..b9b52327c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -645,6 +645,9 @@ Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
#CVE-2014-2568 rhbz 1079012 1079013
Patch25049: core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
+#CVE-2014-0055 rhbz 1062577 1081503
+Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1295,6 +1298,9 @@ ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
#CVE-2014-2568 rhbz 1079012 1079013
ApplyPatch core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
+#CVE-2014-0055 rhbz 1062577 1081503
+ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2075,6 +2081,7 @@ fi
# || ||
%changelog
* Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
- CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013)
* Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.0-0.rc8.git1.1
diff --git a/net-vhost-validate-vhost_get_vq_desc-return-value.patch b/net-vhost-validate-vhost_get_vq_desc-return-value.patch
new file mode 100644
index 000000000..5ed9bdf0a
--- /dev/null
+++ b/net-vhost-validate-vhost_get_vq_desc-return-value.patch
@@ -0,0 +1,55 @@
+Bugzilla: 1081503
+Upstream-status: Sent to netdev
+
+From patchwork Thu Mar 27 10:53:37 2014
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [net] vhost: validate vhost_get_vq_desc return value
+From: "Michael S. Tsirkin" <mst@redhat.com>
+X-Patchwork-Id: 334291
+Message-Id: <1395917517-30937-1-git-send-email-mst@redhat.com>
+To: linux-kernel@vger.kernel.org
+Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org,
+ virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
+ David Miller <davem@davemloft.net>, Jason Wang <jasowang@redhat.com>
+Date: Thu, 27 Mar 2014 12:53:37 +0200
+
+vhost fails to validate negative error code
+from vhost_get_vq_desc causing
+a crash: we are using -EFAULT which is 0xfffffff2
+as vector size, which exceeds the allocated size.
+
+The code in question was introduced in commit
+8dd014adfea6f173c1ef6378f7e5e7924866c923
+ vhost-net: mergeable buffers support
+
+CVE-2014-0055
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+---
+This is needed in -stable.
+
+ drivers/vhost/net.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index 026be58..e1e22e0 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -505,9 +505,13 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
+ r = -ENOBUFS;
+ goto err;
+ }
+- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
++ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
+ ARRAY_SIZE(vq->iov) - seg, &out,
+ &in, log, log_num);
++ if (unlikely(r < 0))
++ goto err;
++
++ d = r;
+ if (d == vq->num) {
+ r = 0;
+ goto err;