diff options
| author | Josh Boyer <jwboyer@redhat.com> | 2014-03-28 11:17:27 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@redhat.com> | 2014-03-28 11:17:48 -0400 |
| commit | 6676648289e1e6c790eb53c6535de8f4c92e1592 (patch) | |
| tree | 8cb68444a65930435f7bb26cd065102e938bcd98 | |
| parent | 0fc5fab4f779681b264247626aa10004858ad556 (diff) | |
| download | kernel-6676648289e1e6c790eb53c6535de8f4c92e1592.tar.gz kernel-6676648289e1e6c790eb53c6535de8f4c92e1592.tar.xz kernel-6676648289e1e6c790eb53c6535de8f4c92e1592.zip | |
CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503)
| -rw-r--r-- | kernel.spec | 7 | ||||
| -rw-r--r-- | net-vhost-validate-vhost_get_vq_desc-return-value.patch | 55 |
2 files changed, 62 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 7c7842256..b9b52327c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -645,6 +645,9 @@ Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch #CVE-2014-2568 rhbz 1079012 1079013 Patch25049: core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch +#CVE-2014-0055 rhbz 1062577 1081503 +Patch25050: net-vhost-validate-vhost_get_vq_desc-return-value.patch + # END OF PATCH DEFINITIONS %endif @@ -1295,6 +1298,9 @@ ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch #CVE-2014-2568 rhbz 1079012 1079013 ApplyPatch core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch +#CVE-2014-0055 rhbz 1062577 1081503 +ApplyPatch net-vhost-validate-vhost_get_vq_desc-return-value.patch + # END OF PATCH APPLICATIONS %endif @@ -2075,6 +2081,7 @@ fi # || || %changelog * Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2014-0055 vhost-net: insufficent error handling in get_rx_bufs (rhbz 1062577 1081503) - CVE-2014-2568 net: potential info leak when ubuf backed skbs are zero copied (rhbz 1079012 1079013) * Fri Mar 28 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.0-0.rc8.git1.1 diff --git a/net-vhost-validate-vhost_get_vq_desc-return-value.patch b/net-vhost-validate-vhost_get_vq_desc-return-value.patch new file mode 100644 index 000000000..5ed9bdf0a --- /dev/null +++ b/net-vhost-validate-vhost_get_vq_desc-return-value.patch @@ -0,0 +1,55 @@ +Bugzilla: 1081503 +Upstream-status: Sent to netdev + +From patchwork Thu Mar 27 10:53:37 2014 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [net] vhost: validate vhost_get_vq_desc return value +From: "Michael S. Tsirkin" <mst@redhat.com> +X-Patchwork-Id: 334291 +Message-Id: <1395917517-30937-1-git-send-email-mst@redhat.com> +To: linux-kernel@vger.kernel.org +Cc: kvm@vger.kernel.org, virtio-dev@lists.oasis-open.org, + virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, + David Miller <davem@davemloft.net>, Jason Wang <jasowang@redhat.com> +Date: Thu, 27 Mar 2014 12:53:37 +0200 + +vhost fails to validate negative error code +from vhost_get_vq_desc causing +a crash: we are using -EFAULT which is 0xfffffff2 +as vector size, which exceeds the allocated size. + +The code in question was introduced in commit +8dd014adfea6f173c1ef6378f7e5e7924866c923 + vhost-net: mergeable buffers support + +CVE-2014-0055 + +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +--- +This is needed in -stable. + + drivers/vhost/net.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index 026be58..e1e22e0 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -505,9 +505,13 @@ static int get_rx_bufs(struct vhost_virtqueue *vq, + r = -ENOBUFS; + goto err; + } +- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, ++ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, + ARRAY_SIZE(vq->iov) - seg, &out, + &in, log, log_num); ++ if (unlikely(r < 0)) ++ goto err; ++ ++ d = r; + if (d == vq->num) { + r = 0; + goto err; |