diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-08-20 09:00:59 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-08-20 09:00:59 -0500 |
commit | fc841cf8d3331bce61e5ee6fac3a0a9c2d38f33d (patch) | |
tree | 358b0408db9c8dedd875201f92bed72735ac3680 /xsa270.patch | |
parent | 1b0fe53452bc2c400333747a60d73642a110d897 (diff) | |
download | kernel-fc841cf8d3331bce61e5ee6fac3a0a9c2d38f33d.tar.gz kernel-fc841cf8d3331bce61e5ee6fac3a0a9c2d38f33d.tar.xz kernel-fc841cf8d3331bce61e5ee6fac3a0a9c2d38f33d.zip |
Fix CVE-2018-15471 (rhbz 1610555 1618414)
Diffstat (limited to 'xsa270.patch')
-rw-r--r-- | xsa270.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/xsa270.patch b/xsa270.patch new file mode 100644 index 000000000..867896f9d --- /dev/null +++ b/xsa270.patch @@ -0,0 +1,55 @@ +From: Jan Beulich <jbeulich@suse.com> +Subject: xen-netback: fix input validation in xenvif_set_hash_mapping() + +Both len and off are frontend specified values, so we need to make +sure there's no overflow when adding the two for the bounds check. We +also want to avoid undefined behavior and hence use off to index into +->hash.mapping[] only after bounds checking. This at the same time +allows to take care of not applying off twice for the bounds checking +against vif->num_queues. + +It is also insufficient to bounds check copy_op.len, as this is len +truncated to 16 bits. + +This is XSA-270. + +Reported-by: Felix Wilhelm <fwilhelm@google.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Paul Durrant <paul.durrant@citrix.com> +Tested-by: Paul Durrant <paul.durrant@citrix.com> +--- +The bounds checking against vif->num_queues also occurs too early afaict +(it should be done after the grant copy). I have patches ready as public +follow-ups for both this and the (at least latent) issue of the mapping +array crossing a page boundary. + +--- a/drivers/net/xen-netback/hash.c ++++ b/drivers/net/xen-netback/hash.c +@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct + u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, + u32 off) + { +- u32 *mapping = &vif->hash.mapping[off]; ++ u32 *mapping = vif->hash.mapping; + struct gnttab_copy copy_op = { + .source.u.ref = gref, + .source.domid = vif->domid, +- .dest.u.gmfn = virt_to_gfn(mapping), + .dest.domid = DOMID_SELF, +- .dest.offset = xen_offset_in_page(mapping), +- .len = len * sizeof(u32), ++ .len = len * sizeof(*mapping), + .flags = GNTCOPY_source_gref + }; + +- if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE) ++ if ((off + len < off) || (off + len > vif->hash.size) || ++ len > XEN_PAGE_SIZE / sizeof(*mapping)) + return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; + ++ copy_op.dest.u.gmfn = virt_to_gfn(mapping + off); ++ copy_op.dest.offset = xen_offset_in_page(mapping + off); ++ + while (len-- != 0) + if (mapping[off++] >= vif->num_queues) + return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; |