diff options
-rw-r--r-- | KVM-MTRR-remove-MSR-0x2f8.patch | 49 | ||||
-rw-r--r-- | kernel.spec | 28 | ||||
-rw-r--r-- | kvm-vmx-more-complete-state-update-on-APICv-on-off.patch | 112 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | sp5100_tco-properly-check-for-new-register-layouts.patch | 75 | ||||
-rw-r--r-- | tipc-check-nl-sock-before-parsing-nested-attributes.patch | 36 |
6 files changed, 167 insertions, 135 deletions
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch deleted file mode 100644 index 8066b2e8f..000000000 --- a/KVM-MTRR-remove-MSR-0x2f8.patch +++ /dev/null @@ -1,49 +0,0 @@ -From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> -Date: Mon, 16 May 2016 09:45:35 -0400 -Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support -was introduced by 9ba075a664df ("KVM: MTRR support"). - -0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the -size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, -which made access to index 124 out of bounds. The surrounding code only -WARNs in this situation, thus the guest gained a limited read/write -access to struct kvm_arch_vcpu. - -0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR -MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 -was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was -not implemented in KVM, therefore 0x2f8 could never do anything useful -and getting rid of it is safe. - -This fixes CVE-2016-TBD. - -Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") -Cc: stable@vger.kernel.org -Reported-by: David Matlack <dmatlack@google.com> -Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> ---- - arch/x86/kvm/mtrr.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c -index 3f8c732117ec..c146f3c262c3 100644 ---- a/arch/x86/kvm/mtrr.c -+++ b/arch/x86/kvm/mtrr.c -@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr) - case MSR_MTRRdefType: - case MSR_IA32_CR_PAT: - return true; -- case 0x2f8: -- return true; - } - return false; - } --- -2.5.5 - diff --git a/kernel.spec b/kernel.spec index 46b0a1da1..ea69f8061 100644 --- a/kernel.spec +++ b/kernel.spec @@ -60,7 +60,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -663,9 +663,6 @@ Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch -#rhbz 1328633 -Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch - #CVE-2016-4569 rhbz 1334643 1334645 Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch @@ -674,8 +671,11 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch #CVE-2016-0758 rhbz 1300257 1335386 Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch -#CVE-2016-3713 rhbz 1332139 1336410 -Patch718: KVM-MTRR-remove-MSR-0x2f8.patch +#CVE-2016-4440 rhbz 1337806 1337807 +Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch + +#CVE-2016-4951 rhbz 1338625 1338626 +Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch # END OF PATCH DEFINITIONS @@ -751,7 +751,6 @@ files combining both kernel and initial ramdisk. %package debuginfo-common-%{_target_cpu} Summary: Kernel source files used by %{name}-debuginfo packages Group: Development/Debug -Provides: installonlypkg(kernel) %description debuginfo-common-%{_target_cpu} This package is required by %{name}-debuginfo subpackages. It provides the kernel source files common to all builds. @@ -868,7 +867,6 @@ Summary: Debug information for package %{name}%{?1:-%{1}}\ Group: Development/Debug\ Requires: %{name}-debuginfo-common-%{_target_cpu} = %{version}-%{release}\ Provides: %{name}%{?1:-%{1}}-debuginfo-%{_target_cpu} = %{version}-%{release}\ -Provides: installonlypkg(kernel)\ AutoReqProv: no\ %description %{?1:%{1}-}debuginfo\ This package provides debug information for package %{name}%{?1:-%{1}}.\ @@ -948,7 +946,6 @@ summary: kernel meta-package for the %{1} kernel\ group: system environment/kernel\ Requires: kernel-%{1}-core-uname-r = %{KVERREL}%{?variant}+%{1}\ Requires: kernel-%{1}-modules-uname-r = %{KVERREL}%{?variant}+%{1}\ -Provides: installonlypkg(kernel)\ %description %{1}\ The meta-package for the %{1} kernel\ %{nil} @@ -963,7 +960,6 @@ The meta-package for the %{1} kernel\ Summary: %{variant_summary}\ Group: System Environment/Kernel\ Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ -Provides: installonlypkg(kernel)\ %{expand:%%kernel_reqprovconf}\ %if %{?1:1} %{!?1:0} \ %{expand:%%kernel_meta_package %{?1:%{1}}}\ @@ -2201,6 +2197,18 @@ fi # # %changelog +* Wed Jun 01 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.6-200 +- Linux v4.5.6 + +* Mon May 23 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4951 null ptr deref in tipc_nl_publ_dump (rhbz 1338625 1338626) + +* Fri May 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.5-201 +- Remove the installonly additions until dnf can handle the transition + +* Fri May 20 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807) + * Thu May 19 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.5.5-200 - Linux v4.5.5 - CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529) diff --git a/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch b/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch new file mode 100644 index 000000000..67043300c --- /dev/null +++ b/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch @@ -0,0 +1,112 @@ +From: Roman Kagan <rkagan@virtuozzo.com> +Subject: [PATCH v3] kvm:vmx: more complete state update on APICv on/off +Date: 2016-05-18 14:48:20 GMT (1 day, 21 hours and 23 minutes ago) + +The function to update APICv on/off state (in particular, to deactivate +it when enabling Hyper-V SynIC), used to be incomplete: it didn't adjust +APICv-related fields among secondary processor-based VM-execution +controls. + +As a result, Windows 2012 guests would get stuck when SynIC-based +auto-EOI interrupt intersected with e.g. an IPI in the guest. + +In addition, the MSR intercept bitmap wasn't updated to correspond to +whether "virtualize x2APIC mode" was enabled. This path used not to be +triggered, since Windows didn't use x2APIC but rather their own +synthetic APIC access MSRs; however it represented a security risk +because the guest running in a SynIC-enabled VM could switch to x2APIC +and thus obtain direct access to host APIC MSRs (thanks to Yang Zhang +<yang.zhang.wz@gmail.com> for spotting this). + +The patch fixes those omissions. + +Signed-off-by: Roman Kagan <rkagan@virtuozzo.com> +Cc: Steve Rutherford <srutherford@google.com> +Cc: Yang Zhang <yang.zhang.wz@gmail.com> +--- +v2 -> v3: + - only switch to x2apic msr bitmap if virtualize x2apic mode is on in vmcs + +v1 -> v2: + - only update relevant bits in the secondary exec control + - update msr intercept bitmap (also make x2apic msr bitmap always + correspond to APICv) + + arch/x86/kvm/vmx.c | 48 ++++++++++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index ee1c8a9..cef741a 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2418,7 +2418,9 @@ static void vmx_set_msr_bitmap(struct kvm_vcpu *vcpu) + + if (is_guest_mode(vcpu)) + msr_bitmap = vmx_msr_bitmap_nested; +- else if (vcpu->arch.apic_base & X2APIC_ENABLE) { ++ else if (cpu_has_secondary_exec_ctrls() && ++ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) & ++ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) { + if (is_long_mode(vcpu)) + msr_bitmap = vmx_msr_bitmap_longmode_x2apic; + else +@@ -4783,6 +4785,19 @@ static void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu) + struct vcpu_vmx *vmx = to_vmx(vcpu); + + vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, vmx_pin_based_exec_ctrl(vmx)); ++ if (cpu_has_secondary_exec_ctrls()) { ++ if (kvm_vcpu_apicv_active(vcpu)) ++ vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL, ++ SECONDARY_EXEC_APIC_REGISTER_VIRT | ++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY); ++ else ++ vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL, ++ SECONDARY_EXEC_APIC_REGISTER_VIRT | ++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY); ++ } ++ ++ if (cpu_has_vmx_msr_bitmap()) ++ vmx_set_msr_bitmap(vcpu); + } + + static u32 vmx_exec_control(struct vcpu_vmx *vmx) +@@ -6329,23 +6344,20 @@ static __init int hardware_setup(void) + + set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ + +- if (enable_apicv) { +- for (msr = 0x800; msr <= 0x8ff; msr++) +- vmx_disable_intercept_msr_read_x2apic(msr); +- +- /* According SDM, in x2apic mode, the whole id reg is used. +- * But in KVM, it only use the highest eight bits. Need to +- * intercept it */ +- vmx_enable_intercept_msr_read_x2apic(0x802); +- /* TMCCT */ +- vmx_enable_intercept_msr_read_x2apic(0x839); +- /* TPR */ +- vmx_disable_intercept_msr_write_x2apic(0x808); +- /* EOI */ +- vmx_disable_intercept_msr_write_x2apic(0x80b); +- /* SELF-IPI */ +- vmx_disable_intercept_msr_write_x2apic(0x83f); +- } ++ for (msr = 0x800; msr <= 0x8ff; msr++) ++ vmx_disable_intercept_msr_read_x2apic(msr); ++ ++ /* According SDM, in x2apic mode, the whole id reg is used. But in ++ * KVM, it only use the highest eight bits. Need to intercept it */ ++ vmx_enable_intercept_msr_read_x2apic(0x802); ++ /* TMCCT */ ++ vmx_enable_intercept_msr_read_x2apic(0x839); ++ /* TPR */ ++ vmx_disable_intercept_msr_write_x2apic(0x808); ++ /* EOI */ ++ vmx_disable_intercept_msr_write_x2apic(0x80b); ++ /* SELF-IPI */ ++ vmx_disable_intercept_msr_write_x2apic(0x83f); + + if (enable_ept) { + kvm_mmu_set_mask_ptes(0ull, +-- +2.5.5 @@ -1,3 +1,3 @@ a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz -fe89010925304f6f07713741f0c8e811 patch-4.5.5.xz +165ea1f74c34d264f11be8c25d97635b patch-4.5.6.xz diff --git a/sp5100_tco-properly-check-for-new-register-layouts.patch b/sp5100_tco-properly-check-for-new-register-layouts.patch deleted file mode 100644 index 83c86d151..000000000 --- a/sp5100_tco-properly-check-for-new-register-layouts.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 5896a59895689db447e888c1714022bbb9526ede Mon Sep 17 00:00:00 2001 -From: Lucas Stach <dev@lynxeye.de> -Date: Tue, 3 May 2016 19:15:58 +0200 -Subject: [PATCH] sp5100_tco: properly check for new register layouts - -Commits 190aa4304de6 (Add AMD Mullins platform support) and -cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the -driver on a lot more devices, but the following commit missed -a single location in the code when checking if the SB800 register -offsets should be used. This leads to the wrong register being -written which in turn causes ACPI to go haywire. - -Fix this by introducing a helper function to check for the new -register layout and use this consistently. - -https://bugzilla.kernel.org/show_bug.cgi?id=114201 -https://bugzilla.redhat.com/show_bug.cgi?id=1329910 -Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800 -and later chipsets) -Cc: stable@vger.kernel.org (4.5+) -Signed-off-by: Lucas Stach <dev@lynxeye.de> ---- - drivers/watchdog/sp5100_tco.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/watchdog/sp5100_tco.c b/drivers/watchdog/sp5100_tco.c -index 6467b91..028618c 100644 ---- a/drivers/watchdog/sp5100_tco.c -+++ b/drivers/watchdog/sp5100_tco.c -@@ -73,6 +73,13 @@ MODULE_PARM_DESC(nowayout, "Watchdog cannot be stopped once started." - /* - * Some TCO specific functions - */ -+ -+static bool tco_has_sp5100_reg_layout(struct pci_dev *dev) -+{ -+ return dev->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS && -+ dev->revision < 0x40; -+} -+ - static void tco_timer_start(void) - { - u32 val; -@@ -129,7 +136,7 @@ static void tco_timer_enable(void) - { - int val; - -- if (sp5100_tco_pci->revision >= 0x40) { -+ if (!tco_has_sp5100_reg_layout(sp5100_tco_pci)) { - /* For SB800 or later */ - /* Set the Watchdog timer resolution to 1 sec */ - outb(SB800_PM_WATCHDOG_CONFIG, SB800_IO_PM_INDEX_REG); -@@ -342,8 +349,7 @@ static unsigned char sp5100_tco_setupdevice(void) - /* - * Determine type of southbridge chipset. - */ -- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS && -- sp5100_tco_pci->revision < 0x40) { -+ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) { - dev_name = SP5100_DEVNAME; - index_reg = SP5100_IO_PM_INDEX_REG; - data_reg = SP5100_IO_PM_DATA_REG; -@@ -388,8 +394,7 @@ static unsigned char sp5100_tco_setupdevice(void) - * Secondly, Find the watchdog timer MMIO address - * from SBResource_MMIO register. - */ -- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS && -- sp5100_tco_pci->revision < 0x40) { -+ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) { - /* Read SBResource_MMIO from PCI config(PCI_Reg: 9Ch) */ - pci_read_config_dword(sp5100_tco_pci, - SP5100_SB_RESOURCE_MMIO_BASE, &val); --- -2.7.4 - diff --git a/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/tipc-check-nl-sock-before-parsing-nested-attributes.patch new file mode 100644 index 000000000..09bfe1485 --- /dev/null +++ b/tipc-check-nl-sock-before-parsing-nested-attributes.patch @@ -0,0 +1,36 @@ +From 45e093ae2830cd1264677d47ff9a95a71f5d9f9c Mon Sep 17 00:00:00 2001 +From: Richard Alpe <richard.alpe@ericsson.com> +Date: Mon, 16 May 2016 11:14:54 +0200 +Subject: [PATCH] tipc: check nl sock before parsing nested attributes + +Make sure the socket for which the user is listing publication exists +before parsing the socket netlink attributes. + +Prior to this patch a call without any socket caused a NULL pointer +dereference in tipc_nl_publ_dump(). + +Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com> +Signed-off-by: Richard Alpe <richard.alpe@ericsson.com> +Acked-by: Jon Maloy <jon.maloy@ericsson.cm> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/tipc/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 12628890c219..3b7a79991d55 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) + if (err) + return err; + ++ if (!attrs[TIPC_NLA_SOCK]) ++ return -EINVAL; ++ + err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, + attrs[TIPC_NLA_SOCK], + tipc_nl_sock_policy); +-- +2.5.5 + |