diff options
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 11 | ||||
-rw-r--r-- | kvm-fix-page-struct-leak-in-handle_vmon.patch | 49 | ||||
-rw-r--r-- | sources | 1 |
4 files changed, 57 insertions, 6 deletions
@@ -1 +1 @@ -566cf877a1fcb6d6dc0126b076aad062054c2637 +f1774f46d49f806614d81854321ee9e5138135e5 diff --git a/kernel.spec b/kernel.spec index 5a01c4f3c..6bee6c87f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 6 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -596,7 +596,7 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch # See http://lists.infradead.org/pipermail/linux-arm-kernel/2016-October/461597.html Patch853: 0001-Work-around-for-gcc7-and-arm64.patch -# CVE-2017-2596 rhbz 1417812 1417813 +#CVE-2017-2596 rhbz 1417812 1417813 Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch # END OF PATCH DEFINITIONS @@ -2169,9 +2169,10 @@ fi # # %changelog -* Tue Jan 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git0.2 +* Tue Jan 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git1.1 +- Linux v4.10-rc6-24-gf1774f4 - Reenable debugging options. -- Fix kvm nested virt CVE-2017-2596 rhbz (1417812 1417813) +- Fix kvm nested virt CVE-2017-2596 (rhbz 1417812 1417813) * Mon Jan 30 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git0.1 - Linux v4.10-rc6 diff --git a/kvm-fix-page-struct-leak-in-handle_vmon.patch b/kvm-fix-page-struct-leak-in-handle_vmon.patch new file mode 100644 index 000000000..b29bcea03 --- /dev/null +++ b/kvm-fix-page-struct-leak-in-handle_vmon.patch @@ -0,0 +1,49 @@ +From patchwork Tue Jan 24 10:56:21 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: kvm: fix page struct leak in handle_vmon +From: Paolo Bonzini <pbonzini@redhat.com> +X-Patchwork-Id: 9534885 +Message-Id: <1485255381-18069-1-git-send-email-pbonzini@redhat.com> +To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org +Cc: dvyukov@google.com +Date: Tue, 24 Jan 2017 11:56:21 +0100 + +handle_vmon gets a reference on VMXON region page, +but does not release it. Release the reference. + +Found by syzkaller; based on a patch by Dmitry. + +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Reviewed-by: David Hildenbrand <david@redhat.com> +--- + arch/x86/kvm/vmx.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 42cc3d6f4d20..0f7345035210 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason, + } + + page = nested_get_page(vcpu, vmptr); +- if (page == NULL || +- *(u32 *)kmap(page) != VMCS12_REVISION) { ++ if (page == NULL) { + nested_vmx_failInvalid(vcpu); ++ return kvm_skip_emulated_instruction(vcpu); ++ } ++ if (*(u32 *)kmap(page) != VMCS12_REVISION) { + kunmap(page); ++ nested_release_page_clean(page); ++ nested_vmx_failInvalid(vcpu); + return kvm_skip_emulated_instruction(vcpu); + } + kunmap(page); ++ nested_release_page_clean(page); + vmx->nested.vmxon_ptr = vmptr; + break; + case EXIT_REASON_VMCLEAR: @@ -1,3 +1,4 @@ SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99 SHA512 (patch-4.10-rc6.xz) = eb6dfcdcb427d198d955b6c2146abd5c6a74d01ab10855d713f33b9c87df05f20f2688cb354d5881dfb82ebdcf4ecac37b36956ff3645977f967f021b52ad507 +SHA512 (patch-4.10-rc6-git1.xz) = 78244cdca47da41b35ddf6d8573e4ce4c6a42af9ec99a3bb9b725fe9934b4880de3d29500ba99a471d86eb78f8c1587a98013998140381c9885cc11016a294da |