summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--gitrev2
-rw-r--r--kernel.spec11
-rw-r--r--kvm-fix-page-struct-leak-in-handle_vmon.patch49
-rw-r--r--sources1
4 files changed, 57 insertions, 6 deletions
diff --git a/gitrev b/gitrev
index add76466d..ceb80fb31 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-566cf877a1fcb6d6dc0126b076aad062054c2637
+f1774f46d49f806614d81854321ee9e5138135e5
diff --git a/kernel.spec b/kernel.spec
index 5a01c4f3c..6bee6c87f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 2
+%global baserelease 1
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -69,7 +69,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 6
# The git snapshot level
-%define gitrev 0
+%define gitrev 1
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@@ -596,7 +596,7 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
# See http://lists.infradead.org/pipermail/linux-arm-kernel/2016-October/461597.html
Patch853: 0001-Work-around-for-gcc7-and-arm64.patch
-# CVE-2017-2596 rhbz 1417812 1417813
+#CVE-2017-2596 rhbz 1417812 1417813
Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
# END OF PATCH DEFINITIONS
@@ -2169,9 +2169,10 @@ fi
#
#
%changelog
-* Tue Jan 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git0.2
+* Tue Jan 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git1.1
+- Linux v4.10-rc6-24-gf1774f4
- Reenable debugging options.
-- Fix kvm nested virt CVE-2017-2596 rhbz (1417812 1417813)
+- Fix kvm nested virt CVE-2017-2596 (rhbz 1417812 1417813)
* Mon Jan 30 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git0.1
- Linux v4.10-rc6
diff --git a/kvm-fix-page-struct-leak-in-handle_vmon.patch b/kvm-fix-page-struct-leak-in-handle_vmon.patch
new file mode 100644
index 000000000..b29bcea03
--- /dev/null
+++ b/kvm-fix-page-struct-leak-in-handle_vmon.patch
@@ -0,0 +1,49 @@
+From patchwork Tue Jan 24 10:56:21 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: kvm: fix page struct leak in handle_vmon
+From: Paolo Bonzini <pbonzini@redhat.com>
+X-Patchwork-Id: 9534885
+Message-Id: <1485255381-18069-1-git-send-email-pbonzini@redhat.com>
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: dvyukov@google.com
+Date: Tue, 24 Jan 2017 11:56:21 +0100
+
+handle_vmon gets a reference on VMXON region page,
+but does not release it. Release the reference.
+
+Found by syzkaller; based on a patch by Dmitry.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+---
+ arch/x86/kvm/vmx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 42cc3d6f4d20..0f7345035210 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
+ }
+
+ page = nested_get_page(vcpu, vmptr);
+- if (page == NULL ||
+- *(u32 *)kmap(page) != VMCS12_REVISION) {
++ if (page == NULL) {
+ nested_vmx_failInvalid(vcpu);
++ return kvm_skip_emulated_instruction(vcpu);
++ }
++ if (*(u32 *)kmap(page) != VMCS12_REVISION) {
+ kunmap(page);
++ nested_release_page_clean(page);
++ nested_vmx_failInvalid(vcpu);
+ return kvm_skip_emulated_instruction(vcpu);
+ }
+ kunmap(page);
++ nested_release_page_clean(page);
+ vmx->nested.vmxon_ptr = vmptr;
+ break;
+ case EXIT_REASON_VMCLEAR:
diff --git a/sources b/sources
index 103528e23..87d1948c3 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
SHA512 (patch-4.10-rc6.xz) = eb6dfcdcb427d198d955b6c2146abd5c6a74d01ab10855d713f33b9c87df05f20f2688cb354d5881dfb82ebdcf4ecac37b36956ff3645977f967f021b52ad507
+SHA512 (patch-4.10-rc6-git1.xz) = 78244cdca47da41b35ddf6d8573e4ce4c6a42af9ec99a3bb9b725fe9934b4880de3d29500ba99a471d86eb78f8c1587a98013998140381c9885cc11016a294da