From df15d2b71a4373c57da73a58848ef607d25611a1 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Tue, 4 Jun 2019 11:15:33 -0500
Subject: Linux v5.2-rc3-24-g788a024921c4
---
 gitrev | 2 +-
 kernel.spec | 11 +-
 net-vhost_net-fix-possible-infinite-loop.patch | 200 -------------------------
 sources | 1 +
 4 files changed, 8 insertions(+), 206 deletions(-)
 delete mode 100644 net-vhost_net-fix-possible-infinite-loop.patch
diff --git a/gitrev b/gitrev
index 0725ee7fd..6c288f164 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-f2c7c76c5d0a443053e94adb9f0918fa2fb85c3a
+788a024921c48985939f8241c1ff862a7374d8f9
diff --git a/kernel.spec b/kernel.spec
index 0be5c763d..946964cd8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 3
 # The git snapshot level
-%define gitrev 0
+%define gitrev 1
 # Set rpm version accordingly
 %define rpmversion 5.%{upstream_sublevel}.0
 %endif
@@ -122,7 +122,7 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 1 for production (build separate debug kernels)
 # and 0 for rawhide (all kernels are debug kernels).
 # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
 # Kernel headers are being split out into a separate package
 %if 0%{?fedora}
@@ -572,9 +572,6 @@ Patch507: 0001-Drop-that-for-now.patch
 # Submitted upstream at https://lkml.org/lkml/2019/4/23/89
 Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
-# CVE-2019-3900 rhbz 1698757 1702940
-Patch524: net-vhost_net-fix-possible-infinite-loop.patch
-
 # build fix
 Patch527: v2-powerpc-mm-mark-more-tlb-functions-as-__always_inline.patch
@@ -1818,6 +1815,10 @@ fi
 #
 #
 %changelog
+* Tue Jun 04 2019 Justin M. Forbes - 5.2.0-0.rc3.git1.1
+- Linux v5.2-rc3-24-g788a024921c4
+- Reenable debugging options.
+
 * Mon Jun 03 2019 Justin M. Forbes - 5.2.0-0.rc3.git0.1
 - Linux v5.2-rc3
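Review bot: The removal of the CVE-2019-3900 backport (`Patch524`, tracked as rhbz 1698757 and 1702940) in the `@@ -572,9 +572,6 @@` hunk is not recorded anywhere in the new changelog entry, which mentions only the snapshot bump and the debug-option change, so the disappearance of a guest-triggerable DoS mitigation is left unexplained in the package history. Presumably the fix is carried by the v5.2-rc3-24-g788a024921c4 snapshot, but nothing in the commit states that, and if the snapshot did not yet contain the upstream change the vhost_net infinite loop would come back silently with the next build. I would confirm that the upstream `vhost_net: fix possible infinite loop` commit is reachable from 788a024921c4 and add a changelog line such as `- Drop net-vhost_net-fix-possible-infinite-loop.patch, CVE-2019-3900 fix is now upstream (rhbz 1698757 1702940)` so the drop is auditable from the spec alone.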
diff --git a/net-vhost_net-fix-possible-infinite-loop.patch b/net-vhost_net-fix-possible-infinite-loop.patch
deleted file mode 100644
index f45d84bb2..000000000
--- a/net-vhost_net-fix-possible-infinite-loop.patch
+++ /dev/null
@@ -1,200 +0,0 @@ -From patchwork Thu Apr 25 07:33:19 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Jason Wang -X-Patchwork-Id: 10916185 -Return-Path: -Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org - [172.30.200.125]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E4F501575 - for ; - Thu, 25 Apr 2019 07:33:33 +0000 (UTC) -Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) - by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D276828BD7 - for ; - Thu, 25 Apr 2019 07:33:33 +0000 (UTC) -Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) - id C64AC28BE1; Thu, 25 Apr 2019 07:33:33 +0000 (UTC) -X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on - pdx-wl-mail.web.codeaurora.org -X-Spam-Level: -X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, - RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 590B228BD7 - for ; - Thu, 25 Apr 2019 07:33:33 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1726957AbfDYHd1 (ORCPT - ); - Thu, 25 Apr 2019 03:33:27 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:60130 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1726317AbfDYHd1 (ORCPT ); - Thu, 25 Apr 2019 03:33:27 -0400 -Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com - [10.5.11.22]) - (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) - (No client certificate requested) - by mx1.redhat.com (Postfix) with ESMTPS id C2BCE3002619; - Thu, 25 Apr 2019 07:33:26 +0000 (UTC) -Received: from hp-dl380pg8-02.lab.eng.pek2.redhat.com - (hp-dl380pg8-02.lab.eng.pek2.redhat.com [10.73.8.12]) - by smtp.corp.redhat.com (Postfix) with ESMTP id 5DA021001DDB; - Thu, 25 Apr 
2019 07:33:21 +0000 (UTC) -From: Jason Wang -To: mst@redhat.com, jasowang@redhat.com, kvm@vger.kernel.org, - virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, - linux-kernel@vger.kernel.org -Cc: ppandit@redhat.com -Subject: [PATCH net] vhost_net: fix possible infinite loop -Date: Thu, 25 Apr 2019 03:33:19 -0400 -Message-Id: <1556177599-56248-1-git-send-email-jasowang@redhat.com> -X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 -X-Greylist: Sender IP whitelisted, - not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); - Thu, 25 Apr 2019 07:33:26 +0000 (UTC) -Sender: kvm-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: kvm@vger.kernel.org -X-Virus-Scanned: ClamAV using ClamSMTP - -When the rx buffer is too small for a packet, we will discard the vq -descriptor and retry it for the next packet: - -while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk, - &busyloop_intr))) { -... - /* On overrun, truncate and discard */ - if (unlikely(headcount > UIO_MAXIOV)) { - iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); - err = sock->ops->recvmsg(sock, &msg, - 1, MSG_DONTWAIT | MSG_TRUNC); - pr_debug("Discarded rx packet: len %zd\n", sock_len); - continue; - } -... -} - -This makes it possible to trigger a infinite while..continue loop -through the co-opreation of two VMs like: - -1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the - vhost process as much as possible e.g using indirect descriptors or - other. -2) Malicious VM2 generate packets to VM1 as fast as possible - -Fixing this by checking against weight at the end of RX and TX -loop. This also eliminate other similar cases when: - -- userspace is consuming the packets in the meanwhile -- theoretical TOCTOU attack if guest moving avail index back and forth - to hit the continue after vhost find guest just add new buffers - -This addresses CVE-2019-3900. 
- -Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short") -Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") -Signed-off-by: Jason Wang ---- - drivers/vhost/net.c | 41 +++++++++++++++++++++-------------------- - 1 file changed, 21 insertions(+), 20 deletions(-) - -diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c -index df51a35..fb46e6b 100644 ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -778,8 +778,9 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) - int err; - int sent_pkts = 0; - bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX); -+ bool next_round = false; - -- for (;;) { -+ do { - bool busyloop_intr = false; - - if (nvq->done_idx == VHOST_NET_BATCH) -@@ -845,11 +846,10 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) - vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head); - vq->heads[nvq->done_idx].len = 0; - ++nvq->done_idx; -- if (vhost_exceeds_weight(++sent_pkts, total_len)) { -- vhost_poll_queue(&vq->poll); -- break; -- } -- } -+ } while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len))); -+ -+ if (next_round) -+ vhost_poll_queue(&vq->poll); - - vhost_tx_batch(net, nvq, sock, &msg); - } -@@ -873,8 +873,9 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) - struct vhost_net_ubuf_ref *uninitialized_var(ubufs); - bool zcopy_used; - int sent_pkts = 0; -+ bool next_round = false; - -- for (;;) { -+ do { - bool busyloop_intr; - - /* Release DMAs done buffers first */ -@@ -951,11 +952,10 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) - else - vhost_zerocopy_signal_used(net, vq); - vhost_net_tx_packet(net); -- if (unlikely(vhost_exceeds_weight(++sent_pkts, total_len))) { -- vhost_poll_queue(&vq->poll); -- break; -- } -- } -+ } while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len))); -+ -+ if (next_round) -+ vhost_poll_queue(&vq->poll); - } - - /* Expects to be always run 
from workqueue - which acts as
-@@ -1134,6 +1134,7 @@ static void handle_rx(struct vhost_net *net)
- struct iov_iter fixup;
- __virtio16 num_buffers;
- int recv_pkts = 0;
-+ bool next_round = false;
-
- mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);
- sock = vq->private_data;
-@@ -1153,8 +1154,11 @@ static void handle_rx(struct vhost_net *net)
- vq->log : NULL;
- mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
-
-- while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
-- &busyloop_intr))) {
-+ do {
-+ sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
-+ &busyloop_intr);
-+ if (!sock_len)
-+ break;
- sock_len += sock_hlen;
- vhost_len = sock_len + vhost_hlen;
- headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
-@@ -1239,12 +1243,9 @@ static void handle_rx(struct vhost_net *net)
- vhost_log_write(vq, vq_log, log, vhost_len,
- vq->iov, in);
- total_len += vhost_len;
-- if (unlikely(vhost_exceeds_weight(++recv_pkts, total_len))) {
-- vhost_poll_queue(&vq->poll);
-- goto out;
-- }
-- }
-- if (unlikely(busyloop_intr))
-+ } while (!(next_round = vhost_exceeds_weight(++recv_pkts, total_len)));
-+
-+ if (unlikely(busyloop_intr || next_round))
- vhost_poll_queue(&vq->poll);
- else
- vhost_net_enable_vq(net, vq);
diff --git a/sources b/sources
index 087b775c4..6e58a0626 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
 SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236
 SHA512 (patch-5.2-rc3.xz) = 0d412178769defc6f4da5bba057a0e4f1330b2d87fd08b8554598d8cd802c1edbc68d58acf5af1c2d4777609feb25aee1963d7154572ec4b2a30ca36b9d07adc
+SHA512 (patch-5.2-rc3-git1.xz) = ebedd563211cc20d7afe3919123580f92af21abaa1c49b5f8c96154bb68ebbec115b107977b7d613e4fb2db04c33b2be029e55730ce81e7dfe4a6707037d720d
-- cgit