From 3fd5815625bef048d0f06672e54b985f0e23a70f Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 3 Apr 2019 08:27:40 -0500 Subject: Fix CVE-2019-3882 (rhbz 1689426 1695571) --- kernel.spec | 6 + vfio-type1-limit-dma-mappings-per-container.patch | 130 ++++++++++++++++++++++ 2 files changed, 136 insertions(+) create mode 100644 vfio-type1-limit-dma-mappings-per-container.patch diff --git a/kernel.spec b/kernel.spec index 8d2c03cbf..383d4fde4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -622,6 +622,9 @@ Patch515: nfsv4.1-avoid-false-retries.patch # CVE-2019-9857 rhbz 1694758 1694759 Patch516: 0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch +# CVE-2019-3882 rhbz 1689426 1695571 +Patch517: vfio-type1-limit-dma-mappings-per-container.patch + # END OF PATCH DEFINITIONS %endif @@ -1909,6 +1912,9 @@ fi # # %changelog +* Wed Apr 03 2019 Justin M. Forbes +- Fix CVE-2019-3882 (rhbz 1689426 1695571) + * Mon Apr 01 2019 Justin M. Forbes - Fix CVE-2019-9857 (rhbz 1694758 1694759) diff --git a/vfio-type1-limit-dma-mappings-per-container.patch b/vfio-type1-limit-dma-mappings-per-container.patch new file mode 100644 index 000000000..da814fa0e --- /dev/null +++ b/vfio-type1-limit-dma-mappings-per-container.patch 
@@ -0,0 +1,130 @@
+From mboxrd@z Thu Jan 1 00:00:00 1970
+Return-Path:
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+ aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-7.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
+ INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS autolearn=ham
+ autolearn_force=no version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+ by smtp.lore.kernel.org (Postfix) with ESMTP id 5BCBAC43381
+ for ; Mon, 1 Apr 2019 20:16:59 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.kernel.org (Postfix) with ESMTP id 31C4F20896
+ for ; Mon, 1 Apr 2019 20:16:59 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1726867AbfDAUQ5 (ORCPT
+ );
+ Mon, 1 Apr 2019 16:16:57 -0400
+Received: from mx1.redhat.com ([209.132.183.28]:52924 "EHLO mx1.redhat.com"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1726284AbfDAUQ5 (ORCPT );
+ Mon, 1 Apr 2019 16:16:57 -0400
+Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22])
+ (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
+ (No client certificate requested)
+ by mx1.redhat.com (Postfix) with ESMTPS id 6BC20307D933;
+ Mon, 1 Apr 2019 20:16:57 +0000 (UTC)
+Received: from gimli.home (ovpn-116-99.phx2.redhat.com [10.3.116.99])
+ by smtp.corp.redhat.com (Postfix) with ESMTP id AF2DC104C53F;
+ Mon, 1 Apr 2019 20:16:52 +0000 (UTC)
+Subject: [PATCH] vfio/type1: Limit DMA mappings per container
+From: Alex Williamson
+To: alex.williamson@redhat.com
+Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
+ eric.auger@redhat.com, cohuck@redhat.com
+Date: Mon, 01 Apr 2019 14:16:52 -0600
+Message-ID: <155414977872.12780.13728555131525362206.stgit@gimli.home>
+User-Agent: StGit/0.19-dirty
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+X-Scanned-By:
MIMEDefang 2.84 on 10.5.11.22
+X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Mon, 01 Apr 2019 20:16:57 +0000 (UTC)
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID:
+X-Mailing-List: linux-kernel@vger.kernel.org
+Archived-At:
+List-Archive:
+List-Post:
+
+Memory backed DMA mappings are accounted against a user's locked
+memory limit, including multiple mappings of the same memory. This
+accounting bounds the number of such mappings that a user can create.
+However, DMA mappings that are not backed by memory, such as DMA
+mappings of device MMIO via mmaps, do not make use of page pinning
+and therefore do not count against the user's locked memory limit.
+These mappings still consume memory, but the memory is not well
+associated to the process for the purpose of oom killing a task.
+
+To add bounding on this use case, we introduce a limit to the total
+number of concurrent DMA mappings that a user is allowed to create.
+This limit is exposed as a tunable module option where the default
+value of 64K is expected to be well in excess of any reasonable use
+case (a large virtual machine configuration would typically only make
+use of tens of concurrent mappings).
+
+This fixes CVE-2019-3882.
+
+Signed-off-by: Alex Williamson
+---
+ drivers/vfio/vfio_iommu_type1.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 73652e21efec..7fc8fd7d4dc7 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -58,12 +58,18 @@ module_param_named(disable_hugepages,
+ MODULE_PARM_DESC(disable_hugepages,
+ "Disable VFIO IOMMU support for IOMMU hugepages.");
+
++static int dma_entry_limit __read_mostly = U16_MAX;
++module_param_named(dma_entry_limit, dma_entry_limit, int, 0644);
++MODULE_PARM_DESC(dma_entry_limit,
++ "Maximum number of user DMA mappings per container (65535).");
++
+ struct vfio_iommu {
+ struct list_head domain_list;
+ struct vfio_domain *external_domain; /* domain for external user */
+ struct mutex lock;
+ struct rb_root dma_list;
+ struct blocking_notifier_head notifier;
++ atomic_t dma_avail;
+ bool v2;
+ bool nesting;
+ };
+@@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
+ vfio_unlink_dma(iommu, dma);
+ put_task_struct(dma->task);
+ kfree(dma);
++ atomic_inc(&iommu->dma_avail);
+ }
+
+ static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu)
+@@ -1081,8 +1088,14 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
+ goto out_unlock;
+ }
+
++ if (!atomic_add_unless(&iommu->dma_avail, -1, 0)) {
++ ret = -ENOSPC;
++ goto out_unlock;
++ }
++
+ dma = kzalloc(sizeof(*dma), GFP_KERNEL);
+ if (!dma) {
++ atomic_inc(&iommu->dma_avail);
+ ret = -ENOMEM;
+ goto out_unlock;
+ }
+@@ -1583,6 +1596,7 @@ static void *vfio_iommu_type1_open(unsigned long arg)
+
+ INIT_LIST_HEAD(&iommu->domain_list);
+ iommu->dma_list = RB_ROOT;
++ atomic_set(&iommu->dma_avail, dma_entry_limit);
+ mutex_init(&iommu->lock);
+ BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);
+
+
+
-- cgit
From b1a75b2c48528c10847234b8765e8ce093653cc2 Mon Sep 17 00:00:00 2001
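Review bot: `dma_entry_limit` is a signed `int` that `vfio_iommu_type1_open()` copies unchecked into `dma_avail`, so a zero or negative setting changes what the guard in `vfio_dma_do_map()` means: from a negative start value `atomic_add_unless(&iommu->dma_avail, -1, 0)` keeps succeeding, which effectively switches off the per-container bound this patch adds for CVE-2019-3882, while 0 refuses every mapping. Declaring it unsigned, `static unsigned int dma_entry_limit __read_mostly = U16_MAX;` with `module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644);`, and clamping the value to `INT_MAX` before the `atomic_set()` would keep the counter from ever starting below zero. In the visible lines the parameter is read only at open time, so a comment such as `/* sampled once per container at open; later writes to the parameter affect new containers only */` above the `atomic_set()` would help whoever tunes it at runtime. The bodies of `vfio_dma_do_map()` and `vfio_iommu_type1_open()` continue outside these hunks, so whether every later failure path returns the slot it took cannot be confirmed from here.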
From: Laura Abbott Date: Wed, 3 Apr 2019 07:23:28 -0700 Subject: Linux v5.0.6 --- kernel.spec | 5 ++++- sources | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index 383d4fde4..450d6a9e4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -1912,6 +1912,9 @@ fi # # %changelog +* Wed Apr 03 2019 Laura Abbott - 5.0.6-100 +- Linux v5.0.6 + * Wed Apr 03 2019 Justin M. Forbes - Fix CVE-2019-3882 (rhbz 1689426 1695571) diff --git a/sources b/sources index 301a1b068..de4c9e9c7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-5.0.tar.xz) = 3fbab70c7b03b1a10e9fa14d1e2e1f550faba4f5792b7699ca006951da74ab86e7d7f19c6a67849ab99343186e7d6f2752cd910d76222213b93c1eab90abf1b0 -SHA512 (patch-5.0.5.xz) = 97e22c7c88b57c14bcd4baa11794b502a17ef4affd0caaadd4d694f11ffa99edb938b7dfaaa760dc3bfef13de7b6f612b4090d04b65cd2101b0f90058b0d56bd +SHA512 (patch-5.0.6.xz) = 01375634c3d670b64d8e920176378d61a47e48571a37964c56abec8c0f80c791b75551eef137b05c5c647436cf63e692fe30391b5da14daeb8f5af39c12dcbfd -- cgit