[kernel] r14543 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Nov 4 16:54:46 UTC 2009
Author: dannf
Date: Wed Nov 4 16:54:45 2009
New Revision: 14543
Log:
KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/19lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Nov 4 16:29:33 2009 (r14542)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Nov 4 16:54:45 2009 (r14543)
@@ -7,6 +7,7 @@
(CVE-2009-3620)
* AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
* fs: pipe.c null pointer dereference (CVE-2009-3547)
+ * KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638)
-- dann frazier <dannf at debian.org> Tue, 27 Oct 2009 21:33:02 -0600
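Review bot: the trailer line under the new CVE-2009-3638 entry still reads Tue, 27 Oct 2009, while this revision is dated Wed Nov 4 2009. If this changelog stanza has not been uploaded yet, refresh the trailer timestamp before release so it reflects the last change to the entry list.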
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch Wed Nov 4 16:54:45 2009 (r14543)
@@ -0,0 +1,26 @@
+commit 6a54435560efdab1a08f429a954df4d6c740bddf
+Author: Avi Kivity <avi at redhat.com>
+Date: Sun Oct 4 16:45:13 2009 +0200
+
+ KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID
+
+ The number of entries is multiplied by the entry size, which can
+ overflow on 32-bit hosts. Bound the entry count instead.
+
+ Reported-by: David Wagner <daw at cs.berkeley.edu>
+ Cc: stable at kernel.org
+ Signed-off-by: Avi Kivity <avi at redhat.com>
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index be451ee..9b96953 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1591,6 +1591,8 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
+
+ if (cpuid->nent < 1)
+ goto out;
++ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
++ cpuid->nent = KVM_MAX_CPUID_ENTRIES;
+ r = -ENOMEM;
+ cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
+ if (!cpuid_entries)
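Review bot: the clamp added just before the vmalloc() call in kvm_dev_ioctl_get_supported_cpuid silently rewrites cpuid->nent to KVM_MAX_CPUID_ENTRIES instead of rejecting the request, so a caller that passed a larger count gets no indication at this point that it was truncated. That matches the commit message ("Bound the entry count instead"), but a one-line comment at the check would help, stating that the truncation is intentional and that the bound exists to keep `sizeof(struct kvm_cpuid_entry2) * cpuid->nent` from wrapping on 32-bit hosts. The fix also depends on KVM_MAX_CPUID_ENTRIES being small enough that the product fits; its value is not visible in this hunk, so confirm it against the definition in the tree this backport is applied to.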
Modified: dists/lenny-security/linux-2.6/debian/patches/series/19lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/19lenny2 Wed Nov 4 16:29:33 2009 (r14542)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny2 Wed Nov 4 16:54:45 2009 (r14543)
@@ -4,3 +4,4 @@
+ bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch
+ bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
+ bugfix/all/fs-pipe-null-pointer-dereference.patch
++ bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch