[kernel] r18465 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Sun Jan 8 10:34:05 UTC 2012

Author: dannf
Date: Sun Jan  8 10:34:04 2012
New Revision: 18465

Log:
[x86] KVM: Prevent starting PIT timers in the absence of irqchip support (CVE-2011-4622)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze3

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================

--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Jan  8 10:34:00 2012	(r18464)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Jan  8 10:34:04 2012	(r18465)
@@ -3,6 +3,8 @@
   * Restrict ioctl forwarding on partitions and logical volumes (CVE-2011-4127)
   * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
   * KEYS: Fix a NULL pointer deref in the user-defined key type (CVE-2011-4110)
+  * [x86] KVM: Prevent starting PIT timers in the absence of irqchip support
+    (CVE-2011-4622)
 
  -- dann frazier <dannf at debian.org>  Fri, 06 Jan 2012 18:46:21 -0700
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch	Sun Jan  8 10:34:04 2012	(r18465)
@@ -0,0 +1,64 @@
+commit 0924ab2cfa98b1ece26c033d696651fd62896c69
+Author: Jan Kiszka <jan.kiszka at siemens.com>
+Date:   Wed Dec 14 19:25:13 2011 +0100
+
+    KVM: x86: Prevent starting PIT timers in the absence of irqchip support
+    
+    User space may create the PIT and forgets about setting up the irqchips.
+    In that case, firing PIT IRQs will crash the host:
+    
+    BUG: unable to handle kernel NULL pointer dereference at 0000000000000128
+    IP: [<ffffffffa10f6280>] kvm_set_irq+0x30/0x170 [kvm]
+    ...
+    Call Trace:
+     [<ffffffffa11228c1>] pit_do_work+0x51/0xd0 [kvm]
+     [<ffffffff81071431>] process_one_work+0x111/0x4d0
+     [<ffffffff81071bb2>] worker_thread+0x152/0x340
+     [<ffffffff81075c8e>] kthread+0x7e/0x90
+     [<ffffffff815a4474>] kernel_thread_helper+0x4/0x10
+    
+    Prevent this by checking the irqchip mode before starting a timer. We
+    can't deny creating the PIT if the irqchips aren't set up yet as
+    current user land expects this order to work.
+    
+    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
+    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index 88ad162..7e361b4 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -277,11 +277,15 @@ static struct kvm_timer_ops kpit_ops = {
+ 	.is_periodic = kpit_is_periodic,
+ };
+ 
+-static void create_pit_timer(struct kvm_kpit_state *ps, u32 val, int is_period)
++static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
+ {
++	struct kvm_kpit_state *ps = &kvm->arch.vpit->pit_state;
+ 	struct kvm_timer *pt = &ps->pit_timer;
+ 	s64 interval;
+ 
++	if (!irqchip_in_kernel(kvm))
++		return;
++
+ 	interval = muldiv64(val, NSEC_PER_SEC, KVM_PIT_FREQ);
+ 
+ 	pr_debug("pit: create pit timer, interval is %llu nsec\n", interval);
+@@ -333,13 +337,13 @@ static void pit_load_count(struct kvm *kvm, int channel, u32 val)
+         /* FIXME: enhance mode 4 precision */
+ 	case 4:
+ 		if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)) {
+-			create_pit_timer(ps, val, 0);
++			create_pit_timer(kvm, val, 0);
+ 		}
+ 		break;
+ 	case 2:
+ 	case 3:
+ 		if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)){
+-			create_pit_timer(ps, val, 1);
++			create_pit_timer(kvm, val, 1);
+ 		}
+ 		break;
+ 	default:

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze3
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze3	Sun Jan  8 10:34:00 2012	(r18464)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze3	Sun Jan  8 10:34:04 2012	(r18465)
@@ -3,3 +3,4 @@
 + bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch
 + bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
 + bugfix/all/KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-key-type.patch
++ bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch

