[kernel] r18549 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jan 17 17:36:37 UTC 2012


Author: dannf
Date: Tue Jan 17 17:36:35 2012
New Revision: 18549

Log:
[x86] KVM: Prevent starting PIT timers in the absence of irqchip support (CVE-2011-4622)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/27lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Tue Jan 17 17:36:27 2012	(r18548)
+++ dists/lenny-security/linux-2.6/debian/changelog	Tue Jan 17 17:36:35 2012	(r18549)
@@ -5,6 +5,8 @@
   * KEYS: Fix a NULL pointer deref in the user-defined key type (CVE-2011-4110)
   * futex: clear robust_list on execve (CVE-2012-0028)
   * rose: Add length checks to CALL_REQUEST parsing (CVE-2011-4914)
+  * [x86] KVM: Prevent starting PIT timers in the absence of irqchip support
+    (CVE-2011-4622)
 
  -- dann frazier <dannf at debian.org>  Fri, 06 Jan 2012 21:15:07 -0700
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch	Tue Jan 17 17:36:35 2012	(r18549)
@@ -0,0 +1,59 @@
+commit 0924ab2cfa98b1ece26c033d696651fd62896c69
+Author: Jan Kiszka <jan.kiszka at siemens.com>
+Date:   Wed Dec 14 19:25:13 2011 +0100
+
+    KVM: x86: Prevent starting PIT timers in the absence of irqchip support
+    
+    User space may create the PIT and forgets about setting up the irqchips.
+    In that case, firing PIT IRQs will crash the host:
+    
+    BUG: unable to handle kernel NULL pointer dereference at 0000000000000128
+    IP: [<ffffffffa10f6280>] kvm_set_irq+0x30/0x170 [kvm]
+    ...
+    Call Trace:
+     [<ffffffffa11228c1>] pit_do_work+0x51/0xd0 [kvm]
+     [<ffffffff81071431>] process_one_work+0x111/0x4d0
+     [<ffffffff81071bb2>] worker_thread+0x152/0x340
+     [<ffffffff81075c8e>] kthread+0x7e/0x90
+     [<ffffffff815a4474>] kernel_thread_helper+0x4/0x10
+    
+    Prevent this by checking the irqchip mode before starting a timer. We
+    can't deny creating the PIT if the irqchips aren't set up yet as
+    current user land expects this order to work.
+    
+    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
+    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+    [dannf: backported to Debian's 2.6.26]
+
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -258,10 +258,14 @@ static void destroy_pit_timer(struct kvm_kpit_timer *pt)
+ 	hrtimer_cancel(&pt->timer);
+ }
+ 
+-static void create_pit_timer(struct kvm_kpit_timer *pt, u32 val, int is_period)
++static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
+ {
++	struct kvm_kpit_timer *pt = &kvm->arch.vpit->pit_state.pit_timer;
+ 	s64 interval;
+ 
++	if (!irqchip_in_kernel(kvm))
++		return;
++
+ 	interval = muldiv64(val, NSEC_PER_SEC, KVM_PIT_FREQ);
+ 
+ 	pr_debug("pit: create pit timer, interval is %llu nsec\n", interval);
+@@ -305,11 +309,11 @@ static void pit_load_count(struct kvm *kvm, int channel, u32 val)
+ 	case 1:
+         /* FIXME: enhance mode 4 precision */
+ 	case 4:
+-		create_pit_timer(&ps->pit_timer, val, 0);
++		create_pit_timer(kvm, val, 0);
+ 		break;
+ 	case 2:
+ 	case 3:
+-		create_pit_timer(&ps->pit_timer, val, 1);
++		create_pit_timer(kvm, val, 1);
+ 		break;
+ 	default:
+ 		destroy_pit_timer(&ps->pit_timer);
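Review bot: The new early return in create_pit_timer leaves the hrtimer silently unarmed when user space loads a PIT count before the in-kernel irqchip exists, and nothing in the hunk tells a later reader that this is deliberate rather than a missed case, or that the guest's next count reload is what eventually arms the timer once the irqchip is present. A comment above the guard would carry that intent: `/* No in-kernel irqchip yet (user space created the PIT first); leave the timer unarmed rather than fire into kvm_set_irq with no irqchip. */`. The backport trailer `[dannf: backported to Debian's 2.6.26]` would also be more useful if it named what differs from upstream 0924ab2cfa98, for example whether irqchip_in_kernel is already visible in this tree's i8254.c, which the hunk does not show. create_pit_timer's body and pit_load_count's switch both continue outside the quoted hunks.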

Modified: dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/27lenny1	Tue Jan 17 17:36:27 2012	(r18548)
+++ dists/lenny-security/linux-2.6/debian/patches/series/27lenny1	Tue Jan 17 17:36:35 2012	(r18549)
@@ -4,3 +4,4 @@
 + bugfix/all/move-exit_robust_list-into-mm_release.patch
 + bugfix/all/futex-nullify-robust-lists-after-cleanup.patch
 + bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch
++ bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch


