[kernel] r19122 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at alioth.debian.org
Mon Jun 11 01:45:26 UTC 2012 

Author: benh
Date: Mon Jun 11 01:45:24 2012
New Revision: 19122

Log:
KVM: Fix buffer overflow in kvm_set_irq() (CVE-2012-2137)

Added:
   dists/sid/linux/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Mon Jun 11 01:40:02 2012	(r19121)
+++ dists/sid/linux/debian/changelog	Mon Jun 11 01:45:24 2012	(r19122)
@@ -57,6 +57,7 @@
   * macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb is built
     successfully
   * macvtap: zerocopy: validate vectors before building skb (CVE-2012-2119)
+  * KVM: Fix buffer overflow in kvm_set_irq() (CVE-2012-2137)
 
   [ Bastian Blank ]
   * [s390/s390x,s390x/s390x] Build debugging symbols.

Added: dists/sid/linux/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch	Mon Jun 11 01:45:24 2012	(r19122)
@@ -0,0 +1,33 @@
+From: Avi Kivity <avi at redhat.com>
+Date: Sun, 22 Apr 2012 17:02:11 +0300
+Subject: [PATCH] KVM: Fix buffer overflow in kvm_set_irq()
+
+commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed upstream.
+
+kvm_set_irq() has an internal buffer of three irq routing entries, allowing
+connecting a GSI to three IRQ chips or on MSI.  However setup_routing_entry()
+does not properly enforce this, allowing three irqchip routes followed by
+an MSI route to overflow the buffer.
+
+Fix by ensuring that an MSI entry is added to an empty list.
+
+Signed-off-by: Avi Kivity <avi at redhat.com>
+---
+ virt/kvm/irq_comm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
+index a6a0365..5afb431 100644
+--- a/virt/kvm/irq_comm.c
++++ b/virt/kvm/irq_comm.c
+@@ -332,6 +332,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
+ 	 */
+ 	hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
+ 		if (ei->type == KVM_IRQ_ROUTING_MSI ||
++		    ue->type == KVM_IRQ_ROUTING_MSI ||
+ 		    ue->u.irqchip.irqchip == ei->irqchip.irqchip)
+ 			return r;
+ 
+-- 
+1.7.10
+

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Mon Jun 11 01:40:02 2012	(r19121)
+++ dists/sid/linux/debian/patches/series	Mon Jun 11 01:45:24 2012	(r19122)
@@ -324,3 +324,5 @@
 bugfix/all/macvtap-zerocopy-put-page-when-fail-to-get-all-reque.patch
 bugfix/all/macvtap-zerocopy-set-SKBTX_DEV_ZEROCOPY-only-when-sk.patch
 bugfix/all/macvtap-zerocopy-validate-vectors-before-building-sk.patch
+
+bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch

More information about the Kernel-svn-changes mailing list