[kernel] r19122 - in dists/sid/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at alioth.debian.org
Mon Jun 11 01:45:26 UTC 2012
Author: benh
Date: Mon Jun 11 01:45:24 2012
New Revision: 19122
Log:
KVM: Fix buffer overflow in kvm_set_irq() (CVE-2012-2137)
Added:
dists/sid/linux/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Mon Jun 11 01:40:02 2012 (r19121)
+++ dists/sid/linux/debian/changelog Mon Jun 11 01:45:24 2012 (r19122)
@@ -57,6 +57,7 @@
* macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb is built
successfully
* macvtap: zerocopy: validate vectors before building skb (CVE-2012-2119)
+ * KVM: Fix buffer overflow in kvm_set_irq() (CVE-2012-2137)
[ Bastian Blank ]
* [s390/s390x,s390x/s390x] Build debugging symbols.
Added: dists/sid/linux/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch Mon Jun 11 01:45:24 2012 (r19122)
@@ -0,0 +1,33 @@
+From: Avi Kivity <avi at redhat.com>
+Date: Sun, 22 Apr 2012 17:02:11 +0300
+Subject: [PATCH] KVM: Fix buffer overflow in kvm_set_irq()
+
+commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed upstream.
+
+kvm_set_irq() has an internal buffer of three irq routing entries, allowing
+connecting a GSI to three IRQ chips or on MSI. However setup_routing_entry()
+does not properly enforce this, allowing three irqchip routes followed by
+an MSI route to overflow the buffer.
+
+Fix by ensuring that an MSI entry is added to an empty list.
+
+Signed-off-by: Avi Kivity <avi at redhat.com>
+---
+ virt/kvm/irq_comm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
+index a6a0365..5afb431 100644
+--- a/virt/kvm/irq_comm.c
++++ b/virt/kvm/irq_comm.c
+@@ -332,6 +332,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
+ */
+ hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
+ if (ei->type == KVM_IRQ_ROUTING_MSI ||
++ ue->type == KVM_IRQ_ROUTING_MSI ||
+ ue->u.irqchip.irqchip == ei->irqchip.irqchip)
+ return r;
+
+--
+1.7.10
+
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Mon Jun 11 01:40:02 2012 (r19121)
+++ dists/sid/linux/debian/patches/series Mon Jun 11 01:45:24 2012 (r19122)
@@ -324,3 +324,5 @@
bugfix/all/macvtap-zerocopy-put-page-when-fail-to-get-all-reque.patch
bugfix/all/macvtap-zerocopy-set-SKBTX_DEV_ZEROCOPY-only-when-sk.patch
bugfix/all/macvtap-zerocopy-validate-vectors-before-building-sk.patch
+
+bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
More information about the Kernel-svn-changes
mailing list