[kernel] r22115 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Sun Dec 7 00:19:34 UTC 2014
Author: benh
Date: Sun Dec 7 00:19:34 2014
New Revision: 22115
Log:
Add various security fixes
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Sat Dec 6 23:53:31 2014 (r22114)
+++ dists/wheezy-security/linux/debian/changelog Sun Dec 7 00:19:34 2014 (r22115)
@@ -5,6 +5,11 @@
host.
* ip: Fix backport of "ip: make IP identifiers less predictable"
(regression in 3.2.63) (thanks to Jeffrey Knockel)
+ * net: sctp: fix NULL pointer dereference in af->from_addr_param on
+ malformed packet (CVE-2014-7841)
+ * kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+ (CVE-2014-8369)
+ * media: ttusb-dec: buffer overflow in ioctl (CVE-2014-8884)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 06 Dec 2014 23:32:07 +0000
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch Sun Dec 7 00:19:34 2014 (r22115)
@@ -0,0 +1,74 @@
+From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Date: Fri, 17 Oct 2014 22:55:59 +0200
+Subject: kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+Origin: https://git.kernel.org/linus/3d32e4dbe71374a6780eaf51d719d76f9a9bf22f
+
+The third parameter of kvm_unpin_pages() when called from
+kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
+and not the page size.
+
+This error was facilitated with an inconsistent API: kvm_pin_pages() takes
+a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
+by matching the two.
+
+This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
+of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
+un-pinning for pages intended to be un-pinned (i.e. memory leak) but
+unfortunately potentially aggravated the number of pages we un-pin that
+should have stayed pinned. As far as I understand though, the same
+practical mitigations apply.
+
+This issue was found during review of Red Hat 6.6 patches to prepare
+Ksplice rebootless updates.
+
+Thanks to Vegard for his time on a late Friday evening to help me in
+understanding this code.
+
+Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
+Cc: stable at vger.kernel.org
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum at oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles at oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 3.2: kvm_pin_pages() also takes a struct kvm *kvm param]
+---
+ virt/kvm/iommu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct k
+ gfn_t base_gfn, unsigned long npages);
+
+ static pfn_t kvm_pin_pages(struct kvm *kvm, struct kvm_memory_slot *slot,
+- gfn_t gfn, unsigned long size)
++ gfn_t gfn, unsigned long npages)
+ {
+ gfn_t end_gfn;
+ pfn_t pfn;
+
+ pfn = gfn_to_pfn_memslot(kvm, slot, gfn);
+- end_gfn = gfn + (size >> PAGE_SHIFT);
++ end_gfn = gfn + npages;
+ gfn += 1;
+
+ if (is_error_pfn(pfn))
+@@ -117,7 +117,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+ * Pin all pages we are about to map in memory. This is
+ * important because we unmap and unpin in 4kb steps later.
+ */
+- pfn = kvm_pin_pages(kvm, slot, gfn, page_size);
++ pfn = kvm_pin_pages(kvm, slot, gfn, page_size >> PAGE_SHIFT);
+ if (is_error_pfn(pfn)) {
+ gfn += 1;
+ continue;
+@@ -129,7 +129,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+ if (r) {
+ printk(KERN_ERR "kvm_iommu_map_address:"
+ "iommu failed to map pfn=%llx\n", pfn);
+- kvm_unpin_pages(kvm, pfn, page_size);
++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
+ goto unmap_pages;
+ }
+
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch Sun Dec 7 00:19:34 2014 (r22115)
@@ -0,0 +1,26 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Fri, 5 Sep 2014 09:09:28 -0300
+Subject: [media] ttusb-dec: buffer overflow in ioctl
+Origin: https://git.kernel.org/linus/f2e323ec96077642d397bb1c355def536d489d16
+
+We need to add a limit check here so we don't overflow the buffer.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/media/usb/ttusb-dec/ttusbdecfe.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
++++ b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
+@@ -154,6 +154,9 @@ static int ttusbdecfe_dvbs_diseqc_send_m
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00 };
+
++ if (cmd->msg_len > sizeof(b) - 4)
++ return -EINVAL;
++
+ memcpy(&b[4], cmd->msg, cmd->msg_len);
+
+ state->config->send_command(fe, 0x72,
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch Sun Dec 7 00:19:34 2014 (r22115)
@@ -0,0 +1,73 @@
+From: Daniel Borkmann <dborkman at redhat.com>
+Date: Mon, 10 Nov 2014 17:54:26 +0100
+Subject: net: sctp: fix NULL pointer dereference in af->from_addr_param on
+ malformed packet
+Origin: https://git.kernel.org/linus/e40607cbe270a9e8360907cb1e62ddf0736e4864
+
+An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
+in the form of:
+
+ ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
+
+While the INIT chunk parameter verification dissects through many things
+in order to detect malformed input, it misses to actually check parameters
+inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
+IP address' parameter in ASCONF, which has as a subparameter an address
+parameter.
+
+So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
+or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
+and thus sctp_get_af_specific() returns NULL, too, which we then happily
+dereference unconditionally through af->from_addr_param().
+
+The trace for the log:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+PGD 0
+Oops: 0000 [#1] SMP
+[...]
+Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
+RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+[...]
+Call Trace:
+ <IRQ>
+ [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
+ [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
+ [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
+ [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
+ [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
+ [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
+ [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
+ [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
+ [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+ [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+[...]
+
+A minimal way to address this is to check for NULL as we do on all
+other such occasions where we know sctp_get_af_specific() could
+possibly return with NULL.
+
+Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
+Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
+Cc: Vlad Yasevich <vyasevich at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/sm_make_chunk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2570,6 +2570,9 @@ do_addr_param:
+ addr_param = param.v + sizeof(sctp_addip_param_t);
+
+ af = sctp_get_af_specific(param_type2af(param.p->type));
++ if (af == NULL)
++ break;
++
+ af->from_addr_param(&addr, addr_param,
+ htons(asoc->peer.port), 0);
+
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Sat Dec 6 23:53:31 2014 (r22114)
+++ dists/wheezy-security/linux/debian/patches/series Sun Dec 7 00:19:34 2014 (r22115)
@@ -1156,3 +1156,6 @@
bugfix/x86/x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch
bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
+bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
+bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
+bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
More information about the Kernel-svn-changes
mailing list