[kernel] r22232 - in dists/wheezy/linux/debian: . patches patches/bugfix/all patches/bugfix/x86
Ben Hutchings
benh at moszumanska.debian.org
Mon Dec 29 01:50:34 UTC 2014
Author: benh
Date: Mon Dec 29 01:50:33 2014
New Revision: 22232
Log:
Add some fairly low-risk security fixes
Added:
dists/wheezy/linux/debian/patches/bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch
dists/wheezy/linux/debian/patches/bugfix/x86/kvm-x86-don-t-report-guest-userspace-emulation-error-to-userspace.patch
dists/wheezy/linux/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
Modified:
dists/wheezy/linux/debian/changelog
dists/wheezy/linux/debian/patches/series
Modified: dists/wheezy/linux/debian/changelog
==============================================================================
--- dists/wheezy/linux/debian/changelog Sat Dec 27 18:11:54 2014 (r22231)
+++ dists/wheezy/linux/debian/changelog Mon Dec 29 01:50:33 2014 (r22232)
@@ -119,6 +119,11 @@
- drm/i915: Remove bogus __init annotation from DMI callbacks
- drm/vmwgfx: Fix a potential infinite spin waiting for fifo idle
- drm/radeon: add connector quirk for fujitsu board
+ * [x86] KVM: Don't report guest userspace emulation error to userspace
+ (CVE-2014-7842)
+ * [x86] kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+ (CVE-2014-8134)
+ * isofs: Fix infinite looping over CE entries (CVE-2014-9420)
-- Ben Hutchings <ben at decadent.org.uk> Thu, 13 Nov 2014 19:16:28 +0000
Added: dists/wheezy/linux/debian/patches/bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch Mon Dec 29 01:50:33 2014 (r22232)
@@ -0,0 +1,52 @@
+From: Jan Kara <jack at suse.cz>
+Date: Mon, 15 Dec 2014 14:22:46 +0100
+Subject: isofs: Fix infinite looping over CE entries
+Origin: https://git.kernel.org/linus/f54e18f1b831c92f6512d2eedb224cd63d607d3d
+
+Rock Ridge extensions define so called Continuation Entries (CE) which
+define where is further space with Rock Ridge data. Corrupted isofs
+image can contain arbitrarily long chain of these, including a one
+containing loop and thus causing kernel to end in an infinite loop when
+traversing these entries.
+
+Limit the traversal to 32 entries which should be more than enough space
+to store all the Rock Ridge data.
+
+Reported-by: P J P <ppandit at redhat.com>
+CC: stable at vger.kernel.org
+Signed-off-by: Jan Kara <jack at suse.cz>
+---
+ fs/isofs/rock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index f488bba..bb63254 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -30,6 +30,7 @@ struct rock_state {
+ int cont_size;
+ int cont_extent;
+ int cont_offset;
++ int cont_loops;
+ struct inode *inode;
+ };
+
+@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
+ rs->inode = inode;
+ }
+
++/* Maximum number of Rock Ridge continuation entries */
++#define RR_MAX_CE_ENTRIES 32
++
+ /*
+ * Returns 0 if the caller should continue scanning, 1 if the scan must end
+ * and -ve on error.
+@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
+ goto out;
+ }
+ ret = -EIO;
++ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
++ goto out;
+ bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
+ if (bh) {
+ memcpy(rs->buffer, bh->b_data + rs->cont_offset,
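Review bot: The bound at `if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)` only works if the new field starts at zero, and the init_rock_state hunk shows just the trailing `rs->inode = inode;`, so the zeroing of cont_loops (presumably a memset of the whole struct earlier in that function) lies outside what this patch shows and is worth confirming in the 3.2 tree it is applied to. Exceeding the limit takes the `ret = -EIO` set on the preceding line, so a corrupted image with a looping CE chain now fails the lookup instead of hanging the traversal; the comment on the constant could state that outcome rather than only naming it: `/* Maximum number of Rock Ridge continuation entries we follow; a longer chain (e.g. a loop in a corrupted image) is rejected with -EIO */`. rock_continue's body, including the handling of the bh read after the check, continues outside the hunk.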
Added: dists/wheezy/linux/debian/patches/bugfix/x86/kvm-x86-don-t-report-guest-userspace-emulation-error-to-userspace.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/x86/kvm-x86-don-t-report-guest-userspace-emulation-error-to-userspace.patch Mon Dec 29 01:50:33 2014 (r22232)
@@ -0,0 +1,32 @@
+From: Nadav Amit <namit at cs.technion.ac.il>
+Date: Wed, 17 Sep 2014 02:50:50 +0300
+Subject: KVM: x86: Don't report guest userspace emulation error to userspace
+Origin: https://git.kernel.org/linus/2b9e6c1a35afcc0973acb72e591c714e78885ff
+
+Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to
+user-space") disabled the reporting of L2 (nested guest) emulation failures to
+userspace due to race-condition between a vmexit and the instruction emulator.
+The same rational applies also to userspace applications that are permitted by
+the guest OS to access MMIO area or perform PIO.
+
+This patch extends the current behavior - of injecting a #UD instead of
+reporting it to userspace - also for guest userspace code.
+
+Signed-off-by: Nadav Amit <namit at cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4846,7 +4846,7 @@ static int handle_emulation_failure(stru
+
+ ++vcpu->stat.insn_emulation_fail;
+ trace_kvm_emulate_insn_failed(vcpu);
+- if (!is_guest_mode(vcpu)) {
++ if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) {
+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+ vcpu->run->internal.ndata = 0;
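Review bot: The patch header carries the packager's Signed-off-by and the diff has no `diff --git`/`index` lines, which suggests the hunk was adjusted for 3.2, yet there is no note of what differs from the upstream commit at the Origin URL; a line such as `[bwh: Backported to 3.2: adjust context]` (or a statement that it applied unchanged) would make the backport reviewable against upstream. The new condition `if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0)` routes emulation failures at guest CPL>0 away from the KVM_EXIT_INTERNAL_ERROR path, and the description says they are instead turned into a #UD in the guest, but that else branch is outside the hunk; handle_emulation_failure continues past the last line shown, so the injection should be checked in the 3.2 source rather than assumed.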
Added: dists/wheezy/linux/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch Mon Dec 29 01:50:33 2014 (r22232)
@@ -0,0 +1,63 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Fri, 5 Dec 2014 19:03:28 -0800
+Subject: x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+Origin: https://git.kernel.org/linus/29fa6825463c97e5157284db80107d1bfac5d77b
+
+paravirt_enabled has the following effects:
+
+ - Disables the F00F bug workaround warning. There is no F00F bug
+ workaround any more because Linux's standard IDT handling already
+ works around the F00F bug, but the warning still exists. This
+ is only cosmetic, and, in any event, there is no such thing as
+ KVM on a CPU with the F00F bug.
+
+ - Disables 32-bit APM BIOS detection. On a KVM paravirt system,
+ there should be no APM BIOS anyway.
+
+ - Disables tboot. I think that the tboot code should check the
+ CPUID hypervisor bit directly if it matters.
+
+ - paravirt_enabled disables espfix32. espfix32 should *not* be
+ disabled under KVM paravirt.
+
+The last point is the purpose of this patch. It fixes a leak of the
+high 16 bits of the kernel stack address on 32-bit KVM paravirt
+guests. Fixes CVE-2014-8134.
+
+Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/kvm.c | 9 ++++++++-
+ arch/x86/kernel/kvmclock.c | 1 -
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -419,7 +419,14 @@ static void kvm_leave_lazy_mmu(void)
+ static void __init paravirt_ops_setup(void)
+ {
+ pv_info.name = "KVM";
+- pv_info.paravirt_enabled = 1;
++
++ /*
++ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM
++ * guest kernel works like a bare metal kernel with additional
++ * features, and paravirt_enabled is about features that are
++ * missing.
++ */
++ pv_info.paravirt_enabled = 0;
+
+ if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
+ pv_cpu_ops.io_delay = kvm_io_delay;
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -203,7 +203,6 @@ void __init kvmclock_init(void)
+ #endif
+ kvm_get_preset_lpj();
+ clocksource_register_hz(&kvm_clock, NSEC_PER_SEC);
+- pv_info.paravirt_enabled = 1;
+ pv_info.name = "KVM";
+
+ if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
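Review bot: After this change no KVM guest code sets paravirt_enabled any more, because paravirt_ops_setup now writes 0 and the assignment in kvmclock_init is simply dropped, so the kvmclock path relies on pv_info's default value being 0; that default is defined outside the hunk and should be confirmed for 3.2. The explanatory comment lives only in kvm.c, so a one-line note where the assignment was removed in kvmclock_init, e.g. `/* paravirt_enabled deliberately left 0: see paravirt_ops_setup() in kvm.c */`, would keep a later context-matching backport from re-adding the `= 1`. Both paravirt_ops_setup and kvmclock_init continue outside the hunk.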
Modified: dists/wheezy/linux/debian/patches/series
==============================================================================
--- dists/wheezy/linux/debian/patches/series Sat Dec 27 18:11:54 2014 (r22231)
+++ dists/wheezy/linux/debian/patches/series Mon Dec 29 01:50:33 2014 (r22232)
@@ -1143,3 +1143,6 @@
debian/ceph-avoid-abi-change-in-3.2.64.patch
debian/perf-avoid-abi-change-in-3.2.65.patch
debian/mm-truncate-avoid-abi-change-in-3.2.65.patch
+bugfix/x86/kvm-x86-don-t-report-guest-userspace-emulation-error-to-userspace.patch
+bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
+bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch