[kernel] r22232 - in dists/wheezy/linux/debian: . patches patches/bugfix/all patches/bugfix/x86

Ben Hutchings benh at moszumanska.debian.org
Mon Dec 29 01:50:34 UTC 2014


Author: benh
Date: Mon Dec 29 01:50:33 2014
New Revision: 22232

Log:
Add some fairly low-risk security fixes

Added:
   dists/wheezy/linux/debian/patches/bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch
   dists/wheezy/linux/debian/patches/bugfix/x86/kvm-x86-don-t-report-guest-userspace-emulation-error-to-userspace.patch
   dists/wheezy/linux/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
Modified:
   dists/wheezy/linux/debian/changelog
   dists/wheezy/linux/debian/patches/series

Modified: dists/wheezy/linux/debian/changelog
==============================================================================
--- dists/wheezy/linux/debian/changelog	Sat Dec 27 18:11:54 2014	(r22231)
+++ dists/wheezy/linux/debian/changelog	Mon Dec 29 01:50:33 2014	(r22232)
@@ -119,6 +119,11 @@
     - drm/i915: Remove bogus __init annotation from DMI callbacks
     - drm/vmwgfx: Fix a potential infinite spin waiting for fifo idle
     - drm/radeon: add connector quirk for fujitsu board
+   * [x86] KVM: Don't report guest userspace emulation error to userspace
+     (CVE-2014-7842)
+   * [x86] kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+     (CVE-2014-8134)
+   * isofs: Fix infinite looping over CE entries (CVE-2014-9420)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Thu, 13 Nov 2014 19:16:28 +0000
 

Added: dists/wheezy/linux/debian/patches/bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch	Mon Dec 29 01:50:33 2014	(r22232)
@@ -0,0 +1,52 @@
+From: Jan Kara <jack at suse.cz>
+Date: Mon, 15 Dec 2014 14:22:46 +0100
+Subject: isofs: Fix infinite looping over CE entries
+Origin: https://git.kernel.org/linus/f54e18f1b831c92f6512d2eedb224cd63d607d3d
+
+Rock Ridge extensions define so called Continuation Entries (CE) which
+define where is further space with Rock Ridge data. Corrupted isofs
+image can contain arbitrarily long chain of these, including a one
+containing loop and thus causing kernel to end in an infinite loop when
+traversing these entries.
+
+Limit the traversal to 32 entries which should be more than enough space
+to store all the Rock Ridge data.
+
+Reported-by: P J P <ppandit at redhat.com>
+CC: stable at vger.kernel.org
+Signed-off-by: Jan Kara <jack at suse.cz>
+---
+ fs/isofs/rock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index f488bba..bb63254 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -30,6 +30,7 @@ struct rock_state {
+ 	int cont_size;
+ 	int cont_extent;
+ 	int cont_offset;
++	int cont_loops;
+ 	struct inode *inode;
+ };
+ 
+@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
+ 	rs->inode = inode;
+ }
+ 
++/* Maximum number of Rock Ridge continuation entries */
++#define RR_MAX_CE_ENTRIES 32
++
+ /*
+  * Returns 0 if the caller should continue scanning, 1 if the scan must end
+  * and -ve on error.
+@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
+ 			goto out;
+ 		}
+ 		ret = -EIO;
++		if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
++			goto out;
+ 		bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
+ 		if (bh) {
+ 			memcpy(rs->buffer, bh->b_data + rs->cont_offset,
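Review bot: The cap at `++rs->cont_loops >= RR_MAX_CE_ENTRIES` trips when the counter reaches 32, so at most 31 continuation entries are ever followed, which does not match the "Maximum number of Rock Ridge continuation entries" comment; either reword it to `/* At most RR_MAX_CE_ENTRIES - 1 CE entries are followed; a longer chain is treated as corruption */` or test `> RR_MAX_CE_ENTRIES`. The bound is only meaningful if `init_rock_state()` zeroes the whole struct — the hunk shows only its tail (`rs->inode = inode;`), so confirm a `memset(rs, 0, sizeof(*rs))` precedes it, otherwise `cont_loops` starts from stack garbage and a crafted image could still loop. Placing the check after `ret = -EIO` is right: an over-long chain is reported as a corrupted image rather than silently truncated, but unlike what I take to be the function's existing corrupted-entry message (outside the hunk) nothing is logged, and a `printk(KERN_NOTICE "rock: too many continuation entries\n")` before the `goto out` would make such images visible in forensics. rock_continue() continues beyond the hunk.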

Added: dists/wheezy/linux/debian/patches/bugfix/x86/kvm-x86-don-t-report-guest-userspace-emulation-error-to-userspace.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/x86/kvm-x86-don-t-report-guest-userspace-emulation-error-to-userspace.patch	Mon Dec 29 01:50:33 2014	(r22232)
@@ -0,0 +1,32 @@
+From: Nadav Amit <namit at cs.technion.ac.il>
+Date: Wed, 17 Sep 2014 02:50:50 +0300
+Subject: KVM: x86: Don't report guest userspace emulation error to userspace
+Origin: https://git.kernel.org/linus/2b9e6c1a35afcc0973acb72e591c714e78885ff
+
+Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to
+user-space") disabled the reporting of L2 (nested guest) emulation failures to
+userspace due to race-condition between a vmexit and the instruction emulator.
+The same rational applies also to userspace applications that are permitted by
+the guest OS to access MMIO area or perform PIO.
+
+This patch extends the current behavior - of injecting a #UD instead of
+reporting it to userspace - also for guest userspace code.
+
+Signed-off-by: Nadav Amit <namit at cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4846,7 +4846,7 @@ static int handle_emulation_failure(stru
+ 
+ 	++vcpu->stat.insn_emulation_fail;
+ 	trace_kvm_emulate_insn_failed(vcpu);
+-	if (!is_guest_mode(vcpu)) {
++	if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) {
+ 		vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ 		vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+ 		vcpu->run->internal.ndata = 0;
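Review bot: The new condition `!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0` carries no comment, and the reason is security-relevant: KVM_EXIT_INTERNAL_ERROR is normally fatal to the VMM, so without the CPL test an unprivileged guest process permitted to touch MMIO or do PIO could take down the whole guest (the CVE-2014-7842 denial of service named in the changelog). Suggest a comment above the `if`: `/* Only report CPL0 (guest kernel) failures to userspace; guest user code gets #UD instead, so unprivileged guest code cannot abort the VM */`. The #UD injection and the return values are in the part of handle_emulation_failure() outside the hunk, so confirm the newly non-reported CPL>0 case falls through to the same `kvm_queue_exception(vcpu, UD_VECTOR)` / EMULATE_DONE path that the L2 case already uses.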

Added: dists/wheezy/linux/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch	Mon Dec 29 01:50:33 2014	(r22232)
@@ -0,0 +1,63 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Fri, 5 Dec 2014 19:03:28 -0800
+Subject: x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+Origin: https://git.kernel.org/linus/29fa6825463c97e5157284db80107d1bfac5d77b
+
+paravirt_enabled has the following effects:
+
+ - Disables the F00F bug workaround warning.  There is no F00F bug
+   workaround any more because Linux's standard IDT handling already
+   works around the F00F bug, but the warning still exists.  This
+   is only cosmetic, and, in any event, there is no such thing as
+   KVM on a CPU with the F00F bug.
+
+ - Disables 32-bit APM BIOS detection.  On a KVM paravirt system,
+   there should be no APM BIOS anyway.
+
+ - Disables tboot.  I think that the tboot code should check the
+   CPUID hypervisor bit directly if it matters.
+
+ - paravirt_enabled disables espfix32.  espfix32 should *not* be
+   disabled under KVM paravirt.
+
+The last point is the purpose of this patch.  It fixes a leak of the
+high 16 bits of the kernel stack address on 32-bit KVM paravirt
+guests.  Fixes CVE-2014-8134.
+
+Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/kvm.c      | 9 ++++++++-
+ arch/x86/kernel/kvmclock.c | 1 -
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -419,7 +419,14 @@ static void kvm_leave_lazy_mmu(void)
+ static void __init paravirt_ops_setup(void)
+ {
+ 	pv_info.name = "KVM";
+-	pv_info.paravirt_enabled = 1;
++
++	/*
++	 * KVM isn't paravirt in the sense of paravirt_enabled.  A KVM
++	 * guest kernel works like a bare metal kernel with additional
++	 * features, and paravirt_enabled is about features that are
++	 * missing.
++	 */
++	pv_info.paravirt_enabled = 0;
+ 
+ 	if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
+ 		pv_cpu_ops.io_delay = kvm_io_delay;
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -203,7 +203,6 @@ void __init kvmclock_init(void)
+ #endif
+ 	kvm_get_preset_lpj();
+ 	clocksource_register_hz(&kvm_clock, NSEC_PER_SEC);
+-	pv_info.paravirt_enabled = 1;
+ 	pv_info.name = "KVM";
+ 
+ 	if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
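Review bot: The removal in kvmclock_init() carries no comment, while the kvm.c hunk explains the reason at length; a later cleanup could plausibly re-add `pv_info.paravirt_enabled = 1;` next to the surviving `pv_info.name = "KVM";`. Suggest a one-liner there: `/* Do not set paravirt_enabled: it disables espfix32 (CVE-2014-8134); see paravirt_ops_setup() */`. Both sites matter if kvmclock_init() can run without kvm_guest_init() (e.g. a guest kernel with kvmclock but not KVM_GUEST support) — that ordering is not visible in the hunk, so it is worth confirming before trimming either change in a backport. The explicit `pv_info.paravirt_enabled = 0;` in paravirt_ops_setup() presumably matches the field's default and so documents intent rather than resetting anything; that is fine, but the comment there could say so.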

Modified: dists/wheezy/linux/debian/patches/series
==============================================================================
--- dists/wheezy/linux/debian/patches/series	Sat Dec 27 18:11:54 2014	(r22231)
+++ dists/wheezy/linux/debian/patches/series	Mon Dec 29 01:50:33 2014	(r22232)
@@ -1143,3 +1143,6 @@
 debian/ceph-avoid-abi-change-in-3.2.64.patch
 debian/perf-avoid-abi-change-in-3.2.65.patch
 debian/mm-truncate-avoid-abi-change-in-3.2.65.patch
+bugfix/x86/kvm-x86-don-t-report-guest-userspace-emulation-error-to-userspace.patch
+bugfix/x86/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
+bugfix/all/isofs-fix-infinite-looping-over-ce-entries.patch


