[linux] 09/09: vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083, CVE-2016-9084)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Dec 1 00:23:48 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 7f5c484df74315774e41e16c00a9309e87214fce
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Nov 30 20:53:47 2016 +0000
vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083, CVE-2016-9084)
---
debian/changelog | 2 +
...o-pci-fix-integer-overflows-bitmask-check.patch | 94 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 97 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index fab542f..53e1f6f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,8 @@ linux (3.16.36-1+deb8u3) UNRELEASED; urgency=medium
* firewire: net: guard against rx buffer overflows (CVE-2016-8633)
* brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
(CVE-2016-8658)
+ * vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083,
+ CVE-2016-9084)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 30 Nov 2016 04:06:41 +0000
diff --git a/debian/patches/bugfix/all/vfio-pci-fix-integer-overflows-bitmask-check.patch b/debian/patches/bugfix/all/vfio-pci-fix-integer-overflows-bitmask-check.patch
new file mode 100644
index 0000000..b5801ed
--- /dev/null
+++ b/debian/patches/bugfix/all/vfio-pci-fix-integer-overflows-bitmask-check.patch
@@ -0,0 +1,94 @@
+From: Vlad Tsyrklevich <vlad at tsyrklevich.net>
+Date: Wed, 12 Oct 2016 18:51:24 +0200
+Subject: vfio/pci: Fix integer overflows, bitmask check
+Origin: https://git.kernel.org/linus/05692d7005a364add85c6e25a6c4447ce08f913a
+
+The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
+user-supplied integers, potentially allowing memory corruption. This
+patch adds appropriate integer overflow checks, checks the range bounds
+for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
+in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
+VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
+vfio_pci_set_irqs_ioctl().
+
+Furthermore, a kzalloc is changed to a kcalloc because the use of a
+kzalloc with an integer multiplication allowed an integer overflow
+condition to be reached without this patch. kcalloc checks for overflow
+and should prevent a similar occurrence.
+
+Signed-off-by: Vlad Tsyrklevich <vlad at tsyrklevich.net>
+Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/vfio/pci/vfio_pci.c | 33 +++++++++++++++++++++------------
+ drivers/vfio/pci/vfio_pci_intrs.c | 2 +-
+ 2 files changed, 22 insertions(+), 13 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -460,8 +460,9 @@ static long vfio_pci_ioctl(void *device_
+
+ } else if (cmd == VFIO_DEVICE_SET_IRQS) {
+ struct vfio_irq_set hdr;
++ size_t size;
+ u8 *data = NULL;
+- int ret = 0;
++ int max, ret = 0;
+
+ minsz = offsetofend(struct vfio_irq_set, count);
+
+@@ -469,23 +470,31 @@ static long vfio_pci_ioctl(void *device_
+ return -EFAULT;
+
+ if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
++ hdr.count >= (U32_MAX - hdr.start) ||
+ hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
+ VFIO_IRQ_SET_ACTION_TYPE_MASK))
+ return -EINVAL;
+
+- if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
+- size_t size;
+- int max = vfio_pci_get_irq_count(vdev, hdr.index);
+-
+- if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
+- size = sizeof(uint8_t);
+- else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
+- size = sizeof(int32_t);
+- else
+- return -EINVAL;
++ max = vfio_pci_get_irq_count(vdev, hdr.index);
++ if (hdr.start >= max || hdr.start + hdr.count > max)
++ return -EINVAL;
++
++ switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
++ case VFIO_IRQ_SET_DATA_NONE:
++ size = 0;
++ break;
++ case VFIO_IRQ_SET_DATA_BOOL:
++ size = sizeof(uint8_t);
++ break;
++ case VFIO_IRQ_SET_DATA_EVENTFD:
++ size = sizeof(int32_t);
++ break;
++ default:
++ return -EINVAL;
++ }
+
+- if (hdr.argsz - minsz < hdr.count * size ||
+- hdr.start >= max || hdr.start + hdr.count > max)
++ if (size) {
++ if (hdr.argsz - minsz < hdr.count * size)
+ return -EINVAL;
+
+ data = memdup_user((void __user *)(arg + minsz),
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -465,7 +465,7 @@ static int vfio_msi_enable(struct vfio_p
+ if (!is_irq_none(vdev))
+ return -EINVAL;
+
+- vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
++ vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
+ if (!vdev->ctx)
+ return -ENOMEM;
+
diff --git a/debian/patches/series b/debian/patches/series
index 19f9761..e4dcfb5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -694,6 +694,7 @@ bugfix/all/block-fix-use-after-free-in-seq-file.patch
bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch
bugfix/all/firewire-net-guard-against-rx-buffer-overflows.patch
bugfix/all/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
+bugfix/all/vfio-pci-fix-integer-overflows-bitmask-check.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list