[linux] 01/01: [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu May 5 04:44:46 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 9a5ea14b58a2448e21b7f4c4b0436948c4422e03
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu May 5 06:37:54 2016 +0200

    [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961)
---
 debian/changelog                                   |  1 +
 ...86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch | 72 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 74 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d84fe48..ba711c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -20,6 +20,7 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
 
   [ Salvatore Bonaccorso ]
   * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
+  * [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 30 Mar 2016 16:32:07 +0100
 
diff --git a/debian/patches/bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch b/debian/patches/bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
new file mode 100644
index 0000000..afb4920
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
@@ -0,0 +1,72 @@
+From: Jan Beulich <JBeulich at suse.com>
+Date: Thu, 21 Apr 2016 00:27:04 -0600
+Subject: x86/mm/xen: Suppress hugetlbfs in PV guests
+Origin: https://git.kernel.org/linus/103f6112f253017d7062cd74d17f4a514ed4485c
+
+Huge pages are not normally available to PV guests. Not suppressing
+hugetlbfs use results in an endless loop of page faults when user mode
+code tries to access a hugetlbfs mapped area (since the hypervisor
+denies such PTEs to be created, but error indications can't be
+propagated out of xen_set_pte_at(), just like for various of its
+siblings), and - once killed in an oops like this:
+
+  kernel BUG at .../fs/hugetlbfs/inode.c:428!
+  invalid opcode: 0000 [#1] SMP
+  ...
+  RIP: e030:[<ffffffff811c333b>]  [<ffffffff811c333b>] remove_inode_hugepages+0x25b/0x320
+  ...
+  Call Trace:
+   [<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40
+   [<ffffffff81167b3d>] evict+0xbd/0x1b0
+   [<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0
+   [<ffffffff81165b0e>] dput+0x1fe/0x220
+   [<ffffffff81150535>] __fput+0x155/0x200
+   [<ffffffff81079fc0>] task_work_run+0x60/0xa0
+   [<ffffffff81063510>] do_exit+0x160/0x400
+   [<ffffffff810637eb>] do_group_exit+0x3b/0xa0
+   [<ffffffff8106e8bd>] get_signal+0x1ed/0x470
+   [<ffffffff8100f854>] do_signal+0x14/0x110
+   [<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0
+   [<ffffffff814178a5>] retint_user+0x8/0x13
+
+This is CVE-2016-3961 / XSA-174.
+
+Reported-by: Vitaly Kuznetsov <vkuznets at redhat.com>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: Boris Ostrovsky <boris.ostrovsky at oracle.com>
+Cc: Borislav Petkov <bp at alien8.de>
+Cc: Brian Gerst <brgerst at gmail.com>
+Cc: David Vrabel <david.vrabel at citrix.com>
+Cc: Denys Vlasenko <dvlasenk at redhat.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Juergen Gross <JGross at suse.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Luis R. Rodriguez <mcgrof at suse.com>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: Toshi Kani <toshi.kani at hp.com>
+Cc: stable at vger.kernel.org
+Cc: xen-devel <xen-devel at lists.xenproject.org>
+Link: http://lkml.kernel.org/r/57188ED802000078000E431C@prv-mh.provo.novell.com
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+---
+ arch/x86/include/asm/hugetlb.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h
+index f8a29d2..e6a8613 100644
+--- a/arch/x86/include/asm/hugetlb.h
++++ b/arch/x86/include/asm/hugetlb.h
+@@ -4,6 +4,7 @@
+ #include <asm/page.h>
+ #include <asm-generic/hugetlb.h>
+ 
++#define hugepages_supported() cpu_has_pse
+ 
+ static inline int is_hugepage_only_range(struct mm_struct *mm,
+ 					 unsigned long addr,
+-- 
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 3dbacba..6b0d4b3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -673,3 +673,4 @@ bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch
 bugfix/all/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
 bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
 bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
+bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list