[linux] 04/06: xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
Wed Jul 26 21:37:27 UTC 2017
carnil pushed a commit to branch stretch-security
in repository linux.
commit 6fa619c3871ea16557cad4dcd51f4fd3ab41c419
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Wed Jul 26 23:14:18 2017 +0200
xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
---
debian/changelog | 1 +
...k-don-t-leak-stack-data-via-response-ring.patch | 130 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 132 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9a406cd..784c2b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ linux (4.9.30-2+deb9u3) UNRELEASED; urgency=medium
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
* [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
* drm/virtio: don't leak bo on drm_gem_object_init failure (CVE-2017-10810)
+ * xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
-- Salvatore Bonaccorso <carnil at debian.org> Wed, 26 Jul 2017 22:08:32 +0200
diff --git a/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch b/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
new file mode 100644
index 0000000..88a08a7
--- /dev/null
+++ b/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
@@ -0,0 +1,130 @@
+From: Jan Beulich <jbeulich at suse.com>
+Date: Tue, 13 Jun 2017 16:28:27 -0400
+Subject: xen-blkback: don't leak stack data via response ring
+Origin: https://git.kernel.org/linus/089bc0143f489bd3a4578bdff5f4ca68fb26f341
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10911
+
+Rather than constructing a local structure instance on the stack, fill
+the fields directly on the shared ring, just like other backends do.
+Build on the fact that all response structure flavors are actually
+identical (the old code did make this assumption too).
+
+This is XSA-216.
+
+Cc: stable at vger.kernel.org
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+---
+ drivers/block/xen-blkback/blkback.c | 23 ++++++++++++-----------
+ drivers/block/xen-blkback/common.h | 25 +++++--------------------
+ 2 files changed, 17 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
+index 6b14c509f3c7..0e824091a12f 100644
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -1433,34 +1433,35 @@ static int dispatch_rw_block_io(struct xen_blkif_ring *ring,
+ static void make_response(struct xen_blkif_ring *ring, u64 id,
+ unsigned short op, int st)
+ {
+- struct blkif_response resp;
++ struct blkif_response *resp;
+ unsigned long flags;
+ union blkif_back_rings *blk_rings;
+ int notify;
+
+- resp.id = id;
+- resp.operation = op;
+- resp.status = st;
+-
+ spin_lock_irqsave(&ring->blk_ring_lock, flags);
+ blk_rings = &ring->blk_rings;
+ /* Place on the response ring for the relevant domain. */
+ switch (ring->blkif->blk_protocol) {
+ case BLKIF_PROTOCOL_NATIVE:
+- memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->native,
++ blk_rings->native.rsp_prod_pvt);
+ break;
+ case BLKIF_PROTOCOL_X86_32:
+- memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->x86_32,
++ blk_rings->x86_32.rsp_prod_pvt);
+ break;
+ case BLKIF_PROTOCOL_X86_64:
+- memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->x86_64,
++ blk_rings->x86_64.rsp_prod_pvt);
+ break;
+ default:
+ BUG();
+ }
++
++ resp->id = id;
++ resp->operation = op;
++ resp->status = st;
++
+ blk_rings->common.rsp_prod_pvt++;
+ RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify);
+ spin_unlock_irqrestore(&ring->blk_ring_lock, flags);
+diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h
+index 638597b17a38..ecb35fe8ca8d 100644
+--- a/drivers/block/xen-blkback/common.h
++++ b/drivers/block/xen-blkback/common.h
+@@ -75,9 +75,8 @@ extern unsigned int xenblk_max_queues;
+ struct blkif_common_request {
+ char dummy;
+ };
+-struct blkif_common_response {
+- char dummy;
+-};
++
++/* i386 protocol version */
+
+ struct blkif_x86_32_request_rw {
+ uint8_t nr_segments; /* number of segments */
+@@ -129,14 +128,6 @@ struct blkif_x86_32_request {
+ } u;
+ } __attribute__((__packed__));
+
+-/* i386 protocol version */
+-#pragma pack(push, 4)
+-struct blkif_x86_32_response {
+- uint64_t id; /* copied from request */
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+-#pragma pack(pop)
+ /* x86_64 protocol version */
+
+ struct blkif_x86_64_request_rw {
+@@ -193,18 +184,12 @@ struct blkif_x86_64_request {
+ } u;
+ } __attribute__((__packed__));
+
+-struct blkif_x86_64_response {
+- uint64_t __attribute__((__aligned__(8))) id;
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+-
+ DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
+- struct blkif_common_response);
++ struct blkif_response);
+ DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
+- struct blkif_x86_32_response);
++ struct blkif_response __packed);
+ DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
+- struct blkif_x86_64_response);
++ struct blkif_response);
+
+ union blkif_back_rings {
+ struct blkif_back_ring native;
+--
+2.11.0
+
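Review bot: The rewritten `make_response` body (the `resp->id` / `resp->operation` / `resp->status` assignments after the `switch`) carries no comment recording why the fields are written in place, so a later cleanup could reintroduce a stack-local `struct blkif_response` plus `memcpy` and reopen the padding leak this patch closes. I would add above the three assignments: `/* Fill the slot in place: a stack-local copy would expose its padding bytes to the frontend (XSA-216). */`. It is also worth stating in that comment that the slot's own trailing padding is deliberately left untouched, since it already holds ring contents the frontend wrote, which is what makes the in-place write safe. The `int st` to `int16_t status` narrowing is pre-existing and unchanged here, and `make_response` appears to continue past the `spin_unlock_irqrestore` line where the hunk ends.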
diff --git a/debian/patches/series b/debian/patches/series
index aec8e49..0c1bdb4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -128,6 +128,7 @@ bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
bugfix/all/drm-virtio-don-t-leak-bo-on-drm_gem_object_init-fail.patch
+bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch