[linux] 04/07: xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Jul 28 08:16:09 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit f95e90029fe00ef9b3fd320b37d3451e5fc92c6a
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Jul 28 09:03:09 2017 +0200
xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
---
debian/changelog | 1 +
...k-don-t-leak-stack-data-via-response-ring.patch | 130 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 132 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d8d4b1f..f37d940 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ linux (3.16.43-2+deb8u3) UNRELEASED; urgency=medium
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
* [x86] mm: Tighten x86 /dev/mem with zeroing reads (CVE-2017-7889)
* [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
+ * xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
-- Salvatore Bonaccorso <carnil at debian.org> Thu, 27 Jul 2017 22:02:24 +0200
diff --git a/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch b/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
new file mode 100644
index 0000000..e2f89e0
--- /dev/null
+++ b/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
@@ -0,0 +1,130 @@
+From: Jan Beulich <jbeulich at suse.com>
+Date: Tue, 13 Jun 2017 16:28:27 -0400
+Subject: xen-blkback: don't leak stack data via response ring
+Origin: https://git.kernel.org/linus/089bc0143f489bd3a4578bdff5f4ca68fb26f341
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10911
+
+Rather than constructing a local structure instance on the stack, fill
+the fields directly on the shared ring, just like other backends do.
+Build on the fact that all response structure flavors are actually
+identical (the old code did make this assumption too).
+
+This is XSA-216.
+
+Cc: stable at vger.kernel.org
+
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+[bwh: Backported to 3.16: adjust context]
+---
+ drivers/block/xen-blkback/blkback.c | 23 ++++++++++++-----------
+ drivers/block/xen-blkback/common.h | 25 +++++--------------------
+ 2 files changed, 17 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
+index c42c22e778d8..5bc220aefdd2 100644
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -1346,33 +1346,34 @@ static int dispatch_rw_block_io(struct xen_blkif *blkif,
+ static void make_response(struct xen_blkif *blkif, u64 id,
+ unsigned short op, int st)
+ {
+- struct blkif_response resp;
++ struct blkif_response *resp;
+ unsigned long flags;
+ union blkif_back_rings *blk_rings = &blkif->blk_rings;
+ int notify;
+
+- resp.id = id;
+- resp.operation = op;
+- resp.status = st;
+-
+ spin_lock_irqsave(&blkif->blk_ring_lock, flags);
+ /* Place on the response ring for the relevant domain. */
+ switch (blkif->blk_protocol) {
+ case BLKIF_PROTOCOL_NATIVE:
+- memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->native,
++ blk_rings->native.rsp_prod_pvt);
+ break;
+ case BLKIF_PROTOCOL_X86_32:
+- memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->x86_32,
++ blk_rings->x86_32.rsp_prod_pvt);
+ break;
+ case BLKIF_PROTOCOL_X86_64:
+- memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->x86_64,
++ blk_rings->x86_64.rsp_prod_pvt);
+ break;
+ default:
+ BUG();
+ }
++
++ resp->id = id;
++ resp->operation = op;
++ resp->status = st;
++
+ blk_rings->common.rsp_prod_pvt++;
+ RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify);
+ spin_unlock_irqrestore(&blkif->blk_ring_lock, flags);
+diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h
+index ef64f59921a7..62f6067f8f83 100644
+--- a/drivers/block/xen-blkback/common.h
++++ b/drivers/block/xen-blkback/common.h
+@@ -70,9 +70,8 @@
+ struct blkif_common_request {
+ char dummy;
+ };
+-struct blkif_common_response {
+- char dummy;
+-};
++
++/* i386 protocol version */
+
+ struct blkif_x86_32_request_rw {
+ uint8_t nr_segments; /* number of segments */
+@@ -124,14 +123,6 @@ struct blkif_x86_32_request {
+ } u;
+ } __attribute__((__packed__));
+
+-/* i386 protocol version */
+-#pragma pack(push, 4)
+-struct blkif_x86_32_response {
+- uint64_t id; /* copied from request */
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+-#pragma pack(pop)
+ /* x86_64 protocol version */
+
+ struct blkif_x86_64_request_rw {
+@@ -188,18 +179,12 @@ struct blkif_x86_64_request {
+ } u;
+ } __attribute__((__packed__));
+
+-struct blkif_x86_64_response {
+- uint64_t __attribute__((__aligned__(8))) id;
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+-
+ DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
+- struct blkif_common_response);
++ struct blkif_response);
+ DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
+- struct blkif_x86_32_response);
++ struct blkif_response __packed);
+ DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
+- struct blkif_x86_64_response);
++ struct blkif_response);
+
+ union blkif_back_rings {
+ struct blkif_back_ring native;
+--
+2.11.0
+
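Review bot: The rewritten make_response body (lines `resp->id = id;` through `resp->status = st;` in the blkback.c hunk) now fills only the three named fields of the shared-ring slot and leaves the structure's padding bytes untouched, but nothing in the code says that this is deliberate; a later cleanup that reintroduces a stack temporary plus memcpy would bring the XSA-216 leak back. A short comment above the assignments would pin the intent, e.g. `/* Fill the fields in place: a stack copy would also copy its uninitialised padding into guest-visible memory. */`. The padding left behind was already guest-visible ring memory, so leaving it unwritten discloses nothing new, which is worth saying in the same comment. make_response continues past the end of the hunk (the notify handling is not shown), and since this is a backport carried as a patch file the comment would have to be added to the patch rather than to a tree file.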
diff --git a/debian/patches/series b/debian/patches/series
index 31b90a9..75e403e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -719,6 +719,7 @@ bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch
bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
+bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--