[kernel/f15] CVE-2012-2119 macvtap: zerocopy: vector length is not validated before pinning user pages (rhbz 8142
Justin M. Forbes
jforbes at fedoraproject.org
Thu Apr 19 21:26:30 UTC 2012
commit c54adc8eef24dda29209d52a9f382b1680fba4a3
Author: Justin M. Forbes <jforbes at redhat.com>
Date: Thu Apr 19 16:27:40 2012 -0500
CVE-2012-2119 macvtap: zerocopy: vector length is not validated before pinning user pages (rhbz 814278 814289)
kernel.spec | 14 ++++++++++++--
macvtap-zerocopy-validate-vector-length.patch | 25 +++++++++++++++++++++++++
2 files changed, 37 insertions(+), 2 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index f99aac7..9b390bc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -713,9 +713,12 @@ Patch21710: disable-hid-battery.patch
Patch22000: weird-root-dentry-name-debug.patch
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
Patch22006: KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
+#rhbz 814278 814289 CVE-2012-2119
+Patch22007: macvtap-zerocopy-validate-vector-length.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1322,9 +1325,12 @@ ApplyPatch x86-microcode-Ensure-that-module-is-only-loaded-for-supported-AMD-CPU
#rhbz 806295
ApplyPatch disable-hid-battery.patch
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
ApplyPatch KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
+#rhbz 814278 814289 CVE-2012-2119
+ApplyPatch macvtap-zerocopy-validate-vector-length.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -1977,6 +1983,10 @@ fi
# and build.
%changelog
+* Thu Apr 19 2012 Justin M. Forbes <jforbes at redhat.com> 2.6.43.2-4
+- CVE-2012-2119 macvtap: zerocopy: vector length is not validated before
+ pinning user pages (rhbz 814278 814289)
+
* Thu Apr 19 2012 Justin M. Forbes <jforbes at redhat.com>
- Fix KVM device assignment page leak (rhbz 814149 814155)
diff --git a/macvtap-zerocopy-validate-vector-length.patch b/macvtap-zerocopy-validate-vector-length.patch
new file mode 100644
index 0000000..3ac31e4
--- /dev/null
+++ b/macvtap-zerocopy-validate-vector-length.patch
@@ -0,0 +1,25 @@
+Currently we do not validate the vector length before calling
+get_user_pages_fast(), host stack would be easily overflowed by
+malicious guest driver who give us a descriptor with length greater
+than MAX_SKB_FRAGS. Solve this problem by checking the free entries
+before trying to pin user pages.
+
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ drivers/net/macvtap.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 7cb2684..d197a78 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -527,6 +527,8 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
+ }
+ base = (unsigned long)from->iov_base + offset1;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
++ if (i + size >= MAX_SKB_FRAGS)
++ return -EFAULT;
+ num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+ if ((num_pages != size) ||
+ (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags))
+
More information about the scm-commits
mailing list