[kernel/f16] CVE-2012-2119 macvtap: zerocopy: vector length is not validated before pinning user pages (rhbz 8142

Justin M. Forbes jforbes at fedoraproject.org
Thu Apr 19 21:22:04 UTC 2012


commit 92b55943d6b20b0f4eb2a86cbc3b6567494f2da9
Author: Justin M. Forbes <jforbes at redhat.com>
Date:   Thu Apr 19 16:23:18 2012 -0500

    CVE-2012-2119 macvtap: zerocopy: vector length is not validated before pinning user pages (rhbz 814278 814289)

 kernel.spec                                   |   14 ++++++++++++--
 macvtap-zerocopy-validate-vector-length.patch |   25 +++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index a881137..433e1cd 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -804,9 +804,12 @@ Patch21710: disable-hid-battery.patch
 Patch30000: weird-root-dentry-name-debug.patch
 Patch30010: debug-808990.patch
 
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
 Patch22006: KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
 
+#rhbz 814278 814289 CVE-2012-2119
+Patch22007: macvtap-zerocopy-validate-vector-length.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
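Review bot: the new `#rhbz 814278 814289 CVE-2012-2119` comment records bug and CVE ids but no upstream commit id or mailing-list reference, and the patch file added below carries only a Signed-off-by line; record the upstream reference here once the fix lands so the patch can be dropped at the next rebase without re-checking. The same applies to the `CVE-2012-2121` tag added to the KVM patch comment in this hunk.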
@@ -1502,9 +1505,12 @@ ApplyPatch x86-microcode-Ensure-that-module-is-only-loaded-for-supported-AMD-CPU
 #rhbz 806295
 ApplyPatch disable-hid-battery.patch
 
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
 ApplyPatch KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
 
+#rhbz 814278 814289 CVE-2012-2119
+ApplyPatch macvtap-zerocopy-validate-vector-length.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2243,6 +2249,10 @@ fi
 # and build.
 
 %changelog
+* Thu Apr 19 2012 Justin M. Forbes <jforbes at redhat.com> - 3.3.2-4
+- CVE-2012-2119 macvtap: zerocopy: vector length is not validated before
+  pinning user pages (rhbz 814278 814289)
+
 * Thu Apr 19 2012 Justin M. Forbes <jforbes at redhat.com>
 - Fix KVM device assignment page leak (rhbz 814149 814155)
 
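Review bot: the spec hunks above now tag the KVM patch with CVE-2012-2121, but the existing changelog entry for that fix (`- Fix KVM device assignment page leak (rhbz 814149 814155)`) is left without the CVE id; add it so the changelog matches the patch comments. The new entry also states `3.3.2-4` while no hunk in this commit changes the release, so confirm that the baserelease bump is already in place before this is built.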
diff --git a/macvtap-zerocopy-validate-vector-length.patch b/macvtap-zerocopy-validate-vector-length.patch
new file mode 100644
index 0000000..3ac31e4
--- /dev/null
+++ b/macvtap-zerocopy-validate-vector-length.patch
@@ -0,0 +1,25 @@
+Currently we do not validate the vector length before calling
+get_user_pages_fast(), host stack would be easily overflowed by
+malicious guest driver who give us a descriptor with length greater
+than MAX_SKB_FRAGS. Solve this problem by checking the free entries
+before trying to pin user pages.
+
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ drivers/net/macvtap.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 7cb2684..d197a78 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -527,6 +527,8 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
+ 		}
+ 		base = (unsigned long)from->iov_base + offset1;
+ 		size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
++		if (i + size >= MAX_SKB_FRAGS)
++			return -EFAULT;
+ 		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+ 		if ((num_pages != size) ||
+ 		    (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags))
+
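Review bot: the new bound `if (i + size >= MAX_SKB_FRAGS)` rejects the case i + size == MAX_SKB_FRAGS, which fills page[i..MAX_SKB_FRAGS-1] exactly and is in bounds if the local page[] array has MAX_SKB_FRAGS entries (its declaration is outside this hunk); `i + size > MAX_SKB_FRAGS` is the exact limit, and -EMSGSIZE describes an oversized vector better than -EFAULT, which a caller may read as a bad user address. Consider also checking against the tighter `MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags` already used two lines below, so a vector that cannot fit into the skb is refused before its pages are pinned rather than after.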

