From 6b2afc5cf7337f2374b05afd7bf89a57584aa8ba Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sat, 23 Mar 2013 18:12:41 +0000
Subject: [PATCH 1/9] [ia64] udeb: Remove efi-modules package; make kernel-image provide efi-modules (fixes FTBFS)
svn path=/dists/sid/linux/; revision=19941
---
debian/changelog | 7 +++++++
debian/installer/ia64/modules/ia64/efi-modules | 1 -
debian/installer/ia64/package-list | 3 +++
3 files changed, 10 insertions(+), 1 deletion(-)
delete mode 100644 debian/installer/ia64/modules/ia64/efi-modules
diff --git a/debian/changelog b/debian/changelog
index 10497ff57..015f886f6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+linux (3.2.41-2) UNRELEASED; urgency=low
+
+ * [ia64] udeb: Remove efi-modules package; make kernel-image provide
+ efi-modules (fixes FTBFS)
+
+ -- Ben Hutchings Sat, 23 Mar 2013 17:45:03 +0000
+
 linux (3.2.41-1) unstable; urgency=low
 * New upstream stable update:
diff --git a/debian/installer/ia64/modules/ia64/efi-modules b/debian/installer/ia64/modules/ia64/efi-modules
deleted file mode 100644
index e1dc05e8f..000000000
--- a/debian/installer/ia64/modules/ia64/efi-modules
+++ /dev/null
@@ -1 +0,0 @@
-#include
diff --git a/debian/installer/ia64/package-list b/debian/installer/ia64/package-list
index c0591794a..84637be08 100644
--- a/debian/installer/ia64/package-list
+++ b/debian/installer/ia64/package-list
@@ -32,3 +32,6 @@ Depends: kernel-image, core-modules
 Package: nbd-modules
 Depends: kernel-image
+
+Package: kernel-image
+Provides: efi-modules
From 000a73ec79989bc45f79678a0ff0660dafb4fd88 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sat, 23 Mar 2013 23:22:08 +0000
Subject: [PATCH 2/9] linux-headers: Fix file installation on architectures without Kbuild.platforms (Closes: #703800)
svn path=/dists/sid/linux/; revision=19942
---
debian/changelog | 2 ++
debian/rules.real | 4 +---
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 015f886f6..17673a2e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ linux (3.2.41-2) UNRELEASED; urgency=low
 * [ia64] udeb: Remove efi-modules package; make kernel-image provide
 efi-modules (fixes FTBFS)
+ * linux-headers: Fix file installation on architectures without
+ Kbuild.platforms (Closes: #703800)
 -- Ben Hutchings Sat, 23 Mar 2013 17:45:03 +0000
diff --git a/debian/rules.real b/debian/rules.real
index 9c36624c8..586851936 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -235,9 +235,7 @@ install-headers_$(ARCH)_$(FEATURESET): $(STAMPS_DIR)/source_$(FEATURESET)
 ( \
 echo Makefile; \
 find arch/$(KERNEL_ARCH) -maxdepth 1 -name 'Makefile*' -print; \
- find arch/$(KERNEL_ARCH) -name 'module.lds' -print; \
- find arch/$(KERNEL_ARCH)/Kbuild.platforms -print; \
- find arch/$(KERNEL_ARCH) -name 'Platform' -print; \
+ find arch/$(KERNEL_ARCH) -name 'module.lds' -o -name 'Kbuild.platforms' -print -o -name 'Platform' -print; \
 find $$(find arch/$(KERNEL_ARCH) \( -name include -o -name scripts \) -type d -print) -print; \
 find include -name 'asm*' -prune -o -print; \
 find include/asm-generic -print; \
From 2378c6285877d979d52e4de1ab8c6c2480661985 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sat, 23 Mar 2013 23:29:38 +0000
Subject: [PATCH 3/9] linux-headers: Fix find syntax so module.lds is included again
svn path=/dists/sid/linux/; revision=19943
---
debian/rules.real | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/rules.real b/debian/rules.real
index 586851936..4ce7908ac 100644
--- a/debian/rules.real
+++ b/debian/rules.real
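Review bot: The merged `find` on the added line silently drops module.lds from the header list: find's implicit -a binds tighter than -o, so the expression parses as `-name 'module.lds' -o ( -name 'Kbuild.platforms' -print ) -o ( -name 'Platform' -print )`, and because an explicit -print is present the module.lds matches get no action at all. Group the tests so the single -print applies to every branch: `find arch/$(KERNEL_ARCH) \( -name 'module.lds' -o -name 'Kbuild.platforms' -o -name 'Platform' \) -print; \` (the next commit in this series makes exactly this change). Nothing in the recipe fails when a file quietly goes missing from the list, so a regression of this kind only surfaces later when an out-of-tree module build against linux-headers breaks. The install-headers rule starts before this hunk and continues after it.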
@@ -235,7 +235,7 @@ install-headers_$(ARCH)_$(FEATURESET): $(STAMPS_DIR)/source_$(FEATURESET)
 ( \
 echo Makefile; \
 find arch/$(KERNEL_ARCH) -maxdepth 1 -name 'Makefile*' -print; \
- find arch/$(KERNEL_ARCH) -name 'module.lds' -o -name 'Kbuild.platforms' -print -o -name 'Platform' -print; \
+ find arch/$(KERNEL_ARCH) \( -name 'module.lds' -o -name 'Kbuild.platforms' -o -name 'Platform' \) -print; \
 find $$(find arch/$(KERNEL_ARCH) \( -name include -o -name scripts \) -type d -print) -print; \
 find include -name 'asm*' -prune -o -print; \
 find include/asm-generic -print; \
From 15cc7e2b4af752ac2c15288858ae59f89410af63 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sun, 24 Mar 2013 02:28:11 +0000
Subject: [PATCH 4/9] Add 'set -o pipefail' in front of find pipelines to catch regressions like #703800
svn path=/dists/sid/linux/; revision=19944
---
debian/rules.real | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/debian/rules.real b/debian/rules.real
index 4ce7908ac..b40218c2f 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -198,6 +198,7 @@ install-doc: $(STAMPS_DIR)/build-doc
 mkdir -p $(OUT_DIR)
 cp -a CREDITS MAINTAINERS README REPORTING-BUGS Documentation $(OUT_DIR)
 rm -rf $(OUT_DIR)/Documentation/DocBook
+ set -o pipefail; \
 cd $(DIR)/Documentation/DocBook; \
 find * -name '*.html' -print \
 | \
@@ -210,6 +211,7 @@ install-manual: DIR=$(BUILD_DIR)/build-doc
 install-manual: DH_OPTIONS = -p$(PACKAGE_NAME)
 install-manual: $(STAMPS_DIR)/build-doc
 dh_prep
+ set -o pipefail; \
 find $(DIR)/Documentation/DocBook/man/ -name '*.9' | xargs dh_installman
 +$(MAKE_SELF) install-base GENCONTROL_ARGS='$(call DEFINE_MULTIARCH,foreign)'
@@ -231,6 +233,7 @@ install-headers_$(ARCH)_$(FEATURESET): $(STAMPS_DIR)/source_$(FEATURESET)
 dh_testroot
 dh_prep
+ set -o pipefail; \
 cd $(SOURCE_DIR); \
 ( \
 echo Makefile; \
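Review bot: `set -o pipefail` is a bash-only option, so the added line in each of the three hunks here (install-doc, install-manual, install-headers) and in the DEBUG module loop of the next hunk only works if rules.real already runs its recipes under bash; that SHELL setting is outside these hunks, so please confirm it, because dash rejects the option and every one of these recipes would then fail before doing any work. It is also worth being precise about what the option catches: a producer such as `find` exiting non-zero (the missing-path case of #703800) now fails the pipeline, but a find that succeeds while printing nothing, like the precedence bug fixed in the previous commit, still passes. In install-headers the finds run inside a `( ... )` list joined with `;`, so a failing find only reaches the pipeline status if errexit is in effect in that subshell (`-e` in SHELL or a `set -e` next to the pipefail). A short comment on each added line, e.g. `# bash only: fail the recipe if any producer in the pipeline fails`, would save the next reader the same question.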
@@ -362,6 +365,7 @@ ifeq ($(MODULES),True)
 chmod a+x $(CURDIR)/debian/bin/no-depmod
 +$(MAKE_CLEAN) -C $(DIR) modules_install DEPMOD='$(CURDIR)/debian/bin/no-depmod' INSTALL_MOD_PATH='$(CURDIR)'/$(PACKAGE_DIR) INSTALL_MOD_STRIP=1
 ifeq ($(DEBUG),True)
+ set -o pipefail; \
 find $(PACKAGE_DIR) -name '*.ko' | sed 's|$(PACKAGE_DIR)/lib/modules/$(REAL_VERSION)/kernel/||' | while read module ; do \
 objcopy --add-gnu-debuglink=$(DIR)/$$module $(PACKAGE_DIR)/lib/modules/$(REAL_VERSION)/kernel/$$module || exit; \
 done
From 8274377d913f817e5a498b3c0d22d28d88e867b2 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Mon, 25 Mar 2013 13:13:14 +0000
Subject: [PATCH 5/9] [x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
svn path=/dists/sid/linux/; revision=19945
---
debian/changelog | 1 +
...ds-check-execbuffer-relocation-count.patch | 49 +++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 51 insertions(+)
create mode 100644 debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
diff --git a/debian/changelog b/debian/changelog
index 17673a2e3..9d9f2a8be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux (3.2.41-2) UNRELEASED; urgency=low
 efi-modules (fixes FTBFS)
 * linux-headers: Fix file installation on architectures without
 Kbuild.platforms (Closes: #703800)
+ * [x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
 -- Ben Hutchings Sat, 23 Mar 2013 17:45:03 +0000
diff --git a/debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch b/debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
new file mode 100644
index 000000000..ed579154f
--- /dev/null
+++ b/debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
@@ -0,0 +1,49 @@
+From: Kees Cook
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: drm/i915: bounds check execbuffer relocation count
+
+commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook
+Reported-by: Pinkie Pie
+Reviewed-by: Chris Wilson
+Signed-off-by: Daniel Vetter
+Signed-off-by: Ben Hutchings
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -907,15 +907,20 @@ validate_exec_list(struct drm_i915_gem_e
+ int count)
+ {
+ int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+
+ for (i = 0; i < count; i++) {
+ char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
diff --git a/debian/patches/series b/debian/patches/series
index 42e733afd..7e2aa2d56 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -635,3 +635,4 @@ bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch
 bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
 bugfix/all/efivars-pstore-do-not-check-size-when-erasing-variable.patch
 debian/efivars-remove-check-for-50-full-on-write.patch
+bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
From 658db8593e12b36f303f46086e444639c5837be1 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Mon, 25 Mar 2013 13:37:43 +0000
Subject: [PATCH 6/9] [x86] drm: Enable DRM_GMA500 as module, replacing DRM_PSB (Closes: #703506)
svn path=/dists/sid/linux/; revision=19946
---
debian/changelog | 2 ++
debian/config/kernelarch-x86/config | 13 ++++++++-----
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 9d9f2a8be..c4f339ea3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ linux (3.2.41-2) UNRELEASED; urgency=low
 * linux-headers: Fix file installation on architectures without
 Kbuild.platforms (Closes: #703800)
 * [x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
+ * [x86] drm: Enable DRM_GMA500 as module, replacing DRM_PSB (Closes: #703506)
+ - Enable DRM_GMA600, DRM_GMA3600, DRM_MEDFIELD
 -- Ben Hutchings Sat, 23 Mar 2013 17:45:03 +0000
diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config
index e9dd1bdf6..cc1559425 100644
--- a/debian/config/kernelarch-x86/config
+++ b/debian/config/kernelarch-x86/config
@@ -417,6 +417,14 @@ CONFIG_DRM_I915_KMS=y
 CONFIG_DRM_MGA=m
 CONFIG_DRM_SIS=m
+##
+## file: drivers/staging/gma500/Kconfig
+##
+CONFIG_DRM_GMA500=m
+CONFIG_DRM_GMA600=y
+CONFIG_DRM_GMA3600=y
+CONFIG_DRM_MEDFIELD=y
+
 ##
 ## file: drivers/gpu/drm/nouveau/Kconfig
 ##
@@ -1269,11 +1277,6 @@ CONFIG_COMEDI_FC=m
 ##
 CONFIG_ET131X=m
-##
-## file: drivers/staging/gma500/Kconfig
-##
-CONFIG_DRM_PSB=m
-
 ##
 ## file: drivers/staging/hv/Kconfig
 ##
From 7f76905aeaee4bc826808e753e68571b42574af8 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Mon, 25 Mar 2013 14:30:20 +0000
Subject: [PATCH 7/9] Apply KVM security fixes
svn path=/dists/sid/linux/; revision=19947
---
debian/changelog | 5 +
...hecking-in-ioapic-indirect-register-.patch | 42 ++++++
...MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch | 134 ++++++++++++++++++
...buffer-overflow-in-handling-of-MSR_K.patch | 39 +++++
debian/patches/series | 3 +
5 files changed, 223 insertions(+)
create mode 100644 debian/patches/bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
create mode 100644 debian/patches/bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
create mode 100644 debian/patches/bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
diff --git a/debian/changelog b/debian/changelog
index c4f339ea3..98f79458a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,11 @@ linux (3.2.41-2) UNRELEASED; urgency=low
 * [x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
 * [x86] drm: Enable DRM_GMA500 as module, replacing DRM_PSB (Closes: #703506)
 - Enable DRM_GMA600, DRM_GMA3600, DRM_MEDFIELD
+ * [x86] KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME
+ (CVE-2013-1796)
+ * [x86] KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache
+ functions (CVE-2013-1797)
+ * KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
 -- Ben Hutchings Sat, 23 Mar 2013 17:45:03 +0000
diff --git a/debian/patches/bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch b/debian/patches/bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
new file mode 100644
index 000000000..1fec3af2c
--- /dev/null
+++ b/debian/patches/bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
@@ -0,0 +1,42 @@
+From: Andy Honig
+Date: Wed, 20 Feb 2013 14:49:16 -0800
+Subject: KVM: Fix bounds checking in ioapic indirect register reads
+ (CVE-2013-1798)
+
+commit a2c118bfab8bc6b8bb213abfc35201e441693d55 upstream.
+
+If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
+that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
+that request. ioapic_read_indirect contains an
+ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
+non-debug builds. In recent kernels this allows a guest to cause a kernel
+oops by reading invalid memory. In older kernels (pre-3.3) this allows a
+guest to read from large ranges of host memory.
+
+Tested: tested against apic unit tests.
+
+Signed-off-by: Andrew Honig
+Signed-off-by: Marcelo Tosatti
+---
+ virt/kvm/ioapic.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
+index ce82b94..5ba005c 100644
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -74,9 +74,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
+ u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
+ u64 redir_content;
+
+- ASSERT(redir_index < IOAPIC_NUM_PINS);
++ if (redir_index < IOAPIC_NUM_PINS)
++ redir_content =
++ ioapic->redirtbl[redir_index].bits;
++ else
++ redir_content = ~0ULL;
+
+- redir_content = ioapic->redirtbl[redir_index].bits;
+ result = (ioapic->ioregsel & 0x1) ?
+ (redir_content >> 32) & 0xffffffff :
+ redir_content & 0xffffffff;
diff --git a/debian/patches/bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch b/debian/patches/bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
new file mode 100644
index 000000000..eb10e2cde
--- /dev/null
+++ b/debian/patches/bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
@@ -0,0 +1,134 @@
+From: Andy Honig
+Date: Wed, 20 Feb 2013 14:48:10 -0800
+Subject: KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache
+ functions (CVE-2013-1797)
+
+commit 0b79459b482e85cb7426aa7da683a9f2c97aeae1 upstream.
+
+There is a potential use after free issue with the handling of
+MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
+memory such as frame buffers then KVM might continue to write to that
+address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
+the page in memory so it's unlikely to cause an issue, but if the user
+space component re-purposes the memory previously used for the guest, then
+the guest will be able to corrupt that memory.
+
+Tested: Tested against kvmclock unit test
+
+Signed-off-by: Andrew Honig
+Signed-off-by: Marcelo Tosatti
+[bwh: Backported to 3.2:
+ - Adjust context
+ - We do not implement the PVCLOCK_GUEST_STOPPED flag]
+---
+ arch/x86/include/asm/kvm_host.h | 4 ++--
+ arch/x86/kvm/x86.c | 47 +++++++++++++++++----------------------
+ 2 files changed, 22 insertions(+), 29 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -393,8 +393,8 @@ struct kvm_vcpu_arch {
+ gpa_t time;
+ struct pvclock_vcpu_time_info hv_clock;
+ unsigned int hw_tsc_khz;
+- unsigned int time_offset;
+- struct page *time_page;
++ struct gfn_to_hva_cache pv_time;
++ bool pv_time_enabled;
+
+ struct {
+ u64 msr_val;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1105,7 +1105,6 @@ static int kvm_guest_time_update(struct
+ {
+ unsigned long flags;
+ struct kvm_vcpu_arch *vcpu = &v->arch;
+- void *shared_kaddr;
+ unsigned long this_tsc_khz;
+ s64 kernel_ns, max_kernel_ns;
+ u64 tsc_timestamp;
+@@ -1141,7 +1140,7 @@ static int kvm_guest_time_update(struct
+
+ local_irq_restore(flags);
+
+- if (!vcpu->time_page)
++ if (!vcpu->pv_time_enabled)
+ return 0;
+
+ /*
+@@ -1199,14 +1198,9 @@ static int kvm_guest_time_update(struct
+ */
+ vcpu->hv_clock.version += 2;
+
+- shared_kaddr = kmap_atomic(vcpu->time_page, KM_USER0);
+-
+- memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock,
+- sizeof(vcpu->hv_clock));
+-
+- kunmap_atomic(shared_kaddr, KM_USER0);
+-
+- mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT);
++ kvm_write_guest_cached(v->kvm, &vcpu->pv_time,
++ &vcpu->hv_clock,
++ sizeof(vcpu->hv_clock));
+ return 0;
+ }
+
+@@ -1496,10 +1490,7 @@ static int kvm_pv_enable_async_pf(struct
+
+ static void kvmclock_reset(struct kvm_vcpu *vcpu)
+ {
+- if (vcpu->arch.time_page) {
+- kvm_release_page_dirty(vcpu->arch.time_page);
+- vcpu->arch.time_page = NULL;
+- }
++ vcpu->arch.pv_time_enabled = false;
+ }
+
+ static void accumulate_steal_time(struct kvm_vcpu *vcpu)
+@@ -1591,6 +1582,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
+ break;
+ case MSR_KVM_SYSTEM_TIME_NEW:
+ case MSR_KVM_SYSTEM_TIME: {
++ u64 gpa_offset;
+ kvmclock_reset(vcpu);
+
+ vcpu->arch.time = data;
+@@ -1600,21 +1592,17 @@ int kvm_set_msr_common(struct kvm_vcpu *
+ if (!(data & 1))
+ break;
+
+- /* ...but clean it before doing the actual write */
+- vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
++ gpa_offset = data & ~(PAGE_MASK | 1);
+
+ /* Check that the address is 32-byte aligned. */
+- if (vcpu->arch.time_offset &
+- (sizeof(struct pvclock_vcpu_time_info) - 1))
++ if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1))
+ break;
+
+- vcpu->arch.time_page =
+- gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+-
+- if (is_error_page(vcpu->arch.time_page)) {
+- kvm_release_page_clean(vcpu->arch.time_page);
+- vcpu->arch.time_page = NULL;
+- }
++ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
++ &vcpu->arch.pv_time, data & ~1ULL))
++ vcpu->arch.pv_time_enabled = false;
++ else
++ vcpu->arch.pv_time_enabled = true;
+ break;
+ }
+ case MSR_KVM_ASYNC_PF_EN:
+@@ -6559,6 +6547,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *
+ if (!zalloc_cpumask_var(&vcpu->arch.wbinvd_dirty_mask, GFP_KERNEL))
+ goto fail_free_mce_banks;
+
++ vcpu->arch.pv_time_enabled = false;
+ kvm_async_pf_hash_reset(vcpu);
+
+ return 0;
diff --git a/debian/patches/bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch b/debian/patches/bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
new file mode 100644
index 000000000..444989428
--- /dev/null
+++ b/debian/patches/bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
@@ -0,0 +1,39 @@
+From: Andy Honig
+Date: Mon, 11 Mar 2013 09:34:52 -0700
+Subject: KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME
+ (CVE-2013-1796)
+
+commit c300aa64ddf57d9c5d9c898a64b36877345dd4a9 upstream.
+
+If the guest sets the GPA of the time_page so that the request to update the
+time straddles a page then KVM will write onto an incorrect page. The
+write is done byusing kmap atomic to get a pointer to the page for the time
+structure and then performing a memcpy to that page starting at an offset
+that the guest controls. Well behaved guests always provide a 32-byte aligned
+address, however a malicious guest could use this to corrupt host kernel
+memory.
+
+Tested: Tested against kvmclock unit test.
+
+Signed-off-by: Andrew Honig
+Signed-off-by: Marcelo Tosatti
+---
+ arch/x86/kvm/x86.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index f7c850b..2ade60c 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1959,6 +1959,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ /* ...but clean it before doing the actual write */
+ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
+
++ /* Check that the address is 32-byte aligned. */
++ if (vcpu->arch.time_offset &
++ (sizeof(struct pvclock_vcpu_time_info) - 1))
++ break;
++
+ vcpu->arch.time_page =
+ gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+
diff --git a/debian/patches/series b/debian/patches/series
index 7e2aa2d56..ff7d9078d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -636,3 +636,6 @@ bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
 bugfix/all/efivars-pstore-do-not-check-size-when-erasing-variable.patch
 debian/efivars-remove-check-for-50-full-on-write.patch
 bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
+bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
+bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
+bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
From 45df0a762b4756eecb6875047a1b111e8bb5217f Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Mon, 25 Mar 2013 15:17:32 +0000
Subject: [PATCH 8/9] [x86] Ignore KVM ABI changes
svn path=/dists/sid/linux/; revision=19948
---
debian/config/amd64/defines | 5 +++++
debian/config/i386/defines | 2 ++
2 files changed, 7 insertions(+)
diff --git a/debian/config/amd64/defines b/debian/config/amd64/defines
index 28a324ab7..1a32371e8 100644
--- a/debian/config/amd64/defines
+++ b/debian/config/amd64/defines
@@ -1,3 +1,8 @@
+[abi]
+ignore-changes:
+# Only for use by the vendor-specific KVM modules
+ module:arch/x86/kvm/kvm
+
 [base]
 featuresets:
 none
diff --git a/debian/config/i386/defines b/debian/config/i386/defines
index 48e321b5d..80b97e7d3 100644
--- a/debian/config/i386/defines
+++ b/debian/config/i386/defines
@@ -2,6 +2,8 @@ ignore-changes:
 disable_hlt
 enable_hlt
+# Only for use by the vendor-specific KVM modules
+ module:arch/x86/kvm/kvm
 [base]
 featuresets:
From d3d3caa09f22542b92c58b534244e029268554b7 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Tue, 26 Mar 2013 02:38:41 +0000
Subject: [PATCH 9/9] Prepare to release linux (3.2.41-2).
svn path=/dists/sid/linux/; revision=19949
---
debian/changelog | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 98f79458a..370bbca2f 100644
--- a/debian/changelog
+++ b/debian/changelog
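Review bot: The new `module:arch/x86/kvm/kvm` entry in the amd64 defines hunk appears to waive ABI checking for everything kvm.ko exports, not just the symbols affected by the struct kvm_vcpu_arch layout change (time_page/time_offset replaced by pv_time/pv_time_enabled in the CVE-2013-1797 backport). That is fine for kvm-intel and kvm-amd, which are built from the same tree and ship in the same package, but an out-of-tree module linked against kvm.ko would load against the changed layout without the checker objecting, so the ignore should be removed again at the next ABI bump. The comment could say so explicitly, e.g. `# Only for use by the vendor-specific KVM modules (kvm-intel, kvm-amd), which are rebuilt with this package; drop at the next ABI bump`. The same entry is added to debian/config/i386/defines in the following hunk.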
@@ -1,4 +1,4 @@
-linux (3.2.41-2) UNRELEASED; urgency=low
+linux (3.2.41-2) unstable; urgency=low
 * [ia64] udeb: Remove efi-modules package; make kernel-image provide
 efi-modules (fixes FTBFS)
@@ -13,7 +13,7 @@ linux (3.2.41-2) UNRELEASED; urgency=low
 functions (CVE-2013-1797)
 * KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
- -- Ben Hutchings Sat, 23 Mar 2013 17:45:03 +0000
+ -- Ben Hutchings Mon, 25 Mar 2013 15:17:44 +0000
 linux (3.2.41-1) unstable; urgency=low