vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083 CVE-2016-9084)
This commit is contained in:
parent
609f818472
commit
b67bd212fa
|
@ -234,6 +234,8 @@ linux (4.8.11-1) UNRELEASED; urgency=medium
|
|||
* fs: Avoid premature clearing of capabilities (CVE-2015-1350)
|
||||
(Closes: #770492)
|
||||
* mpi: Fix NULL ptr dereference in mpi_powm() (CVE-2016-8650)
|
||||
* vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083
|
||||
CVE-2016-9084)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [arm64] Enable more drivers for X-Gene (Really closes: #840061):
|
||||
|
|
99
debian/patches/bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
vendored
Normal file
99
debian/patches/bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
vendored
Normal file
|
@ -0,0 +1,99 @@
|
|||
From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
|
||||
Date: Wed, 12 Oct 2016 18:51:24 +0200
|
||||
Subject: vfio/pci: Fix integer overflows, bitmask check
|
||||
Origin: https://git.kernel.org/linus/05692d7005a364add85c6e25a6c4447ce08f913a
|
||||
|
||||
The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
|
||||
user-supplied integers, potentially allowing memory corruption. This
|
||||
patch adds appropriate integer overflow checks, checks the range bounds
|
||||
for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
|
||||
in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
|
||||
VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
|
||||
vfio_pci_set_irqs_ioctl().
|
||||
|
||||
Furthermore, a kzalloc is changed to a kcalloc because the use of a
|
||||
kzalloc with an integer multiplication allowed an integer overflow
|
||||
condition to be reached without this patch. kcalloc checks for overflow
|
||||
and should prevent a similar occurrence.
|
||||
|
||||
Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
|
||||
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
|
||||
---
|
||||
drivers/vfio/pci/vfio_pci.c | 33 +++++++++++++++++++++------------
|
||||
drivers/vfio/pci/vfio_pci_intrs.c | 2 +-
|
||||
2 files changed, 22 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
|
||||
index d624a52..031bc08 100644
|
||||
--- a/drivers/vfio/pci/vfio_pci.c
|
||||
+++ b/drivers/vfio/pci/vfio_pci.c
|
||||
@@ -829,8 +829,9 @@ static long vfio_pci_ioctl(void *device_data,
|
||||
|
||||
} else if (cmd == VFIO_DEVICE_SET_IRQS) {
|
||||
struct vfio_irq_set hdr;
|
||||
+ size_t size;
|
||||
u8 *data = NULL;
|
||||
- int ret = 0;
|
||||
+ int max, ret = 0;
|
||||
|
||||
minsz = offsetofend(struct vfio_irq_set, count);
|
||||
|
||||
@@ -838,23 +839,31 @@ static long vfio_pci_ioctl(void *device_data,
|
||||
return -EFAULT;
|
||||
|
||||
if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
|
||||
+ hdr.count >= (U32_MAX - hdr.start) ||
|
||||
hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
|
||||
VFIO_IRQ_SET_ACTION_TYPE_MASK))
|
||||
return -EINVAL;
|
||||
|
||||
- if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
|
||||
- size_t size;
|
||||
- int max = vfio_pci_get_irq_count(vdev, hdr.index);
|
||||
+ max = vfio_pci_get_irq_count(vdev, hdr.index);
|
||||
+ if (hdr.start >= max || hdr.start + hdr.count > max)
|
||||
+ return -EINVAL;
|
||||
|
||||
- if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
|
||||
- size = sizeof(uint8_t);
|
||||
- else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
|
||||
- size = sizeof(int32_t);
|
||||
- else
|
||||
- return -EINVAL;
|
||||
+ switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
|
||||
+ case VFIO_IRQ_SET_DATA_NONE:
|
||||
+ size = 0;
|
||||
+ break;
|
||||
+ case VFIO_IRQ_SET_DATA_BOOL:
|
||||
+ size = sizeof(uint8_t);
|
||||
+ break;
|
||||
+ case VFIO_IRQ_SET_DATA_EVENTFD:
|
||||
+ size = sizeof(int32_t);
|
||||
+ break;
|
||||
+ default:
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
|
||||
- if (hdr.argsz - minsz < hdr.count * size ||
|
||||
- hdr.start >= max || hdr.start + hdr.count > max)
|
||||
+ if (size) {
|
||||
+ if (hdr.argsz - minsz < hdr.count * size)
|
||||
return -EINVAL;
|
||||
|
||||
data = memdup_user((void __user *)(arg + minsz),
|
||||
diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
|
||||
index c2e6089..1c46045 100644
|
||||
--- a/drivers/vfio/pci/vfio_pci_intrs.c
|
||||
+++ b/drivers/vfio/pci/vfio_pci_intrs.c
|
||||
@@ -256,7 +256,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
|
||||
if (!is_irq_none(vdev))
|
||||
return -EINVAL;
|
||||
|
||||
- vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
|
||||
+ vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
|
||||
if (!vdev->ctx)
|
||||
return -ENOMEM;
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -99,6 +99,7 @@ bugfix/all/fuse-Propagate-dentry-down-to-inode_change_ok.patch
|
|||
bugfix/all/fs-Give-dentry-to-inode_change_ok-instead-of-inode.patch
|
||||
bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
|
||||
bugfix/all/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch
|
||||
bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
||||
|
|
Loading…
Reference in New Issue