diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2016-11-30 09:11:39 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2016-11-30 09:15:19 +0100 |
commit | b67bd212fad858d8a6a1fff0c555c018df8684ff (patch) | |
tree | 522c069e1b51c3cfb170b536a76c18fe569b590b | |
parent | 609f818472358bc4b2ee797ba7c89036c99d7945 (diff) |
vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083 CVE-2016-9084)
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches/bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch | 99 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 102 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 6bab68293..f1125d32f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -234,6 +234,8 @@ linux (4.8.11-1) UNRELEASED; urgency=medium * fs: Avoid premature clearing of capabilities (CVE-2015-1350) (Closes: #770492) * mpi: Fix NULL ptr dereference in mpi_powm() (CVE-2016-8650) + * vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083 + CVE-2016-9084) [ Ben Hutchings ] * [arm64] Enable more drivers for X-Gene (Really closes: #840061): diff --git a/debian/patches/bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch b/debian/patches/bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch new file mode 100644 index 000000000..5bb21177a --- /dev/null +++ b/debian/patches/bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch @@ -0,0 +1,99 @@ +From: Vlad Tsyrklevich <vlad@tsyrklevich.net> +Date: Wed, 12 Oct 2016 18:51:24 +0200 +Subject: vfio/pci: Fix integer overflows, bitmask check +Origin: https://git.kernel.org/linus/05692d7005a364add85c6e25a6c4447ce08f913a + +The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize +user-supplied integers, potentially allowing memory corruption. This +patch adds appropriate integer overflow checks, checks the range bounds +for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element +in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set. +VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in +vfio_pci_set_irqs_ioctl(). + +Furthermore, a kzalloc is changed to a kcalloc because the use of a +kzalloc with an integer multiplication allowed an integer overflow +condition to be reached without this patch. kcalloc checks for overflow +and should prevent a similar occurrence. + +Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net> +Signed-off-by: Alex Williamson <alex.williamson@redhat.com> +--- + drivers/vfio/pci/vfio_pci.c | 33 +++++++++++++++++++++------------ + drivers/vfio/pci/vfio_pci_intrs.c | 2 +- + 2 files changed, 22 insertions(+), 13 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index d624a52..031bc08 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -829,8 +829,9 @@ static long vfio_pci_ioctl(void *device_data, + + } else if (cmd == VFIO_DEVICE_SET_IRQS) { + struct vfio_irq_set hdr; ++ size_t size; + u8 *data = NULL; +- int ret = 0; ++ int max, ret = 0; + + minsz = offsetofend(struct vfio_irq_set, count); + +@@ -838,23 +839,31 @@ static long vfio_pci_ioctl(void *device_data, + return -EFAULT; + + if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS || ++ hdr.count >= (U32_MAX - hdr.start) || + hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK | + VFIO_IRQ_SET_ACTION_TYPE_MASK)) + return -EINVAL; + +- if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) { +- size_t size; +- int max = vfio_pci_get_irq_count(vdev, hdr.index); ++ max = vfio_pci_get_irq_count(vdev, hdr.index); ++ if (hdr.start >= max || hdr.start + hdr.count > max) ++ return -EINVAL; + +- if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL) +- size = sizeof(uint8_t); +- else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD) +- size = sizeof(int32_t); +- else +- return -EINVAL; ++ switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) { ++ case VFIO_IRQ_SET_DATA_NONE: ++ size = 0; ++ break; ++ case VFIO_IRQ_SET_DATA_BOOL: ++ size = sizeof(uint8_t); ++ break; ++ case VFIO_IRQ_SET_DATA_EVENTFD: ++ size = sizeof(int32_t); ++ break; ++ default: ++ return -EINVAL; ++ } + +- if (hdr.argsz - minsz < hdr.count * size || +- hdr.start >= max || hdr.start + hdr.count > max) ++ if (size) { ++ if (hdr.argsz - minsz < hdr.count * size) + return -EINVAL; + + data = memdup_user((void __user *)(arg + minsz), +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c +index c2e6089..1c46045 100644 +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -256,7 +256,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix) + if (!is_irq_none(vdev)) + return -EINVAL; + +- vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL); ++ vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL); + if (!vdev->ctx) + return -ENOMEM; + +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index f09c1db61..d09d09e7f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -99,6 +99,7 @@ bugfix/all/fuse-Propagate-dentry-down-to-inode_change_ok.patch bugfix/all/fs-Give-dentry-to-inode_change_ok-instead-of-inode.patch bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch bugfix/all/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch +bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch # ABI maintenance |