vhost driver: CVE-2015-6252

Fixes a flaw in the Linux kernel's vhost driver. A privileged local user with access to the /dev/vhost-net files could use this flaw to create a denial-of-service attack. References: =========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6252 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-6252 http://www.openwall.com/lists/oss-security/2015/08/18/3 Upstream patch: =============== https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-29 10:00:21 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-12-29 23:36:20 +0100
commit: 112edaf87ad6789f56dde1aafb4ce61a14757705 (patch)
tree: d9adfda721e6158daa1cb38d850077738aa67466
parent: cc381727c4a4c38cc0697c8f96b6e36e670c2cb7 (diff)
download: meta-enea-112edaf87ad6789f56dde1aafb4ce61a14757705.tar.gz
2 files changed, 34 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch b/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch
new file mode 100644
index 0000000..658fed1
--- /dev/null
+++ b/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch
@@ -0,0 +1,33 @@
+From 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 Mon Sep 17 00:00:00 2001
+Date: Fri, 17 Jul 2015 15:32:03 +0200
+Subject: vhost: actually track log eventfd file
+While reviewing vhost log code, I found out that log_file is never
+set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
+Fixes CVE-2015-6252.
+Upstream-Status: Backport
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/vhost/vhost.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index a9fe859..95bdb90 100644
+--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
+@@ -995,6 +995,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
+                }
+                if (eventfp != d->log_file) {
+                        filep = d->log_file;
+                       d->log_file = eventfp;
+                        ctx = d->log_ctx;
+                        d->log_ctx = eventfp ?
+                                eventfd_ctx_fileget(eventfp) : NULL;
+-- 
+cgit v0.11.2
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 90bb462..f865fcb 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -10,4 +10,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
            file://fs-CVE-2015-5706.patch \
            file://drivers-scsi-CVE-2015-5707.patch \
            file://md-CVE-2015-5697.patch \
+            file://vhost-CVE-2015-6252.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-29 10:00:21 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-12-29 23:36:20 +0100
commit	112edaf87ad6789f56dde1aafb4ce61a14757705 (patch)
tree	d9adfda721e6158daa1cb38d850077738aa67466
parent	cc381727c4a4c38cc0697c8f96b6e36e670c2cb7 (diff)
download	meta-enea-112edaf87ad6789f56dde1aafb4ce61a14757705.tar.gz

diff --git a/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch b/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch new file mode 100644 index 0000000..658fed1 --- /dev/null +++ b/recipes-kernel/linux/files/vhost-CVE-2015-6252.patch
@@ -0,0 +1,33 @@
		1	From 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 Mon Sep 17 00:00:00 2001
		2	Date: Fri, 17 Jul 2015 15:32:03 +0200
		3	Subject: vhost: actually track log eventfd file
		4
		5	While reviewing vhost log code, I found out that log_file is never
		6	set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
		7
		8	Fixes CVE-2015-6252.
		9	Upstream-Status: Backport
		10
		11	Cc: stable@vger.kernel.org
		12	Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		13	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
		14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		15	---
		16	drivers/vhost/vhost.c \| 1 +
		17	1 file changed, 1 insertion(+)
		18
		19	diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
		20	index a9fe859..95bdb90 100644
		21	--- a/drivers/vhost/vhost.c
		22	+++ b/drivers/vhost/vhost.c
		23	@@ -995,6 +995,7 @@ long vhost_dev_ioctl(struct vhost_dev d, unsigned int ioctl, void __user argp)
		24	}
		25	if (eventfp != d->log_file) {
		26	filep = d->log_file;
		27	+ d->log_file = eventfp;
		28	ctx = d->log_ctx;
		29	d->log_ctx = eventfp ?
		30	eventfd_ctx_fileget(eventfp) : NULL;
		31	--
		32	cgit v0.11.2
		33


diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 90bb462..f865fcb 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -10,4 +10,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
10	file://fs-CVE-2015-5706.patch \	10	file://fs-CVE-2015-5706.patch \
11	file://drivers-scsi-CVE-2015-5707.patch \	11	file://drivers-scsi-CVE-2015-5707.patch \
12	file://md-CVE-2015-5697.patch \	12	file://md-CVE-2015-5697.patch \
		13	file://vhost-CVE-2015-6252.patch \
13	"	14	"