vhost driver: CVE-2015-6252

Fixes a flaw in the Linux kernel's vhost driver. A privileged local user with access to the /dev/vhost-net files could use this flaw to create a denial-of-service attack. References: =========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6252 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-6252 http://www.openwall.com/lists/oss-security/2015/08/18/3 Upstream patch: =============== https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=a5b3343b05e58b8f8ce7481426f89c048229b50d Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-02-09 07:12:44 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2016-02-10 01:14:30 +0100
commit: 7e15834edfd7f1a4bed0555440b7db97c2b1198e (patch)
tree: e7860b89b9de87a7fab41a6ba89b91d05e87ce85
parent: 743d7ed8232663977b19c0887561a6204bea3e5b (diff)
download: meta-enea-7e15834edfd7f1a4bed0555440b7db97c2b1198e.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch b/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch
new file mode 100644
index 0000000..068b8ad
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch
@@ -0,0 +1,39 @@
+From a5b3343b05e58b8f8ce7481426f89c048229b50d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Fri, 17 Jul 2015 15:32:03 +0200
+Subject: vhost: actually track log eventfd file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+commit 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 upstream.
+While reviewing vhost log code, I found out that log_file is never
+set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
+Fixes CVE-2015-6252.
+Upstream-Status: Backport
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/vhost/vhost.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 69068e0..384bcc8 100644
+--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
+@@ -878,6 +878,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
+                }
+                if (eventfp != d->log_file) {
+                        filep = d->log_file;
+                       d->log_file = eventfp;
+                        ctx = d->log_ctx;
+                        d->log_ctx = eventfp ?
+                                eventfd_ctx_fileget(eventfp) : NULL;
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 3b4a203..9052358 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -22,6 +22,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
    file://ipc-CVE-2015-7613.patch \
    file://net-rds-CVE-2015-2042.patch \
    file://drivers-scsi-CVE-2015-5707.patch \
+    file://vhost-CVE-2015-6252.patch \
    "
 SRC_URI += "file://cfg/00013-localversion.cfg \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-02-09 07:12:44 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2016-02-10 01:14:30 +0100
commit	7e15834edfd7f1a4bed0555440b7db97c2b1198e (patch)
tree	e7860b89b9de87a7fab41a6ba89b91d05e87ce85
parent	743d7ed8232663977b19c0887561a6204bea3e5b (diff)
download	meta-enea-7e15834edfd7f1a4bed0555440b7db97c2b1198e.tar.gz

diff --git a/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch b/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch new file mode 100644 index 0000000..068b8ad --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq-3.12/vhost-CVE-2015-6252.patch
@@ -0,0 +1,39 @@
		1	From a5b3343b05e58b8f8ce7481426f89c048229b50d Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
		3	Date: Fri, 17 Jul 2015 15:32:03 +0200
		4	Subject: vhost: actually track log eventfd file
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	commit 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 upstream.
		10
		11	While reviewing vhost log code, I found out that log_file is never
		12	set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
		13
		14	Fixes CVE-2015-6252.
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		18	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
		19	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		21	---
		22	drivers/vhost/vhost.c \| 1 +
		23	1 file changed, 1 insertion(+)
		24
		25	diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
		26	index 69068e0..384bcc8 100644
		27	--- a/drivers/vhost/vhost.c
		28	+++ b/drivers/vhost/vhost.c
		29	@@ -878,6 +878,7 @@ long vhost_dev_ioctl(struct vhost_dev d, unsigned int ioctl, void __user argp)
		30	}
		31	if (eventfp != d->log_file) {
		32	filep = d->log_file;
		33	+ d->log_file = eventfp;
		34	ctx = d->log_ctx;
		35	d->log_ctx = eventfp ?
		36	eventfd_ctx_fileget(eventfp) : NULL;
		37	--
		38	cgit v0.12
		39


diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc index 3b4a203..9052358 100644 --- a/recipes-kernel/linux/linux-qoriq-common.inc +++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -22,6 +22,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
22	file://ipc-CVE-2015-7613.patch \	22	file://ipc-CVE-2015-7613.patch \
23	file://net-rds-CVE-2015-2042.patch \	23	file://net-rds-CVE-2015-2042.patch \
24	file://drivers-scsi-CVE-2015-5707.patch \	24	file://drivers-scsi-CVE-2015-5707.patch \
		25	file://vhost-CVE-2015-6252.patch \
25	"	26	"
26		27
27	SRC_URI += "file://cfg/00013-localversion.cfg \	28	SRC_URI += "file://cfg/00013-localversion.cfg \