From 037538df5521a1a963b30fa01e9ac854a0ee431b Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 30 Dec 2015 10:05:09 +0100
Subject: kernel-vhost: CVE-2015-6252 Fixes vhost fd leak in ioctl VHOST_SET_LOG_FD
References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6252
http://www.openwall.com/lists/oss-security/2015/08/18/3
Upstream fix:
=============
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
---
 .../linux-hierofalcon/vhost-CVE-2015-6252.patch | 33 ++++++++++++++++++++++
 recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 +
 recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 +
 3 files changed, 35 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-hierofalcon/vhost-CVE-2015-6252.patch
(limited to 'recipes-kernel')
diff --git a/recipes-kernel/linux/linux-hierofalcon/vhost-CVE-2015-6252.patch b/recipes-kernel/linux/linux-hierofalcon/vhost-CVE-2015-6252.patch
new file mode 100644
index 0000000..658fed1
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/vhost-CVE-2015-6252.patch
@@ -0,0 +1,33 @@
+From 7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 Mon Sep 17 00:00:00 2001
+Date: Fri, 17 Jul 2015 15:32:03 +0200
+Subject: vhost: actually track log eventfd file
+
+While reviewing vhost log code, I found out that log_file is never
+set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
+
+Fixes CVE-2015-6252.
+Upstream-Status: Backport
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc-André Lureau
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sona Sarmadi
+---
+ drivers/vhost/vhost.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index a9fe859..95bdb90 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -995,6 +995,7 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
+ }
+ if (eventfp != d->log_file) {
+ filep = d->log_file;
++ d->log_file = eventfp;
+ ctx = d->log_ctx;
+ d->log_ctx = eventfp ?
+ eventfd_ctx_fileget(eventfp) : NULL;
+--
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index bc0dff0..26dfa6d 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -24,6 +24,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
 file://fs_pin-CVE-2015-4178.patch \
 file://fs-CVE-2015-5706.patch \
 file://md-CVE-2015-5697.patch \
+ file://vhost-CVE-2015-6252.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index c4e87a1..6b160d8 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
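Review bot: The header of the new vhost-CVE-2015-6252.patch says `Upstream-Status: Backport` without naming the upstream commit and has no CVE tag line, so the only machine-readable link to the CVE is the file name; I would write `Upstream-Status: Backport [7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5]` and add `CVE: CVE-2015-6252` beneath it. The embedded vhost.c hunk starts keeping eventfp in `d->log_file`, but where the previous file (`filep`) and the stored file are released is not among the seven lines shown, because vhost_dev_ioctl begins and ends outside the hunk. Since the same patch is added to both the 3.19 and 4.1 recipes, that release path and the hunk offset should be checked against each tree. The upstream message states the change was untested, so a line in the commit description saying how the backport was verified would help the next reader.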
@@ -25,6 +25,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://RDS-CVE-2015-6937.patch \
 file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
 file://md-CVE-2015-5697.patch \
+ file://vhost-CVE-2015-6252.patch \
 "
 S = "${WORKDIR}/git"
--
cgit v1.2.3-54-g00ecf