From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.4 10/27] vhost: validate vhost_get_vq_desc return value
Date: Thu, 24 Apr 2014 14:55:44 -0700 [thread overview]
Message-ID: <20140424215552.262522955@linuxfoundation.org> (raw)
In-Reply-To: <20140424215551.942390050@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" <mst@redhat.com>
[ Upstream commit a39ee449f96a2cd44ce056d8a0a112211a9b1a1f ]
vhost fails to validate negative error code
from vhost_get_vq_desc causing
a crash: we are using -EFAULT which is 0xfffffff2
as vector size, which exceeds the allocated size.
The code in question was introduced in commit
8dd014adfea6f173c1ef6378f7e5e7924866c923
vhost-net: mergeable buffers support
CVE-2014-0055
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/net.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -324,9 +324,13 @@ static int get_rx_bufs(struct vhost_virt
r = -ENOBUFS;
goto err;
}
- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
+ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
ARRAY_SIZE(vq->iov) - seg, &out,
&in, log, log_num);
+ if (unlikely(r < 0))
+ goto err;
+
+ d = r;
if (d == vq->num) {
r = 0;
goto err;
next prev parent reply other threads:[~2014-04-24 21:55 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-24 21:55 [PATCH 3.4 00/27] 3.4.88-stable review Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 01/27] net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 03/27] net: unix: non blocking recvmsg() should not return -EINTR Greg Kroah-Hartman
2014-04-24 22:01 ` Rainer Weikusat
2014-04-24 22:19 ` Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 04/27] ipv6: dont set DST_NOCOUNT for remotely added routes Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 06/27] net: socket: error on a negative msg_namelen Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 07/27] ipv6: Avoid unnecessary temporary addresses being generated Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 08/27] ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 09/27] vhost: fix total length when packets are too short Greg Kroah-Hartman
2014-04-24 21:55 ` Greg Kroah-Hartman [this message]
2014-04-24 21:55 ` [PATCH 3.4 11/27] xen-netback: remove pointless clause from if statement Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 12/27] ipv6: some ipv6 statistic counters failed to disable bh Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 13/27] netlink: dont compare the nul-termination in nla_strcmp Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 14/27] isdnloop: Validate NUL-terminated strings from user Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 15/27] isdnloop: several buffer overflows Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 16/27] rds: prevent dereference of a NULL device in rds_iw_laddr_check Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 17/27] sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on Simba-bridges Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 18/27] Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines." Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 19/27] sparc32: fix build failure for arch_jump_label_transform Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 20/27] sparc64: dont treat 64-bit syscall return codes as 32-bit Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 21/27] Char: ipmi_bt_sm, fix infinite loop Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 22/27] Bluetooth: Fix removing Long Term Key Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 23/27] jffs2: Fix segmentation fault found in stress test Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 24/27] jffs2: Fix crash due to truncation of csize Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 25/27] jffs2: avoid soft-lockup in jffs2_reserve_space_gc() Greg Kroah-Hartman
2014-04-24 21:56 ` [PATCH 3.4 26/27] jffs2: remove from wait queue after schedule() Greg Kroah-Hartman
2014-04-24 21:56 ` [PATCH 3.4 27/27] wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race Greg Kroah-Hartman
2014-04-25 0:12 ` [PATCH 3.4 00/27] 3.4.88-stable review Guenter Roeck
2014-04-25 17:21 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140424215552.262522955@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).