From patchwork Wed Jun 1 14:06:45 2011
X-Patchwork-Submitter: Stefan Bader
X-Patchwork-Id: 98190
From: Stefan Bader
To: kernel-team@lists.ubuntu.com
Subject: [Hardy] CVE-2010-4247: XEN: Add yield points to blktap and blkback
Date: Wed, 1 Jun 2011 16:06:45 +0200
Message-Id: <1306937205-11184-1-git-send-email-stefan.bader@canonical.com>

As far as I can see this only affects Hardy as that is the only place that creates a dom0 kernel. The code itself seems to be present in the lucid-ec2 tree, but as we do not support dom0 and those are drivers for that, I set the Lucid-ec2 status to not-affected. I am thinking of adding the changes anyway, just in case...

-Stefan

From 7610b848ef18bd8db8471b450f09bc24f7c5cf7e Mon Sep 17 00:00:00 2001
From: Stefan Bader
Date: Wed, 1 Jun 2011 11:54:40 +0200
Subject: [PATCH] UBUNTU: XEN: Add yield points to blktap and blkback

CVE-2010-4247

BugLink: http://bugs.launchpad.net/bugs/791212

This adds a combined patch that consists of

http://xenbits.xensource.com/hg/linux-2.6.18-xen.hg/rev/77f831cbb91d

blkback: Request-processing loop is unbounded and hence requires a yield point. Also, bad request type is a good cause to sleep for a short while as the frontend has probably gone mad.

Patch by Steven Smith
Signed-off-by: Keir Fraser

and

http://xenbits.xensource.com/hg/linux-2.6.18-xen.hg/rev/7070d34f251c

blkback/blktap: Check for kthread_should_stop() in inner loop, mdelay() should be msleep(), and these changes belong in blktap as well as blkback. Based on comments and patches from Jan Beulich and Steven Smith.

Signed-off-by: Keir Fraser
Signed-off-by: Stefan Bader
Acked-by: Tim Gardner
Acked-by: John Johansen
---
 .../xen/patchset/021-xen-CVE-2010-4247.patch |  127 ++++++++++++++++++++
 1 files changed, 127 insertions(+), 0 deletions(-)
 create mode 100644 debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch

diff --git a/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch b/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
new file mode 100644
index 0000000..95a24b7
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
@@ -0,0 +1,127 @@ +Fixes for CVE-2010-4247 + +blkback: Request-processing loop is unbounded and hence requires a +yield point. Also, bad request type is a good cause to sleep for a +short while as the frontend has probably gone mad. + +Patch by Steven Smith + +Signed-off-by: Keir Fraser + +blkback/blktap: Check for kthread_should_stop() in inner loop, +mdelaay() should be msleep(), and these changes belong in blktap as +well as blkback. +Based on comments and patches from Jan Beulich and Steven Smith. +Signed-off-by: Keir Fraser + +Signed-off-by: Stefan Bader + +diff -Nurp custom-source-xen.orig/drivers/xen/blkback/blkback.c custom-source-xen/drivers/xen/blkback/blkback.c +--- custom-source-xen.orig/drivers/xen/blkback/blkback.c 2011-06-01 09:35:13.180006000 +0000 ++++ custom-source-xen/drivers/xen/blkback/blkback.c 2011-06-01 09:46:55.470006001 +0000 +@@ -309,7 +309,7 @@ static int do_block_io_op(blkif_t *blkif + rp = blk_rings->common.sring->req_prod; + rmb(); /* Ensure we see queued requests up to 'rp'. */ + +- while ((rc != rp)) { ++ while (rc != rp) { + + if (RING_REQUEST_CONS_OVERFLOW(&blk_rings->common, rc)) + break; +@@ -321,6 +321,11 @@ static int do_block_io_op(blkif_t *blkif + break; + } + ++ if (kthread_should_stop()) { ++ more_to_do = 1; ++ break; ++ } ++ + switch (blkif->blk_protocol) { + case BLKIF_PROTOCOL_NATIVE: + memcpy(&req, RING_GET_REQUEST(&blk_rings->native, rc), sizeof(req)); +@@ -349,6 +354,9 @@ static int do_block_io_op(blkif_t *blkif + dispatch_rw_block_io(blkif, &req, pending_req); + break; + default: ++ /* A good sign something is wrong: sleep for a while to ++ * avoid excessive CPU consumption by a bad guest. */ ++ msleep(1); + DPRINTK("error: unknown block io operation [%d]\n", + req.operation); + make_response(blkif, req.id, req.operation, +@@ -356,7 +364,11 @@ static int do_block_io_op(blkif_t *blkif + free_req(pending_req); + break; + } ++ ++ /* Yield point for this unbounded loop. 
*/ ++ cond_resched(); + } ++ + return more_to_do; + } + +@@ -507,7 +519,8 @@ static void dispatch_rw_block_io(blkif_t + fail_response: + make_response(blkif, req->id, req->operation, BLKIF_RSP_ERROR); + free_req(pending_req); +-} ++ msleep(1); /* back off a bit */ ++} + + + +diff -Nurp custom-source-xen.orig/drivers/xen/blktap/blktap.c custom-source-xen/drivers/xen/blktap/blktap.c +--- custom-source-xen.orig/drivers/xen/blktap/blktap.c 2011-06-01 09:35:13.190006000 +0000 ++++ custom-source-xen/drivers/xen/blktap/blktap.c 2011-06-01 09:45:50.870006001 +0000 +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + #include + + #define MAX_TAP_DEV 256 /*the maximum number of tapdisk ring devices */ +@@ -1243,6 +1244,11 @@ static int do_block_io_op(blkif_t *blkif + break; + } + ++ if (kthread_should_stop()) { ++ more_to_do = 1; ++ break; ++ } ++ + switch (blkif->blk_protocol) { + case BLKIF_PROTOCOL_NATIVE: + memcpy(&req, RING_GET_REQUEST(&blk_rings->native, rc), +@@ -1271,6 +1277,9 @@ static int do_block_io_op(blkif_t *blkif + break; + + default: ++ /* A good sign something is wrong: sleep for a while to ++ * avoid excessive CPU consumption by a bad guest. */ ++ msleep(1); + WPRINTK("unknown operation [%d]\n", + req.operation); + make_response(blkif, req.id, req.operation, +@@ -1278,6 +1287,9 @@ static int do_block_io_op(blkif_t *blkif + free_req(pending_req); + break; + } ++ ++ /* Yield point for this unbounded loop. */ ++ cond_resched(); + } + + blktap_kick_user(blkif->dev_num); +@@ -1504,7 +1516,8 @@ static void dispatch_rw_block_io(blkif_t + fail_response: + make_response(blkif, req->id, req->operation, BLKIF_RSP_ERROR); + free_req(pending_req); +-} ++ msleep(1); /* back off a bit */ ++} + + +
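Review bot: the description embedded at the top of the new 021-xen-CVE-2010-4247.patch file carries the upstream typo "mdelaay() should be msleep()"; since this text is copied verbatim from the xenbits changeset it can stay, but if the file header is edited anyway, "mdelay()" is the intended name.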
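Review bot: in the blkback do_block_io_op hunk at @@ -349,6 +354,9 @@ (and the matching blktap hunk at @@ -1271,6 +1277,9 @@) the new msleep(1) in the default: case runs before DPRINTK/WPRINTK, make_response() and free_req(pending_req), so the error response is delayed and the pending request slot is held for the whole back-off, whereas the fail_response hunks place msleep(1) after free_req(). Consider moving the sleep to the end of the default: case so both back-off points behave the same way: respond first, release the slot, then sleep.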
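Review bot: the msleep(1) added after free_req(pending_req) at the fail_response label in both dispatch_rw_block_io() hunks is unconditional, so every request that reaches fail_response, not only one from a misbehaving frontend, now costs the backend thread at least a millisecond; the visible lines do not show which error paths jump to that label, so it is worth confirming that legitimate transient failures cannot reach it at a rate where this back-off would visibly throttle a healthy guest, or noting the trade-off in the description.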
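Review bot: the blktap hunk at @@ -53,6 +53,7 @@ adds a header (its angle-bracketed name has been lost in this rendering; msleep() is declared in linux/delay.h) while the blkback.c hunks add the same msleep() calls without any new include, so blkback.c presumably already pulls that header in directly or transitively; please confirm the Hardy xen flavour builds cleanly with both files, since a missing declaration here would only show up as an implicit-declaration warning in C.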