--- /dev/null
+From f3747379accba8e95d70cec0eae0582c8c182050 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 1 Jan 2015 23:11:11 +0200
+Subject: KVM: x86: SYSENTER emulation is broken
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit f3747379accba8e95d70cec0eae0582c8c182050 upstream.
+
+SYSENTER emulation is broken in several ways:
+1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
+2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
+ still be set without causing #GP).
+3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
+ legacy-mode.
+4. There is some unneeded code.
+
+Fix it.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[zhangzhiqiang: backport to 3.10:
+ - adjust context
+ - in 3.10 context "ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF)" is replaced by
+ "ctxt->eflags &= ~(EFLG_VM | EFLG_IF)" in upstream, which was changed by another commit.
+ - After the above adjustments, becomes same to the original patch:
+ https://github.com/torvalds/linux/commit/f3747379accba8e95d70cec0eae0582c8c182050
+]
+Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2450,7 +2450,7 @@ static int em_sysenter(struct x86_emulat
+ * Not recognized on AMD in compat mode (but is recognized in legacy
+ * mode).
+ */
+- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
+ && !vendor_intel(ctxt))
+ return emulate_ud(ctxt);
+
+@@ -2463,25 +2463,13 @@ static int em_sysenter(struct x86_emulat
+ setup_syscalls_segments(ctxt, &cs, &ss);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+- switch (ctxt->mode) {
+- case X86EMUL_MODE_PROT32:
+- if ((msr_data & 0xfffc) == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- case X86EMUL_MODE_PROT64:
+- if (msr_data == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- default:
+- break;
+- }
++ if ((msr_data & 0xfffc) == 0x0)
++ return emulate_gp(ctxt, 0);
+
+ ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+- cs_sel = (u16)msr_data;
+- cs_sel &= ~SELECTOR_RPL_MASK;
++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
+ ss_sel = cs_sel + 8;
+- ss_sel &= ~SELECTOR_RPL_MASK;
+- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
++ if (efer & EFER_LMA) {
+ cs.d = 0;
+ cs.l = 1;
+ }
+@@ -2490,10 +2478,11 @@ static int em_sysenter(struct x86_emulat
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
+- ctxt->_eip = msr_data;
++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
+- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
++ (u32)msr_data;
+
+ return X86EMUL_CONTINUE;
+ }
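Review bot: The null-selector test `if ((msr_data & 0xfffc) == 0x0)` and the selector that is then loaded, `cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;`, spell the same quantity two different ways, so a reader has to work out that the literal 0xfffc is "the 16-bit selector minus its RPL bits". Computing the selector first and testing it reads as one rule: `cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;` followed by `if (cs_sel == 0) return emulate_gp(ctxt, 0);` (equivalent provided SELECTOR_RPL_MASK is 0x3, which the 0xfffc mask implies). Since the per-mode switch is gone, a short comment above the check such as `/* SYSENTER_CS selecting the null segment is #GP(0) in every mode, 64-bit included */` would record why the single check is now correct for PROT64 as well. em_sysenter begins before the first hunk, as the `@@ ... static int em_sysenter(` headers show, and its locals (cs_sel, ss_sel, msr_data, efer) are declared outside the visible lines.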
+++ /dev/null
-From a8bda28d87c38c6aa93de28ba5d30cc18e865a11 Mon Sep 17 00:00:00 2001
-From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
-Date: Wed, 11 Feb 2015 15:25:28 -0800
-Subject: mm/hugetlb: add migration/hwpoisoned entry check in
- hugetlb_change_protection
-
-From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
-
-commit a8bda28d87c38c6aa93de28ba5d30cc18e865a11 upstream.
-
-There is a race condition between hugepage migration and
-change_protection(), where hugetlb_change_protection() doesn't care about
-migration entries and wrongly overwrites them. That causes unexpected
-results like kernel crash. HWPoison entries also can cause the same
-problem.
-
-This patch adds is_hugetlb_entry_(migration|hwpoisoned) check in this
-function to do proper actions.
-
-[n-horiguchi@ah.jp.nec.com: resolve conflict to apply to v3.10.71]
-Fixes: 290408d4a2 ("hugetlb: hugepage migration core")
-Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: James Hogan <james.hogan@imgtec.com>
-Cc: David Rientjes <rientjes@google.com>
-Cc: Mel Gorman <mel@csn.ul.ie>
-Cc: Johannes Weiner <hannes@cmpxchg.org>
-Cc: Michal Hocko <mhocko@suse.cz>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Andrea Arcangeli <aarcange@redhat.com>
-Cc: Luiz Capitulino <lcapitulino@redhat.com>
-Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
-Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
-Cc: Steve Capper <steve.capper@linaro.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/hugetlb.c | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
-
---- a/mm/hugetlb.c
-+++ b/mm/hugetlb.c
-@@ -3117,7 +3117,26 @@ unsigned long hugetlb_change_protection(
- pages++;
- continue;
- }
-- if (!huge_pte_none(huge_ptep_get(ptep))) {
-+ pte = huge_ptep_get(ptep);
-+ if (unlikely(is_hugetlb_entry_hwpoisoned(pte))) {
-+ spin_unlock(ptl);
-+ continue;
-+ }
-+ if (unlikely(is_hugetlb_entry_migration(pte))) {
-+ swp_entry_t entry = pte_to_swp_entry(pte);
-+
-+ if (is_write_migration_entry(entry)) {
-+ pte_t newpte;
-+
-+ make_migration_entry_read(&entry);
-+ newpte = swp_entry_to_pte(entry);
-+ set_huge_pte_at(mm, address, ptep, newpte);
-+ pages++;
-+ }
-+ spin_unlock(ptl);
-+ continue;
-+ }
-+ if (!huge_pte_none(pte)) {
- pte = huge_ptep_get_and_clear(mm, address, ptep);
- pte = pte_mkhuge(huge_pte_modify(pte, newprot));
- pte = arch_make_huge_pte(pte, vma, NULL, 0);
--- /dev/null
+From db29a9508a9246e77087c5531e45b2c88ec6988b Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: netfilter: conntrack: disable generic tracking for known protocols
+
+From: Florian Westphal <fw@strlen.de>
+
+commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.
+
+Given following iptables ruleset:
+
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+
+ [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+
+Joint work with Daniel Borkmann.
+
+Fixes CVE-2014-8160.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+
++static bool nf_generic_should_process(u8 proto)
++{
++ switch (proto) {
++#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
++ case IPPROTO_SCTP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
++ case IPPROTO_DCCP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
++ case IPPROTO_GRE:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
++ case IPPROTO_UDPLITE:
++ return false;
++#endif
++ default:
++ return true;
++ }
++}
++
+ static inline struct nf_generic_net *generic_pernet(struct net *net)
+ {
+ return &net->ct.nf_ct_proto.generic;
+@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn
+ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
+ unsigned int dataoff, unsigned int *timeouts)
+ {
+- return true;
++ return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+
+ #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
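Review bot: The `#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE` guard in nf_generic_should_process (and the DCCP, GRE and UDPLITE guards below it) is true only when the helper is configured as a module; with a built-in helper (`=y`) the `_MODULE` macro is undefined and the generic tracker keeps accepting that protocol. If the intent is that a built-in helper is always registered at boot and therefore never falls through to generic_new, a one-line comment stating that assumption above the switch would save the next reader the question; if not, `#if IS_ENABLED(CONFIG_NF_CT_PROTO_SCTP)` covers both configurations and matches the `#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)` the same file already uses. The new function also lacks a contract comment; something like `/* Refuse generic tracking for protocols that have a dedicated conntrack helper in this build, so an unloaded helper module cannot widen a port-specific rule to the whole protocol. */` captures the rationale the commit message gives. The `@@ -14,6 +14,30 @@` hunk starts in file-scope declarations, not inside a function, so no definition is cut there; generic_new is shown complete in the second hunk.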
bluetooth-btusb-add-imc-networks-broadcom-based.patch
bluetooth-add-support-for-intel-bootloader-devices.patch
bluetooth-ignore-isochronous-endpoints-for-intel-usb-bootloader.patch
-mm-hugetlb-add-migration-hwpoisoned-entry-check-in.patch
+netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
+kvm-x86-sysenter-emulation-is-broken.patch