From: Greg Kroah-Hartman
Date: Fri, 13 Sep 2019 11:46:48 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.193~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a372a223299380fbae44db33355bce6d4479eac;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
vhost-make-sure-log_num-in_num.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index e98fe4bfe74..7afef165fbf 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -6,3 +6,4 @@ scripts-decode_stacktrace-match-basepath-using-shell.patch
 clk-s2mps11-add-used-attribute-to-s2mps11_dt_match.patch
 x86-boot-remove-multiple-copy-of-static-function-sanitize_boot_params.patch
 af_packet-tone-down-the-tx-ring-unsupported-spew.patch
+vhost-make-sure-log_num-in_num.patch
diff --git a/queue-4.4/vhost-make-sure-log_num-in_num.patch b/queue-4.4/vhost-make-sure-log_num-in_num.patch
new file mode 100644
index 00000000000..5318eb0ff27
--- /dev/null
+++ b/queue-4.4/vhost-make-sure-log_num-in_num.patch
@@ -0,0 +1,54 @@
+From 060423bfdee3f8bc6e2c1bac97de24d5415e2bc4 Mon Sep 17 00:00:00 2001
+From: yongduan
+Date: Wed, 11 Sep 2019 17:44:24 +0800
+Subject: vhost: make sure log_num < in_num
+
+From: yongduan
+
+commit 060423bfdee3f8bc6e2c1bac97de24d5415e2bc4 upstream.
+
+The code assumes log_num < in_num everywhere, and that is true as long as
+in_num is incremented by descriptor iov count, and log_num by 1. However
+this breaks if there's a zero sized descriptor.
+
+As a result, if a malicious guest creates a vring desc with desc.len = 0,
+it may cause the host kernel to crash by overflowing the log array. This
+bug can be triggered during the VM migration.
+
+There's no need to log when desc.len = 0, so just don't increment log_num
+in this case.
+
+Fixes: 3a4d5c94e959 ("vhost_net: a kernel-level virtio server")
+Cc: stable@vger.kernel.org
+Reviewed-by: Lidong Chen
+Signed-off-by: ruippan
+Signed-off-by: yongduan
+Acked-by: Michael S. Tsirkin
+Reviewed-by: Tyler Hicks
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/vhost.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1324,7 +1324,7 @@ static int get_indirect(struct vhost_vir
+ /* If this is an input descriptor, increment that count. */
+ if (desc.flags & cpu_to_vhost16(vq, VRING_DESC_F_WRITE)) {
+ *in_num += ret;
+- if (unlikely(log)) {
++ if (unlikely(log && ret)) {
+ log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
+ log[*log_num].len = vhost32_to_cpu(vq, desc.len);
+ ++*log_num;
+@@ -1453,7 +1453,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+ /* If this is an input descriptor,
+ * increment that count. */
+ *in_num += ret;
+- if (unlikely(log)) {
++ if (unlikely(log && ret)) {
+ log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
+ log[*log_num].len = vhost32_to_cpu(vq, desc.len);
+ ++*log_num;
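Review bot: The new guard `if (unlikely(log && ret))` at both sites restores the log_num &lt; in_num invariant only implicitly — it depends on `ret`, the iov count just added to `*in_num` on the line above, being 0 exactly for a zero-length guest descriptor, and nothing in the code says why the extra `&& ret` is there, so a future cleanup could drop it as redundant and reopen the guest-triggerable log overflow the commit message describes. Since the log array's capacity is not passed into get_indirect() or vhost_get_vq_desc() (as far as the visible signatures show), no direct bounds check on `*log_num` is possible here, which makes documenting the invariant the only local defence; I would add above each changed condition `/* Skip logging zero-length descriptors (ret == 0): every log entry must be backed by at least one iov so log_num never exceeds in_num. */`. The logging block is duplicated verbatim at the two sites, so as a follow-up (not for the stable backport) a small static helper would keep the two copies from drifting apart again. Both enclosing functions start and end outside the hunk.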