From: Greg Kroah-Hartman
Date: Sun, 26 Apr 2015 10:05:25 +0000 (+0200)
Subject: 3.10-stable patches
X-Git-Tag: v4.0.1~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=de04e8f6ce90932c7854ed825455b3be8ce269a3;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
kvm-x86-sysenter-emulation-is-broken.patch
netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
---
diff --git a/queue-3.10/kvm-x86-sysenter-emulation-is-broken.patch b/queue-3.10/kvm-x86-sysenter-emulation-is-broken.patch
new file mode 100644
index 00000000000..6027c66f521
--- /dev/null
+++ b/queue-3.10/kvm-x86-sysenter-emulation-is-broken.patch
@@ -0,0 +1,89 @@
+From f3747379accba8e95d70cec0eae0582c8c182050 Mon Sep 17 00:00:00 2001
+From: Nadav Amit
+Date: Thu, 1 Jan 2015 23:11:11 +0200
+Subject: KVM: x86: SYSENTER emulation is broken
+
+From: Nadav Amit
+
+commit f3747379accba8e95d70cec0eae0582c8c182050 upstream.
+
+SYSENTER emulation is broken in several ways:
+1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
+2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
+ still be set without causing #GP).
+3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
+ legacy-mode.
+4. There is some unneeded code.
+
+Fix it.
+
+Signed-off-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+[zhangzhiqiang: backport to 3.10:
+ - adjust context
+ - in 3.10 context "ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF)" is replaced by
+ "ctxt->eflags &= ~(EFLG_VM | EFLG_IF)" in upstream, which was changed by another commit.
+ - After the above adjustments, becomes same to the original patch:
+ https://github.com/torvalds/linux/commit/f3747379accba8e95d70cec0eae0582c8c182050
+]
+Signed-off-by: Zhiqiang Zhang
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2450,7 +2450,7 @@ static int em_sysenter(struct x86_emulat
+ * Not recognized on AMD in compat mode (but is recognized in legacy
+ * mode).
+ */
+- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
+ && !vendor_intel(ctxt))
+ return emulate_ud(ctxt);
+
+@@ -2463,25 +2463,13 @@ static int em_sysenter(struct x86_emulat
+ setup_syscalls_segments(ctxt, &cs, &ss);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+- switch (ctxt->mode) {
+- case X86EMUL_MODE_PROT32:
+- if ((msr_data & 0xfffc) == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- case X86EMUL_MODE_PROT64:
+- if (msr_data == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- default:
+- break;
+- }
++ if ((msr_data & 0xfffc) == 0x0)
++ return emulate_gp(ctxt, 0);
+
+ ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+- cs_sel = (u16)msr_data;
+- cs_sel &= ~SELECTOR_RPL_MASK;
++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
+ ss_sel = cs_sel + 8;
+- ss_sel &= ~SELECTOR_RPL_MASK;
+- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
++ if (efer & EFER_LMA) {
+ cs.d = 0;
+ cs.l = 1;
+ }
+@@ -2490,10 +2478,11 @@ static int em_sysenter(struct x86_emulat
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
+- ctxt->_eip = msr_data;
++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
+- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
++ (u32)msr_data;
+
+ return X86EMUL_CONTINUE;
+ }
diff --git a/queue-3.10/mm-hugetlb-add-migration-hwpoisoned-entry-check-in.patch b/queue-3.10/mm-hugetlb-add-migration-hwpoisoned-entry-check-in.patch
deleted file mode 100644
index 78bbd827787..00000000000
--- a/queue-3.10/mm-hugetlb-add-migration-hwpoisoned-entry-check-in.patch
+++ /dev/null
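Review bot: The unified `if ((msr_data & 0xfffc) == 0x0)` that replaces the per-mode switch now rejects SYSENTER_CS values whose only set bits are the low two in 64-bit mode as well, but nothing in the code says why, and the reason (point 2 of the changelog: bits 0 and 1 of MSR_IA32_SYSENTER_CS could previously be set in 64-bit mode without causing #GP) disappears once the patch is applied. Suggest a comment above that check such as `/* The low two (RPL) bits of SYSENTER_CS are ignored in every mode; a selector that is zero apart from them is #GP */`, and above the two `(efer & EFER_LMA) ? msr_data : (u32)msr_data` assignments `/* EIP/ESP are truncated to 32 bits outside long mode */`, matching point 3. Dropping `ss_sel &= ~SELECTOR_RPL_MASK` is safe only because `cs_sel` already has its RPL bits cleared and `+ 8` cannot set them; a one-line comment on `ss_sel = cs_sel + 8;` would keep a later change to `cs_sel` from silently reintroducing an RPL. em_sysenter starts before the first inner hunk and its remaining body between the hunks is not visible here.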
@@ -1,71 +0,0 @@
-From a8bda28d87c38c6aa93de28ba5d30cc18e865a11 Mon Sep 17 00:00:00 2001
-From: Naoya Horiguchi
-Date: Wed, 11 Feb 2015 15:25:28 -0800
-Subject: mm/hugetlb: add migration/hwpoisoned entry check in
- hugetlb_change_protection
-
-From: Naoya Horiguchi
-
-commit a8bda28d87c38c6aa93de28ba5d30cc18e865a11 upstream.
-
-There is a race condition between hugepage migration and
-change_protection(), where hugetlb_change_protection() doesn't care about
-migration entries and wrongly overwrites them. That causes unexpected
-results like kernel crash. HWPoison entries also can cause the same
-problem.
-
-This patch adds is_hugetlb_entry_(migration|hwpoisoned) check in this
-function to do proper actions.
-
-[n-horiguchi@ah.jp.nec.com: resolve conflict to apply to v3.10.71]
-Fixes: 290408d4a2 ("hugetlb: hugepage migration core")
-Signed-off-by: Naoya Horiguchi
-Cc: Hugh Dickins
-Cc: James Hogan
-Cc: David Rientjes
-Cc: Mel Gorman
-Cc: Johannes Weiner
-Cc: Michal Hocko
-Cc: Rik van Riel
-Cc: Andrea Arcangeli
-Cc: Luiz Capitulino
-Cc: Nishanth Aravamudan
-Cc: Lee Schermerhorn
-Cc: Steve Capper
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
----
- mm/hugetlb.c | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
-
---- a/mm/hugetlb.c
--+++ b/mm/hugetlb.c
-@@ -3117,7 +3117,26 @@ unsigned long hugetlb_change_protection(
- pages++;
- continue;
- }
-- if (!huge_pte_none(huge_ptep_get(ptep))) {
-+ pte = huge_ptep_get(ptep);
-+ if (unlikely(is_hugetlb_entry_hwpoisoned(pte))) {
-+ spin_unlock(ptl);
-+ continue;
-+ }
-+ if (unlikely(is_hugetlb_entry_migration(pte))) {
-+ swp_entry_t entry = pte_to_swp_entry(pte);
-+
-+ if (is_write_migration_entry(entry)) {
-+ pte_t newpte;
-+
-+ make_migration_entry_read(&entry);
-+ newpte = swp_entry_to_pte(entry);
-+ set_huge_pte_at(mm, address, ptep, newpte);
-+ pages++;
-+ }
-+ spin_unlock(ptl);
-+ continue;
-+ }
-+ if (!huge_pte_none(pte)) {
- pte = huge_ptep_get_and_clear(mm, address, ptep);
- pte = pte_mkhuge(huge_pte_modify(pte, newprot));
- pte = arch_make_huge_pte(pte, vma, NULL, 0);
diff --git a/queue-3.10/netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch b/queue-3.10/netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
new file mode 100644
index 00000000000..5c4bad8403a
--- /dev/null
+++ b/queue-3.10/netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
@@ -0,0 +1,93 @@
+From db29a9508a9246e77087c5531e45b2c88ec6988b Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: netfilter: conntrack: disable generic tracking for known protocols
+
+From: Florian Westphal
+
+commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.
+
+Given following iptables ruleset:
+
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+
+ [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+
+Joint work with Daniel Borkmann.
+
+Fixes CVE-2014-8160.
+
+Signed-off-by: Florian Westphal
+Signed-off-by: Daniel Borkmann
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Zhiqiang Zhang
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+
++static bool nf_generic_should_process(u8 proto)
++{
++ switch (proto) {
++#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
++ case IPPROTO_SCTP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
++ case IPPROTO_DCCP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
++ case IPPROTO_GRE:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
++ case IPPROTO_UDPLITE:
++ return false;
++#endif
++ default:
++ return true;
++ }
++}
++
+ static inline struct nf_generic_net *generic_pernet(struct net *net)
+ {
+ return &net->ct.nf_ct_proto.generic;
+@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn
+ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
+ unsigned int dataoff, unsigned int *timeouts)
+ {
+- return true;
++ return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+
+ #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
diff --git a/queue-3.10/series b/queue-3.10/series
index 04c022706a0..805351c8939 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -20,4 +20,5 @@ bluetooth-add-firmware-update-for-atheros-0cf3-311f.patch
 bluetooth-btusb-add-imc-networks-broadcom-based.patch
 bluetooth-add-support-for-intel-bootloader-devices.patch
 bluetooth-ignore-isochronous-endpoints-for-intel-usb-bootloader.patch
-mm-hugetlb-add-migration-hwpoisoned-entry-check-in.patch
+netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
+kvm-x86-sysenter-emulation-is-broken.patch
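Review bot: `nf_generic_should_process` carries no comment on why it declines only the protocols whose dedicated tracker is configured as a module (`CONFIG_NF_CT_PROTO_*_MODULE`) and not those built in, so the CVE-2014-8160 rationale survives only in the changelog once this file is applied. Suggest a header comment above the function such as `/* Refuse a generic (portless) conntrack for protocols that have an in-tree tracker available as a module: the first packet would otherwise create an entry that every later packet of that protocol matches as ESTABLISHED (CVE-2014-8160). */`. The built-in case is presumably skipped because a built-in tracker is registered before the generic fallback is ever consulted; that is worth stating in the comment once confirmed against the registration code, which is outside this hunk. A one-line note on `default: return true;` that protocols without an in-tree tracker deliberately keep generic tracking so NAT and direction information are preserved, as the changelog says, would keep a later reader from "tightening" it without seeing the trade-off.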