From 652de59d50b14f487797b1bafa1c25754216c883 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 15 Sep 2019 14:59:52 +0200 Subject: [PATCH] drop vhost-block-speculation-of-translated-descriptors.patch
---
queue-4.14/series | 1 - ...peculation-of-translated-descriptors.patch | 46 ------------------- .../vhost-make-sure-log_num-in_num.patch | 4 +- queue-4.19/series | 1 - ...peculation-of-translated-descriptors.patch | 46 ------------------- .../vhost-make-sure-log_num-in_num.patch | 4 +- queue-4.9/series | 1 - ...peculation-of-translated-descriptors.patch | 46 ------------------- .../vhost-make-sure-log_num-in_num.patch | 4 +- queue-5.2/series | 1 - ...peculation-of-translated-descriptors.patch | 46 ------------------- .../vhost-make-sure-log_num-in_num.patch | 4 +- 12 files changed, 8 insertions(+), 196 deletions(-) delete mode 100644 queue-4.14/vhost-block-speculation-of-translated-descriptors.patch delete mode 100644 queue-4.19/vhost-block-speculation-of-translated-descriptors.patch delete mode 100644 queue-4.9/vhost-block-speculation-of-translated-descriptors.patch delete mode 100644 queue-5.2/vhost-block-speculation-of-translated-descriptors.patch
diff --git a/queue-4.14/series b/queue-4.14/series
index 93d3505b07b..d7f2388144f 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -17,5 +17,4 @@ arm64-dts-rockchip-enable-usb-host-regulators-at-boo.patch
 scripts-decode_stacktrace-match-basepath-using-shell.patch
 clk-s2mps11-add-used-attribute-to-s2mps11_dt_match.patch
 kernel-module-fix-mem-leak-in-module_add_modinfo_att.patch
-vhost-block-speculation-of-translated-descriptors.patch
 vhost-make-sure-log_num-in_num.patch
diff --git a/queue-4.14/vhost-block-speculation-of-translated-descriptors.patch b/queue-4.14/vhost-block-speculation-of-translated-descriptors.patch
deleted file mode 100644
index a1f9fb40577..00000000000
--- a/queue-4.14/vhost-block-speculation-of-translated-descriptors.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Sun, 8 Sep 2019 07:04:08 -0400
-Subject: vhost: block speculation of translated descriptors
-
-From: Michael S. Tsirkin
-
-commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
-
-iovec addresses coming from vhost are assumed to be
-pre-validated, but in fact can be speculated to a value
-out of range.
-
-Userspace address are later validated with array_index_nospec so we can
-be sure kernel info does not leak through these addresses, but vhost
-must also not leak userspace info outside the allowed memory table to
-guests.
-
-Following the defence in depth principle, make sure
-the address is not validated out of node range.
-
-Signed-off-by: Michael S. Tsirkin
-Cc: stable@vger.kernel.org
-Acked-by: Jason Wang
-Tested-by: Jason Wang
-Signed-off-by: Greg Kroah-Hartman
-
----
- drivers/vhost/vhost.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1954,8 +1954,10 @@ static int translate_desc(struct vhost_v
- _iov = iov + ret;
- size = node->size - addr + node->start;
- _iov->iov_len = min((u64)len - s, size);
-- _iov->iov_base = (void __user *)(unsigned long)
-- (node->userspace_addr + addr - node->start);
-+ _iov->iov_base = (void __user *)
-+ ((unsigned long)node->userspace_addr +
-+ array_index_nospec((unsigned long)(addr - node->start),
-+ node->size));
- s += size;
- addr += size;
- ++ret;
diff --git a/queue-4.14/vhost-make-sure-log_num-in_num.patch b/queue-4.14/vhost-make-sure-log_num-in_num.patch
index d14b0599250..e647363d7ce 100644
--- a/queue-4.14/vhost-make-sure-log_num-in_num.patch
+++ b/queue-4.14/vhost-make-sure-log_num-in_num.patch
@@ -34,7 +34,7 @@ Signed-off-by: Greg Kroah-Hartman
 
 --- a/drivers/vhost/vhost.c
 +++ b/drivers/vhost/vhost.c
-@@ -2068,7 +2068,7 @@ static int get_indirect(struct vhost_vir
+@@ -2066,7 +2066,7 @@ static int get_indirect(struct vhost_vir
 /* If this is an input descriptor, increment that count. */
 if (access == VHOST_ACCESS_WO) {
 *in_num += ret;
@@ -43,7 +43,7 @@ Signed-off-by: Greg Kroah-Hartman
 log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
 log[*log_num].len = vhost32_to_cpu(vq, desc.len);
 ++*log_num;
-@@ -2211,7 +2211,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+@@ -2209,7 +2209,7 @@ int vhost_get_vq_desc(struct vhost_virtq
 /* If this is an input descriptor,
 * increment that count. */
 *in_num += ret;
diff --git a/queue-4.19/series b/queue-4.19/series
index 85c8af2a357..4a1bb4c23fd 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -186,5 +186,4 @@ ext4-unsigned-int-compared-against-zero.patch
 pci-reset-both-nvidia-gpu-and-hda-in-thinkpad-p50-wo.patch
 powerpc-tm-remove-msr_tm_active.patch
 powerpc-tm-fix-restoring-fp-vmx-facility-incorrectly.patch
-vhost-block-speculation-of-translated-descriptors.patch
 vhost-make-sure-log_num-in_num.patch
diff --git a/queue-4.19/vhost-block-speculation-of-translated-descriptors.patch b/queue-4.19/vhost-block-speculation-of-translated-descriptors.patch
deleted file mode 100644
index 0984a7e71ed..00000000000
--- a/queue-4.19/vhost-block-speculation-of-translated-descriptors.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Sun, 8 Sep 2019 07:04:08 -0400
-Subject: vhost: block speculation of translated descriptors
-
-From: Michael S. Tsirkin
-
-commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
-
-iovec addresses coming from vhost are assumed to be
-pre-validated, but in fact can be speculated to a value
-out of range.
-
-Userspace address are later validated with array_index_nospec so we can
-be sure kernel info does not leak through these addresses, but vhost
-must also not leak userspace info outside the allowed memory table to
-guests.
-
-Following the defence in depth principle, make sure
-the address is not validated out of node range.
-
-Signed-off-by: Michael S. Tsirkin
-Cc: stable@vger.kernel.org
-Acked-by: Jason Wang
-Tested-by: Jason Wang
-Signed-off-by: Greg Kroah-Hartman
-
----
- drivers/vhost/vhost.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1966,8 +1966,10 @@ static int translate_desc(struct vhost_v
- _iov = iov + ret;
- size = node->size - addr + node->start;
- _iov->iov_len = min((u64)len - s, size);
-- _iov->iov_base = (void __user *)(unsigned long)
-- (node->userspace_addr + addr - node->start);
-+ _iov->iov_base = (void __user *)
-+ ((unsigned long)node->userspace_addr +
-+ array_index_nospec((unsigned long)(addr - node->start),
-+ node->size));
- s += size;
- addr += size;
- ++ret;
diff --git a/queue-4.19/vhost-make-sure-log_num-in_num.patch b/queue-4.19/vhost-make-sure-log_num-in_num.patch
index 2a5a6284125..7d4bb1bb070 100644
--- a/queue-4.19/vhost-make-sure-log_num-in_num.patch
+++ b/queue-4.19/vhost-make-sure-log_num-in_num.patch
@@ -34,7 +34,7 @@ Signed-off-by: Greg Kroah-Hartman
 
 --- a/drivers/vhost/vhost.c
 +++ b/drivers/vhost/vhost.c
-@@ -2075,7 +2075,7 @@ static int get_indirect(struct vhost_vir
+@@ -2073,7 +2073,7 @@ static int get_indirect(struct vhost_vir
 /* If this is an input descriptor, increment that count. */
 if (access == VHOST_ACCESS_WO) {
 *in_num += ret;
@@ -43,7 +43,7 @@ Signed-off-by: Greg Kroah-Hartman
 log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
 log[*log_num].len = vhost32_to_cpu(vq, desc.len);
 ++*log_num;
-@@ -2218,7 +2218,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+@@ -2216,7 +2216,7 @@ int vhost_get_vq_desc(struct vhost_virtq
 /* If this is an input descriptor,
 * increment that count. */
 *in_num += ret;
diff --git a/queue-4.9/series b/queue-4.9/series
index 33d1f296d9d..04b5a37ec97 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -10,5 +10,4 @@ batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
 batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
 scripts-decode_stacktrace-match-basepath-using-shell.patch
 clk-s2mps11-add-used-attribute-to-s2mps11_dt_match.patch
-vhost-block-speculation-of-translated-descriptors.patch
 vhost-make-sure-log_num-in_num.patch
diff --git a/queue-4.9/vhost-block-speculation-of-translated-descriptors.patch b/queue-4.9/vhost-block-speculation-of-translated-descriptors.patch
deleted file mode 100644
index b021e13b635..00000000000
--- a/queue-4.9/vhost-block-speculation-of-translated-descriptors.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Sun, 8 Sep 2019 07:04:08 -0400
-Subject: vhost: block speculation of translated descriptors
-
-From: Michael S. Tsirkin
-
-commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
-
-iovec addresses coming from vhost are assumed to be
-pre-validated, but in fact can be speculated to a value
-out of range.
-
-Userspace address are later validated with array_index_nospec so we can
-be sure kernel info does not leak through these addresses, but vhost
-must also not leak userspace info outside the allowed memory table to
-guests.
-
-Following the defence in depth principle, make sure
-the address is not validated out of node range.
-
-Signed-off-by: Michael S. Tsirkin
-Cc: stable@vger.kernel.org
-Acked-by: Jason Wang
-Tested-by: Jason Wang
-Signed-off-by: Greg Kroah-Hartman
-
----
- drivers/vhost/vhost.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1874,8 +1874,10 @@ static int translate_desc(struct vhost_v
- _iov = iov + ret;
- size = node->size - addr + node->start;
- _iov->iov_len = min((u64)len - s, size);
-- _iov->iov_base = (void __user *)(unsigned long)
-- (node->userspace_addr + addr - node->start);
-+ _iov->iov_base = (void __user *)
-+ ((unsigned long)node->userspace_addr +
-+ array_index_nospec((unsigned long)(addr - node->start),
-+ node->size));
- s += size;
- addr += size;
- ++ret;
diff --git a/queue-4.9/vhost-make-sure-log_num-in_num.patch b/queue-4.9/vhost-make-sure-log_num-in_num.patch
index 2373c35e195..04125fc2e6b 100644
--- a/queue-4.9/vhost-make-sure-log_num-in_num.patch
+++ b/queue-4.9/vhost-make-sure-log_num-in_num.patch
@@ -34,7 +34,7 @@ Signed-off-by: Greg Kroah-Hartman
 
 --- a/drivers/vhost/vhost.c
 +++ b/drivers/vhost/vhost.c
-@@ -1989,7 +1989,7 @@ static int get_indirect(struct vhost_vir
+@@ -1987,7 +1987,7 @@ static int get_indirect(struct vhost_vir
 /* If this is an input descriptor, increment that count. */
 if (access == VHOST_ACCESS_WO) {
 *in_num += ret;
@@ -43,7 +43,7 @@ Signed-off-by: Greg Kroah-Hartman
 log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
 log[*log_num].len = vhost32_to_cpu(vq, desc.len);
 ++*log_num;
-@@ -2125,7 +2125,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+@@ -2123,7 +2123,7 @@ int vhost_get_vq_desc(struct vhost_virtq
 /* If this is an input descriptor,
 * increment that count. */
 *in_num += ret;
diff --git a/queue-5.2/series b/queue-5.2/series
index 3ca110cdfc8..7c6af37dcff 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -33,5 +33,4 @@ drm-i915-whitelist-ps_-depth-invocation-_count.patch
 drm-i915-add-whitelist-workarounds-for-icl.patch
 drm-i915-icl-whitelist-ps_-depth-invocation-_count.patch
 btrfs-fix-unwritten-extent-buffers-and-hangs-on-future-writeback-attempts.patch
-vhost-block-speculation-of-translated-descriptors.patch
 vhost-make-sure-log_num-in_num.patch
diff --git a/queue-5.2/vhost-block-speculation-of-translated-descriptors.patch b/queue-5.2/vhost-block-speculation-of-translated-descriptors.patch
deleted file mode 100644
index 098ddca0c59..00000000000
--- a/queue-5.2/vhost-block-speculation-of-translated-descriptors.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Sun, 8 Sep 2019 07:04:08 -0400
-Subject: vhost: block speculation of translated descriptors
-
-From: Michael S. Tsirkin
-
-commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
-
-iovec addresses coming from vhost are assumed to be
-pre-validated, but in fact can be speculated to a value
-out of range.
-
-Userspace address are later validated with array_index_nospec so we can
-be sure kernel info does not leak through these addresses, but vhost
-must also not leak userspace info outside the allowed memory table to
-guests.
-
-Following the defence in depth principle, make sure
-the address is not validated out of node range.
-
-Signed-off-by: Michael S. Tsirkin
-Cc: stable@vger.kernel.org
-Acked-by: Jason Wang
-Tested-by: Jason Wang
-Signed-off-by: Greg Kroah-Hartman
-
----
- drivers/vhost/vhost.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1965,8 +1965,10 @@ static int translate_desc(struct vhost_v
- _iov = iov + ret;
- size = node->size - addr + node->start;
- _iov->iov_len = min((u64)len - s, size);
-- _iov->iov_base = (void __user *)(unsigned long)
-- (node->userspace_addr + addr - node->start);
-+ _iov->iov_base = (void __user *)
-+ ((unsigned long)node->userspace_addr +
-+ array_index_nospec((unsigned long)(addr - node->start),
-+ node->size));
- s += size;
- addr += size;
- ++ret;
diff --git a/queue-5.2/vhost-make-sure-log_num-in_num.patch b/queue-5.2/vhost-make-sure-log_num-in_num.patch
index aaa4fc0d753..a243f942a85 100644
--- a/queue-5.2/vhost-make-sure-log_num-in_num.patch
+++ b/queue-5.2/vhost-make-sure-log_num-in_num.patch
@@ -34,7 +34,7 @@ Signed-off-by: Greg Kroah-Hartman
 
 --- a/drivers/vhost/vhost.c
 +++ b/drivers/vhost/vhost.c
-@@ -2074,7 +2074,7 @@ static int get_indirect(struct vhost_vir
+@@ -2072,7 +2072,7 @@ static int get_indirect(struct vhost_vir
 /* If this is an input descriptor, increment that count. */
 if (access == VHOST_ACCESS_WO) {
 *in_num += ret;
@@ -43,7 +43,7 @@ Signed-off-by: Greg Kroah-Hartman
 log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
 log[*log_num].len = vhost32_to_cpu(vq, desc.len);
 ++*log_num;
-@@ -2217,7 +2217,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+@@ -2215,7 +2215,7 @@ int vhost_get_vq_desc(struct vhost_virtq
 /* If this is an input descriptor,
 * increment that count. */
 *in_num += ret;
-- 2.47.3