[kernel] r14809 - in dists/lenny/linux-2.6/debian: . patches/bugfix/x86 patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 24 07:14:09 UTC 2009
Author: dannf
Date: Thu Dec 24 07:14:00 2009
New Revision: 14809
Log:
KVM: x86 emulator: limit instructions to 15 bytes (CVE-2009-4031)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-limit-instructions-to-15-bytes.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/21
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Thu Dec 24 06:42:09 2009 (r14808)
+++ dists/lenny/linux-2.6/debian/changelog Thu Dec 24 07:14:00 2009 (r14809)
@@ -33,6 +33,7 @@
* Avoid /proc/$pid/maps visibility during initial setuid ELF loading
(CVE-2009-2691)
* hfs: fix a potential buffer overflow (CVE-2009-4020)
+ * KVM: x86 emulator: limit instructions to 15 bytes (CVE-2009-4031)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 24 Oct 2009 23:45:45 +0100
Added: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-limit-instructions-to-15-bytes.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-limit-instructions-to-15-bytes.patch Thu Dec 24 07:14:00 2009 (r14809)
@@ -0,0 +1,49 @@
+commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb
+Author: Avi Kivity <avi at redhat.com>
+Date: Tue Nov 24 15:20:15 2009 +0200
+
+ KVM: x86 emulator: limit instructions to 15 bytes
+
+ While we are never normally passed an instruction that exceeds 15 bytes,
+ smp games can cause us to attempt to interpret one, which will cause
+ large latencies in non-preempt hosts.
+
+ Cc: stable at kernel.org
+ Signed-off-by: Avi Kivity <avi at redhat.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c linux-source-2.6.26/arch/x86/kvm/x86_emulate.c
+--- linux-source-2.6.26.orig/arch/x86/kvm/x86_emulate.c 2009-10-17 11:09:10.000000000 -0600
++++ linux-source-2.6.26/arch/x86/kvm/x86_emulate.c 2009-12-24 00:03:23.000000000 -0700
+@@ -544,6 +544,9 @@ static int do_insn_fetch(struct x86_emul
+ {
+ int rc = 0;
+
++ /* x86 instructions are limited to 15 bytes. */
++ if (eip + size - ctxt->decode.eip_orig > 15)
++ return X86EMUL_UNHANDLEABLE;
+ eip += ctxt->cs_base;
+ while (size--) {
+ rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
+@@ -837,7 +840,7 @@ x86_decode_insn(struct x86_emulate_ctxt
+ /* Shadow copy of register state. Committed on successful emulation. */
+
+ memset(c, 0, sizeof(struct decode_cache));
+- c->eip = ctxt->vcpu->arch.rip;
++ c->eip = c->eip_orig = ctxt->vcpu->arch.rip;
+ memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
+
+ switch (mode) {
+diff -urpN linux-source-2.6.26.orig/include/asm-x86/kvm_x86_emulate.h linux-source-2.6.26/include/asm-x86/kvm_x86_emulate.h
+--- linux-source-2.6.26.orig/include/asm-x86/kvm_x86_emulate.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/asm-x86/kvm_x86_emulate.h 2009-12-24 00:02:04.000000000 -0700
+@@ -127,7 +127,7 @@ struct decode_cache {
+ unsigned long *override_base;
+ unsigned int d;
+ unsigned long regs[NR_VCPU_REGS];
+- unsigned long eip;
++ unsigned long eip, eip_orig;
+ /* modrm */
+ u8 modrm;
+ u8 modrm_mod;
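Review bot: The new guard in do_insn_fetch evaluates `eip + size - ctxt->decode.eip_orig > 15` in unsigned arithmetic (eip and eip_orig are `unsigned long`), so it only bounds the fetch while `eip` is at or beyond `eip_orig`; a fetch address below the decode start would wrap to a huge value and be rejected, which is fine, but the comment does not state the invariant the check relies on. I would expand the one-line comment to `/* x86 instructions are limited to 15 bytes; reject fetches beyond that distance from the decode start (eip_orig) so a guest racing the instruction bytes cannot keep the emulator fetching indefinitely. */`, and the bare `15` would read better as a named constant shared with the comment. The check is placed before `eip += ctxt->cs_base`, which appears deliberate since eip_orig is recorded from `ctxt->vcpu->arch.rip` without the segment base — worth a note so a later reorder does not break it. do_insn_fetch starts and ends outside the hunk.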
Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21 Thu Dec 24 06:42:09 2009 (r14808)
+++ dists/lenny/linux-2.6/debian/patches/series/21 Thu Dec 24 07:14:00 2009 (r14809)
@@ -38,3 +38,4 @@
+ features/all/atl1e-allow-offload-disable.patch
+ bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
+ bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
++ bugfix/x86/kvm-limit-instructions-to-15-bytes.patch