[kernel] r19893 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at alioth.debian.org
Sun Mar 3 02:19:44 UTC 2013 

Author: benh
Date: Sun Mar  3 02:19:43 2013
New Revision: 19893

Log:
vhost: fix length for cross region descriptor (CVE-2013-0311)

Added:
   dists/sid/linux/debian/patches/bugfix/all/vhost-fix-length-for-cross-region-descriptor.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Sun Mar  3 01:41:04 2013	(r19892)
+++ dists/sid/linux/debian/changelog	Sun Mar  3 02:19:43 2013	(r19893)
@@ -11,6 +11,7 @@
   [ Ben Hutchings ]
   * [x86] ata_piix: reenable MS Virtual PC guests (fixes regression in
     3.2.19-1)
+  * vhost: fix length for cross region descriptor (CVE-2013-0311)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 27 Feb 2013 03:48:30 +0000
 

Added: dists/sid/linux/debian/patches/bugfix/all/vhost-fix-length-for-cross-region-descriptor.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/vhost-fix-length-for-cross-region-descriptor.patch	Sun Mar  3 02:19:43 2013	(r19893)
@@ -0,0 +1,31 @@
+From: "Michael S. Tsirkin" <mst at redhat.com>
+Date: Mon, 26 Nov 2012 05:57:27 +0000
+Subject: vhost: fix length for cross region descriptor
+
+commit bd97120fc3d1a11f3124c7c9ba1d91f51829eb85 upstream.
+
+If a single descriptor crosses a region, the
+second chunk length should be decremented
+by size translated so far, instead it includes
+the full descriptor length.
+
+Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+Acked-by: Jason Wang <jasowang at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/vhost/vhost.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 99ac2cb..dedaf81 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1076,7 +1076,7 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len,
+ 		}
+ 		_iov = iov + ret;
+ 		size = reg->memory_size - addr + reg->guest_phys_addr;
+-		_iov->iov_len = min((u64)len, size);
++		_iov->iov_len = min((u64)len - s, size);
+ 		_iov->iov_base = (void __user *)(unsigned long)
+ 			(reg->userspace_addr + addr - reg->guest_phys_addr);
+ 		s += size;

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Sun Mar  3 01:41:04 2013	(r19892)
+++ dists/sid/linux/debian/patches/series	Sun Mar  3 02:19:43 2013	(r19893)
@@ -630,3 +630,4 @@
 bugfix/all/mm-fix-pageblock-bitmap-allocation.patch
 bugfix/all/USB-usb-storage-unusual_devs-update-for-Super-TOP-SA.patch
 debian/x86-efi-avoid-abi-change-in-3.2.38.patch
+bugfix/all/vhost-fix-length-for-cross-region-descriptor.patch

More information about the Kernel-svn-changes mailing list