authorMiroslav Benes <mbenes@suse.cz>2018-08-23 13:31:21 +0200
committerMiroslav Benes <mbenes@suse.cz>2018-08-23 13:31:21 +0200
commitbeb8c52f44e902bbde08a29f9c01dbd7bd5a1e5b (patch)
tree58adfec88532f4521fbf24066e28dc3464122d2c
parent9b6cc2a73b400ce62da811aedda3378c4e00d191 (diff)
parent950d7d866a4f1484b586e8b073e740d08447a56d (diff)
Merge branch 'bsc#1105026' into SLE15_Update_0
-rw-r--r--bsc1105026/livepatch_bsc1105026.c184
-rw-r--r--bsc1105026/livepatch_bsc1105026.h12
-rw-r--r--bsc1105026/patched_funcs.csv1
3 files changed, 197 insertions, 0 deletions
diff --git a/bsc1105026/livepatch_bsc1105026.c b/bsc1105026/livepatch_bsc1105026.c
new file mode 100644
index 0000000..afbcbd5
--- /dev/null
+++ b/bsc1105026/livepatch_bsc1105026.c
@@ -0,0 +1,184 @@
+/*
+ * livepatch_bsc1105026
+ *
+ * Fix for XSA-270, bsc#1105026
+ *
+ * Upstream commits:
+ * none yet
+ *
+ * SLE12 commit:
+ * not affected
+ *
+ * SLE12-SP1 commit
+ * not affected
+ *
+ * SLE12-SP2 commit:
+ * not affected
+ *
+ * SLE12-SP3 commit:
+ * not affected
+ *
+ * SLE15 commit:
+ * 6d2d327ec35a326cb336dcbc4e5a8af4a2e59dfb
+ *
+ *
+ * Copyright (c) 2018 SUSE
+ * Author: Nicolai Stange <nstange@suse.de>
+ *
+ * Based on the original Linux kernel code. Other copyrights apply.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#if IS_ENABLED(CONFIG_XEN_NETDEV_BACKEND)
+
+#include <linux/kernel.h>
+#include <xen/interface/xen.h>
+#include <xen/interface/io/netif.h>
+#include <xen/grant_table.h>
+#include <xen/xenbus.h>
+#include <xen/page.h>
+#include "livepatch_bsc1105026.h"
+
+
+#if !IS_MODULE(CONFIG_XEN_NETDEV_BACKEND)
+#error "Live patch supports only CONFIG_XEN_NETDEV_BACKEND=m."
+#endif
+
+/* from drivers/net/xen-netback/common.h */
+#define KLP_XEN_NETBK_MAX_HASH_KEY_SIZE 40
+#define KLP_XEN_NETBK_MAX_HASH_MAPPING_SIZE 128
+
+struct xenvif_hash_cache {
+ spinlock_t lock;
+ struct list_head list;
+ unsigned int count;
+ atomic_t seq;
+};
+
+struct xenvif_hash {
+ unsigned int alg;
+ u32 flags;
+ u8 key[KLP_XEN_NETBK_MAX_HASH_KEY_SIZE];
+ u32 mapping[KLP_XEN_NETBK_MAX_HASH_MAPPING_SIZE];
+ unsigned int size;
+ struct xenvif_hash_cache cache;
+};
+
+struct xenvif {
+ /* Unique identifier for this interface. */
+ domid_t domid;
+ unsigned int handle;
+
+ u8 fe_dev_addr[6];
+ struct list_head fe_mcast_addr;
+ unsigned int fe_mcast_count;
+
+ /* Frontend feature information. */
+ int gso_mask;
+
+ u8 can_sg:1;
+ u8 ip_csum:1;
+ u8 ipv6_csum:1;
+ u8 multicast_control:1;
+
+ /* Is this interface disabled? True when backend discovers
+ * frontend is rogue.
+ */
+ bool disabled;
+ unsigned long status;
+ unsigned long drain_timeout;
+ unsigned long stall_timeout;
+
+ /* Queues */
+ struct xenvif_queue *queues;
+ unsigned int num_queues; /* active queues, resource allocated */
+ unsigned int stalled_queues;
+
+ struct xenvif_hash hash;
+
+ struct xenbus_watch credit_watch;
+ struct xenbus_watch mcast_ctrl_watch;
+
+ spinlock_t lock;
+
+#ifdef CONFIG_DEBUG_FS
+ struct dentry *xenvif_dbg_root;
+#endif
+
+ struct xen_netif_ctrl_back_ring ctrl;
+ unsigned int ctrl_irq;
+
+ /* Miscellaneous private stuff. */
+ struct net_device *dev;
+};
+
+
+
+/* patched */
+u32 klp_xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
+ u32 off)
+{
+ /*
+ * Fix CVE-2018-15471
+ * -1 line, +1 line
+ */
+ u32 *mapping = vif->hash.mapping;
+ struct gnttab_copy copy_op = {
+ .source.u.ref = gref,
+ .source.domid = vif->domid,
+ /*
+ * Fix CVE-2018-15471
+ * -1 line
+ */
+ .dest.domid = DOMID_SELF,
+ /*
+ * Fix CVE-2018-15471
+ * -2 lines, +1 line
+ */
+ .len = len * sizeof(*mapping),
+ .flags = GNTCOPY_source_gref
+ };
+
+ /*
+ * Fix CVE-2018-15471
+ * -1 line, +2 lines
+ */
+ if ((off + len < off) || (off + len > vif->hash.size) ||
+ len > XEN_PAGE_SIZE / sizeof(*mapping))
+ return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
+
+ /*
+ * Fix CVE-2018-15471
+ * +3 lines
+ */
+ copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
+ copy_op.dest.offset = xen_offset_in_page(mapping + off);
+
+ while (len-- != 0)
+ if (mapping[off++] >= vif->num_queues)
+ return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
+
+ if (copy_op.len != 0) {
+ gnttab_batch_copy(&copy_op, 1);
+
+ if (copy_op.status != GNTST_okay)
+ return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
+ }
+
+ return XEN_NETIF_CTRL_STATUS_SUCCESS;
+}
+
+#endif /* IS_ENABLED(CONFIG_XEN_NETDEV_BACKEND) */
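Review bot: The validation loop `while (len-- != 0) if (mapping[off++] >= vif->num_queues)` runs before `gnttab_batch_copy(&copy_op, 1)` fills those entries, so it checks the values that were already in `vif->hash.mapping`, not the ones the frontend just supplied, and an out-of-range queue index in the copied data is installed unchecked. This ordering is inherited from the upstream code the livepatch mirrors rather than introduced here, but if the intent is to validate frontend input the three-line `while` loop belongs after the `if (copy_op.len != 0) { ... }` block, keeping in mind that a failure detected there leaves partially updated entries in place unless the copy is staged into a separate buffer first. Separately, `mapping + off` is a field inside `struct xenvif`, so `copy_op.dest.offset + copy_op.len` can extend past XEN_PAGE_SIZE when the array straddles a page boundary; as far as I know the hypervisor rejects such a copy, so it fails closed, but a valid request would then be spuriously reported as XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER instead of being split into two copy ops.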
diff --git a/bsc1105026/livepatch_bsc1105026.h b/bsc1105026/livepatch_bsc1105026.h
new file mode 100644
index 0000000..40ac7f8
--- /dev/null
+++ b/bsc1105026/livepatch_bsc1105026.h
@@ -0,0 +1,12 @@
+#ifndef _LIVEPATCH_BSC1105026_H
+#define _LIVEPATCH_BSC1105026_H
+
+static inline int livepatch_bsc1105026_init(void) { return 0; }
+static inline void livepatch_bsc1105026_cleanup(void) {}
+
+
+struct xenvif;
+
+u32 klp_xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, u32 off);
+
+#endif /* _LIVEPATCH_BSC1105026_H */
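Review bot: The prototype `u32 klp_xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, u32 off);` uses `u32` but the header includes nothing, so it only compiles when the includer has already pulled in the kernel type definitions; adding `#include <linux/types.h>` right after the include guard makes the header self-contained. The empty `livepatch_bsc1105026_init`/`livepatch_bsc1105026_cleanup` stubs are consistent with a patch that only replaces a function and needs no setup.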
diff --git a/bsc1105026/patched_funcs.csv b/bsc1105026/patched_funcs.csv
new file mode 100644
index 0000000..51888fc
--- /dev/null
+++ b/bsc1105026/patched_funcs.csv
@@ -0,0 +1 @@
+xen_netback xenvif_set_hash_mapping klp_xenvif_set_hash_mapping IS_ENABLED(CONFIG_XEN_NETDEV_BACKEND)