[Hardy] CVE-2010-4247: XEN: Add yield points to blktap and blkback
Stefan Bader
stefan.bader at canonical.com
Wed Jun 1 14:06:45 UTC 2011
As far as I can see this only affects Hardy as that is the only place
that creates a dom0 kernel. The code itself seems to be present in the
lucid-ec2 tree, but as we do not support dom0 and those are drivers
for that. So I set the Lucid-ec2 status to not-affected, but I am thinking
of adding the changes anyway, just in case...
-Stefan
>From 7610b848ef18bd8db8471b450f09bc24f7c5cf7e Mon Sep 17 00:00:00 2001
From: Stefan Bader <stefan.bader at canonical.com>
Date: Wed, 1 Jun 2011 11:54:40 +0200
Subject: [PATCH] UBUNTU: XEN: Add yield points to blktap and blkback
CVE-2010-4247
BugLink: http://bugs.launchpad.net/bugs/791212
This adds a combined patch that consists of
http://xenbits.xensource.com/hg/linux-2.6.18-xen.hg/rev/77f831cbb91d
blkback: Request-processing loop is unbounded and hence requires a
yield point. Also, bad request type is a good cause to sleep for a
short while as the frontend has probably gone mad.
Patch by Steven Smith <steven.smith at eu.citrix.com>
Signed-off-by: Keir Fraser <keir.fraser at citrix.com>
and
http://xenbits.xensource.com/hg/linux-2.6.18-xen.hg/rev/7070d34f251c
blkback/blktap: Check for kthread_should_stop() in inner loop,
mdelaay() should be msleep(), and these changes belong in blktap as
well as blkback.
Based on comments and patches from Jan Beulich and Steven Smith.
Signed-off-by: Keir Fraser <keir.fraser at citrix.com>
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
---
.../xen/patchset/021-xen-CVE-2010-4247.patch | 127 ++++++++++++++++++++
1 files changed, 127 insertions(+), 0 deletions(-)
create mode 100644 debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
diff --git a/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch b/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
new file mode 100644
index 0000000..95a24b7
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
@@ -0,0 +1,127 @@
+Fixes for CVE-2010-4247
+
+blkback: Request-processing loop is unbounded and hence requires a
+yield point. Also, bad request type is a good cause to sleep for a
+short while as the frontend has probably gone mad.
+
+Patch by Steven Smith <steven.smith at eu.citrix.com>
+
+Signed-off-by: Keir Fraser <keir.fraser at citrix.com>
+
+blkback/blktap: Check for kthread_should_stop() in inner loop,
+mdelaay() should be msleep(), and these changes belong in blktap as
+well as blkback.
+Based on comments and patches from Jan Beulich and Steven Smith.
+Signed-off-by: Keir Fraser <keir.fraser at citrix.com>
+
+Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
+
+diff -Nurp custom-source-xen.orig/drivers/xen/blkback/blkback.c custom-source-xen/drivers/xen/blkback/blkback.c
+--- custom-source-xen.orig/drivers/xen/blkback/blkback.c 2011-06-01 09:35:13.180006000 +0000
++++ custom-source-xen/drivers/xen/blkback/blkback.c 2011-06-01 09:46:55.470006001 +0000
+@@ -309,7 +309,7 @@ static int do_block_io_op(blkif_t *blkif
+ rp = blk_rings->common.sring->req_prod;
+ rmb(); /* Ensure we see queued requests up to 'rp'. */
+
+- while ((rc != rp)) {
++ while (rc != rp) {
+
+ if (RING_REQUEST_CONS_OVERFLOW(&blk_rings->common, rc))
+ break;
+@@ -321,6 +321,11 @@ static int do_block_io_op(blkif_t *blkif
+ break;
+ }
+
++ if (kthread_should_stop()) {
++ more_to_do = 1;
++ break;
++ }
++
+ switch (blkif->blk_protocol) {
+ case BLKIF_PROTOCOL_NATIVE:
+ memcpy(&req, RING_GET_REQUEST(&blk_rings->native, rc), sizeof(req));
+@@ -349,6 +354,9 @@ static int do_block_io_op(blkif_t *blkif
+ dispatch_rw_block_io(blkif, &req, pending_req);
+ break;
+ default:
++ /* A good sign something is wrong: sleep for a while to
++ * avoid excessive CPU consumption by a bad guest. */
++ msleep(1);
+ DPRINTK("error: unknown block io operation [%d]\n",
+ req.operation);
+ make_response(blkif, req.id, req.operation,
+@@ -356,7 +364,11 @@ static int do_block_io_op(blkif_t *blkif
+ free_req(pending_req);
+ break;
+ }
++
++ /* Yield point for this unbounded loop. */
++ cond_resched();
+ }
++
+ return more_to_do;
+ }
+
+@@ -507,7 +519,8 @@ static void dispatch_rw_block_io(blkif_t
+ fail_response:
+ make_response(blkif, req->id, req->operation, BLKIF_RSP_ERROR);
+ free_req(pending_req);
+-}
++ msleep(1); /* back off a bit */
++}
+
+
+
+diff -Nurp custom-source-xen.orig/drivers/xen/blktap/blktap.c custom-source-xen/drivers/xen/blktap/blktap.c
+--- custom-source-xen.orig/drivers/xen/blktap/blktap.c 2011-06-01 09:35:13.190006000 +0000
++++ custom-source-xen/drivers/xen/blktap/blktap.c 2011-06-01 09:45:50.870006001 +0000
+@@ -53,6 +53,7 @@
+ #include <linux/major.h>
+ #include <linux/gfp.h>
+ #include <linux/poll.h>
++#include <linux/delay.h>
+ #include <asm/tlbflush.h>
+
+ #define MAX_TAP_DEV 256 /*the maximum number of tapdisk ring devices */
+@@ -1243,6 +1244,11 @@ static int do_block_io_op(blkif_t *blkif
+ break;
+ }
+
++ if (kthread_should_stop()) {
++ more_to_do = 1;
++ break;
++ }
++
+ switch (blkif->blk_protocol) {
+ case BLKIF_PROTOCOL_NATIVE:
+ memcpy(&req, RING_GET_REQUEST(&blk_rings->native, rc),
+@@ -1271,6 +1277,9 @@ static int do_block_io_op(blkif_t *blkif
+ break;
+
+ default:
++ /* A good sign something is wrong: sleep for a while to
++ * avoid excessive CPU consumption by a bad guest. */
++ msleep(1);
+ WPRINTK("unknown operation [%d]\n",
+ req.operation);
+ make_response(blkif, req.id, req.operation,
+@@ -1278,6 +1287,9 @@ static int do_block_io_op(blkif_t *blkif
+ free_req(pending_req);
+ break;
+ }
++
++ /* Yield point for this unbounded loop. */
++ cond_resched();
+ }
+
+ blktap_kick_user(blkif->dev_num);
+@@ -1504,7 +1516,8 @@ static void dispatch_rw_block_io(blkif_t
+ fail_response:
+ make_response(blkif, req->id, req->operation, BLKIF_RSP_ERROR);
+ free_req(pending_req);
+-}
++ msleep(1); /* back off a bit */
++}
+
+
+
--
1.7.4.1
More information about the kernel-team
mailing list