FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 06-01-2011, 09:54 AM
Stefan Bader
 
Default UBUNTU: XEN: Add yield points to blktap and blkback

CVE-2010-4247
BugLink: http://bugs.launchpad.net/bugs/791212

This adds a combined patch that consists of

http://xenbits.xensource.com/hg/linux-2.6.18-xen.hg/rev/77f831cbb91d

blkback: Request-processing loop is unbounded and hence requires a
yield point. Also, bad request type is a good cause to sleep for a
short while as the frontend has probably gone mad.

Patch by Steven Smith <steven.smith@eu.citrix.com>

Signed-off-by: Keir Fraser <keir.fraser@citrix.com>

and

http://xenbits.xensource.com/hg/linux-2.6.18-xen.hg/rev/7070d34f251c

blkback/blktap: Check for kthread_should_stop() in inner loop,
mdelaay() should be msleep(), and these changes belong in blktap as
well as blkback.
Based on comments and patches from Jan Beulich and Steven Smith.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
.../xen/patchset/021-xen-CVE-2010-4247.patch | 127 ++++++++++++++++++++
1 files changed, 127 insertions(+), 0 deletions(-)
create mode 100644 debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch

diff --git a/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch b/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
new file mode 100644
index 0000000..95a24b7
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
@@ -0,0 +1,127 @@
+Fixes for CVE-2010-4247
+
+blkback: Request-processing loop is unbounded and hence requires a
+yield point. Also, bad request type is a good cause to sleep for a
+short while as the frontend has probably gone mad.
+
+Patch by Steven Smith <steven.smith@eu.citrix.com>
+
+Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
+
+blkback/blktap: Check for kthread_should_stop() in inner loop,
+mdelaay() should be msleep(), and these changes belong in blktap as
+well as blkback.
+Based on comments and patches from Jan Beulich and Steven Smith.
+Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
+
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+
+diff -Nurp custom-source-xen.orig/drivers/xen/blkback/blkback.c custom-source-xen/drivers/xen/blkback/blkback.c
+--- custom-source-xen.orig/drivers/xen/blkback/blkback.c 2011-06-01 09:35:13.180006000 +0000
++++ custom-source-xen/drivers/xen/blkback/blkback.c 2011-06-01 09:46:55.470006001 +0000
+@@ -309,7 +309,7 @@ static int do_block_io_op(blkif_t *blkif
+ rp = blk_rings->common.sring->req_prod;
+ rmb(); /* Ensure we see queued requests up to 'rp'. */
+
+- while ((rc != rp)) {
++ while (rc != rp) {
+
+ if (RING_REQUEST_CONS_OVERFLOW(&blk_rings->common, rc))
+ break;
+@@ -321,6 +321,11 @@ static int do_block_io_op(blkif_t *blkif
+ break;
+ }
+
++ if (kthread_should_stop()) {
++ more_to_do = 1;
++ break;
++ }
++
+ switch (blkif->blk_protocol) {
+ case BLKIF_PROTOCOL_NATIVE:
+ memcpy(&req, RING_GET_REQUEST(&blk_rings->native, rc), sizeof(req));
+@@ -349,6 +354,9 @@ static int do_block_io_op(blkif_t *blkif
+ dispatch_rw_block_io(blkif, &req, pending_req);
+ break;
+ default:
++ /* A good sign something is wrong: sleep for a while to
++ * avoid excessive CPU consumption by a bad guest. */
++ msleep(1);
+ DPRINTK("error: unknown block io operation [%d]
",
+ req.operation);
+ make_response(blkif, req.id, req.operation,
+@@ -356,7 +364,11 @@ static int do_block_io_op(blkif_t *blkif
+ free_req(pending_req);
+ break;
+ }
++
++ /* Yield point for this unbounded loop. */
++ cond_resched();
+ }
++
+ return more_to_do;
+ }
+
+@@ -507,7 +519,8 @@ static void dispatch_rw_block_io(blkif_t
+ fail_response:
+ make_response(blkif, req->id, req->operation, BLKIF_RSP_ERROR);
+ free_req(pending_req);
+-}
++ msleep(1); /* back off a bit */
++}
+
+
+
+diff -Nurp custom-source-xen.orig/drivers/xen/blktap/blktap.c custom-source-xen/drivers/xen/blktap/blktap.c
+--- custom-source-xen.orig/drivers/xen/blktap/blktap.c 2011-06-01 09:35:13.190006000 +0000
++++ custom-source-xen/drivers/xen/blktap/blktap.c 2011-06-01 09:45:50.870006001 +0000
+@@ -53,6 +53,7 @@
+ #include <linux/major.h>
+ #include <linux/gfp.h>
+ #include <linux/poll.h>
++#include <linux/delay.h>
+ #include <asm/tlbflush.h>
+
+ #define MAX_TAP_DEV 256 /*the maximum number of tapdisk ring devices */
+@@ -1243,6 +1244,11 @@ static int do_block_io_op(blkif_t *blkif
+ break;
+ }
+
++ if (kthread_should_stop()) {
++ more_to_do = 1;
++ break;
++ }
++
+ switch (blkif->blk_protocol) {
+ case BLKIF_PROTOCOL_NATIVE:
+ memcpy(&req, RING_GET_REQUEST(&blk_rings->native, rc),
+@@ -1271,6 +1277,9 @@ static int do_block_io_op(blkif_t *blkif
+ break;
+
+ default:
++ /* A good sign something is wrong: sleep for a while to
++ * avoid excessive CPU consumption by a bad guest. */
++ msleep(1);
+ WPRINTK("unknown operation [%d]
",
+ req.operation);
+ make_response(blkif, req.id, req.operation,
+@@ -1278,6 +1287,9 @@ static int do_block_io_op(blkif_t *blkif
+ free_req(pending_req);
+ break;
+ }
++
++ /* Yield point for this unbounded loop. */
++ cond_resched();
+ }
+
+ blktap_kick_user(blkif->dev_num);
+@@ -1504,7 +1516,8 @@ static void dispatch_rw_block_io(blkif_t
+ fail_response:
+ make_response(blkif, req->id, req->operation, BLKIF_RSP_ERROR);
+ free_req(pending_req);
+-}
++ msleep(1); /* back off a bit */
++}
+
+
+
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 07:46 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org