author | Salvatore Bonaccorso <carnil@debian.org> | 2022-06-06 09:41:46 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-06-06 09:50:07 +0200 |
commit | 10caf0b1c78eca678037c0a3ef5010446b064858 (patch) | |
tree | ebf911b8ed98a84247a6b2864c7d7abd9e13a168 /debian/patches | |
parent | 0480ec98a81d197cf83fcd2f00dfc4346dd29226 (diff) | |
Update to 5.18.2
Add CVE id reference for CVE-2022-1852
Add CVE id reference for CVE-2022-1966
Add CVE id reference for CVE-2022-1972
Add reference to ZDI-CAN-17291
Drop patch applied upstream
Cleanup debian/changelog file
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch | 115 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 0 insertions, 116 deletions
diff --git a/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch b/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch deleted file mode 100644 index 156cf7434..000000000 --- a/debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From: Sean Christopherson <seanjc@google.com> -Date: Wed, 4 May 2022 00:12:19 +0000 -Subject: x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct - kvm_xsave) -Origin: https://git.kernel.org/linus/d187ba5312307d51818beafaad87d28a7d939adf -Bug-Debian: https://bugs.debian.org/1011168 - -Set the starting uABI size of KVM's guest FPU to 'struct kvm_xsave', -i.e. to KVM's historical uABI size. When saving FPU state for usersapce, -KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if -the host doesn't support XSAVE. Setting the XSAVE header allows the VM -to be migrated to a host that does support XSAVE without the new host -having to handle FPU state that may or may not be compatible with XSAVE. - -Setting the uABI size to the host's default size results in out-of-bounds -writes (setting the FP+SSE bits) and data corruption (that is thankfully -caught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs. - -WARN if the default size is larger than KVM's historical uABI size; all -features that can push the FPU size beyond the historical size must be -opt-in. 
- - ================================================================== - BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130 - Read of size 8 at addr ffff888011e33a00 by task qemu-build/681 - CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1 - Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010 - Call Trace: - <TASK> - dump_stack_lvl+0x34/0x45 - print_report.cold+0x45/0x575 - kasan_report+0x9b/0xd0 - fpu_copy_uabi_to_guest_fpstate+0x86/0x130 - kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm] - kvm_vcpu_ioctl+0x47f/0x7b0 [kvm] - __x64_sys_ioctl+0x5de/0xc90 - do_syscall_64+0x31/0x50 - entry_SYSCALL_64_after_hwframe+0x44/0xae - </TASK> - Allocated by task 0: - (stack is not available) - The buggy address belongs to the object at ffff888011e33800 - which belongs to the cache kmalloc-512 of size 512 - The buggy address is located 0 bytes to the right of - 512-byte region [ffff888011e33800, ffff888011e33a00) - The buggy address belongs to the physical page: - page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30 - head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0 - flags: 0x4000000000010200(slab|head|zone=1) - raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80 - raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 - page dumped because: kasan: bad access detected - Memory state around the buggy address: - ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - >ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ^ - ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ================================================================== - Disabling lock debugging due to kernel taint - -Fixes: be50b2065dfa ("kvm: x86: Add support for 
getting/setting expanded xstate buffer") -Fixes: c60427dd50ba ("x86/fpu: Add uabi_size to guest_fpu") -Reported-by: Zdenek Kaspar <zkaspar82@gmail.com> -Cc: Maciej S. Szmigiero <mail@maciej.szmigiero.name> -Cc: Paolo Bonzini <pbonzini@redhat.com> -Cc: kvm@vger.kernel.org -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson <seanjc@google.com> -Tested-by: Zdenek Kaspar <zkaspar82@gmail.com> -Message-Id: <20220504001219.983513-1-seanjc@google.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - arch/x86/kernel/fpu/core.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c -index e28ab0ecc537..0fdc807ae13f 100644 ---- a/arch/x86/kernel/fpu/core.c -+++ b/arch/x86/kernel/fpu/core.c -@@ -14,6 +14,8 @@ - #include <asm/traps.h> - #include <asm/irq_regs.h> - -+#include <uapi/asm/kvm.h> -+ - #include <linux/hardirq.h> - #include <linux/pkeys.h> - #include <linux/vmalloc.h> -@@ -232,7 +234,20 @@ bool fpu_alloc_guest_fpstate(struct fpu_guest *gfpu) - gfpu->fpstate = fpstate; - gfpu->xfeatures = fpu_user_cfg.default_features; - gfpu->perm = fpu_user_cfg.default_features; -- gfpu->uabi_size = fpu_user_cfg.default_size; -+ -+ /* -+ * KVM sets the FP+SSE bits in the XSAVE header when copying FPU state -+ * to userspace, even when XSAVE is unsupported, so that restoring FPU -+ * state on a different CPU that does support XSAVE can cleanly load -+ * the incoming state using its natural XSAVE. In other words, KVM's -+ * uABI size may be larger than this host's default size. Conversely, -+ * the default size should never be larger than KVM's base uABI size; -+ * all features that can expand the uABI size must be opt-in. -+ */ -+ gfpu->uabi_size = sizeof(struct kvm_xsave); -+ if (WARN_ON_ONCE(fpu_user_cfg.default_size > gfpu->uabi_size)) -+ gfpu->uabi_size = fpu_user_cfg.default_size; -+ - fpu_init_guest_permissions(gfpu); - - return true; --- -2.36.1 - 
diff --git a/debian/patches/series b/debian/patches/series index b0da24cfe..c31d70ddc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -71,7 +71,6 @@ bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch -bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch # Arch features features/x86/x86-memtest-WARN-if-bad-RAM-found.patch |
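Review bot: the header of the deleted debian/patches/bugfix/x86/x86-fpu-KVM-Set-the-base-guest-FPU-uABI-size-to-size.patch (Origin: https://git.kernel.org/linus/d187ba5312307d51818beafaad87d28a7d939adf, Bug-Debian: https://bugs.debian.org/1011168) is the only place in this diff that ties the drop to a specific upstream change, while the commit message says only "Drop patch applied upstream". Name that upstream commit in the commit message or changelog entry. Before merging, confirm that arch/x86/kernel/fpu/core.c in 5.18.2 sets `gfpu->uabi_size = sizeof(struct kvm_xsave);` in fpu_alloc_guest_fpstate(). If it does not, the out-of-bounds write on hosts without XSAVE that the patch description and its KASAN report document would come back.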
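Review bot: in the debian/patches/series hunk (@@ -71,7 +71,6 @@) the entry is removed in the same commit as the patch file, which is right: the series never points at a missing file, and the diffstat's 116 deletions are exactly 115 + 1. Nothing else under debian/patches changes in an update to 5.18.2, so please confirm that the neighbouring entries left in place (for example bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch and features/x86/x86-memtest-WARN-if-bad-RAM-found.patch) still apply to the new upstream tree without a refresh.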