Fix CVE-2019-3882 (rhbz 1689426 1695571)
parent
6d7472f1ad
commit
3fd5815625
2 changed files with 136 additions and 0 deletions
@ -622,6 +622,9 @@ Patch515: nfsv4.1-avoid-false-retries.patch
|
|||
# CVE-2019-9857 rhbz 1694758 1694759
|
||||
Patch516: 0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
|
||||
|
||||
# CVE-2019-3882 rhbz 1689426 1695571
|
||||
Patch517: vfio-type1-limit-dma-mappings-per-container.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1909,6 +1912,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Apr 03 2019 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2019-3882 (rhbz 1689426 1695571)
|
||||
|
||||
* Mon Apr 01 2019 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2019-9857 (rhbz 1694758 1694759)
|
||||
|
||||
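--- /dev/null
+++ b/vfio-type1-limit-dma-mappings-per-container.patch
@@ -0,0 +1,130 @@
+From mboxrd@z Thu Jan 1 00:00:00 1970
+Return-Path: <SRS0=/BGd=SD=vger.kernel.org=linux-kernel-owner@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-7.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
+INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS autolearn=ham
+autolearn_force=no version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+by smtp.lore.kernel.org (Postfix) with ESMTP id 5BCBAC43381
+for <linux-kernel@archiver.kernel.org>; Mon, 1 Apr 2019 20:16:59 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+by mail.kernel.org (Postfix) with ESMTP id 31C4F20896
+for <linux-kernel@archiver.kernel.org>; Mon, 1 Apr 2019 20:16:59 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+id S1726867AbfDAUQ5 (ORCPT
+<rfc822;linux-kernel@archiver.kernel.org>);
+Mon, 1 Apr 2019 16:16:57 -0400
+Received: from mx1.redhat.com ([209.132.183.28]:52924 "EHLO mx1.redhat.com"
+rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+id S1726284AbfDAUQ5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
+Mon, 1 Apr 2019 16:16:57 -0400
+Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22])
+(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
+(No client certificate requested)
+by mx1.redhat.com (Postfix) with ESMTPS id 6BC20307D933;
+Mon, 1 Apr 2019 20:16:57 +0000 (UTC)
+Received: from gimli.home (ovpn-116-99.phx2.redhat.com [10.3.116.99])
+by smtp.corp.redhat.com (Postfix) with ESMTP id AF2DC104C53F;
+Mon, 1 Apr 2019 20:16:52 +0000 (UTC)
+Subject: [PATCH] vfio/type1: Limit DMA mappings per container
+From: Alex Williamson <alex.williamson@redhat.com>
+To: alex.williamson@redhat.com
+Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
+eric.auger@redhat.com, cohuck@redhat.com
+Date: Mon, 01 Apr 2019 14:16:52 -0600
+Message-ID: <155414977872.12780.13728555131525362206.stgit@gimli.home>
+User-Agent: StGit/0.19-dirty
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
+X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Mon, 01 Apr 2019 20:16:57 +0000 (UTC)
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+Archived-At: <https://lore.kernel.org/lkml/155414977872.12780.13728555131525362206.stgit@gimli.home/>
+List-Archive: <https://lore.kernel.org/lkml/>
+List-Post: <mailto:linux-kernel@vger.kernel.org>
+
+Memory backed DMA mappings are accounted against a user's locked
+memory limit, including multiple mappings of the same memory. This
+accounting bounds the number of such mappings that a user can create.
+However, DMA mappings that are not backed by memory, such as DMA
+mappings of device MMIO via mmaps, do not make use of page pinning
+and therefore do not count against the user's locked memory limit.
+These mappings still consume memory, but the memory is not well
+associated to the process for the purpose of oom killing a task.
+
+To add bounding on this use case, we introduce a limit to the total
+number of concurrent DMA mappings that a user is allowed to create.
+This limit is exposed as a tunable module option where the default
+value of 64K is expected to be well in excess of any reasonable use
+case (a large virtual machine configuration would typically only make
+use of tens of concurrent mappings).
+
+This fixes CVE-2019-3882.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+---
+drivers/vfio/vfio_iommu_type1.c | 14 ++++++++++++++
+1 file changed, 14 insertions(+)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 73652e21efec..7fc8fd7d4dc7 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -58,12 +58,18 @@ module_param_named(disable_hugepages,
+MODULE_PARM_DESC(disable_hugepages,
+"Disable VFIO IOMMU support for IOMMU hugepages.");
+
++static int dma_entry_limit __read_mostly = U16_MAX;
++module_param_named(dma_entry_limit, dma_entry_limit, int, 0644);
++MODULE_PARM_DESC(dma_entry_limit,
++ "Maximum number of user DMA mappings per container (65535).");
++
+struct vfio_iommu {
+struct list_head domain_list;
+struct vfio_domain *external_domain; /* domain for external user */
+struct mutex lock;
+struct rb_root dma_list;
+struct blocking_notifier_head notifier;
++ atomic_t dma_avail;
+bool v2;
+bool nesting;
+};
+@@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
+vfio_unlink_dma(iommu, dma);
+put_task_struct(dma->task);
+kfree(dma);
++ atomic_inc(&iommu->dma_avail);
+}
+
+static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu)
+@@ -1081,8 +1088,14 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
+goto out_unlock;
+}
+
++ if (!atomic_add_unless(&iommu->dma_avail, -1, 0)) {
++ ret = -ENOSPC;
++ goto out_unlock;
++ }
++
+dma = kzalloc(sizeof(*dma), GFP_KERNEL);
+if (!dma) {
++ atomic_inc(&iommu->dma_avail);
+ret = -ENOMEM;
+goto out_unlock;
+}
+@@ -1583,6 +1596,7 @@ static void *vfio_iommu_type1_open(unsigned long arg)
+
+INIT_LIST_HEAD(&iommu->domain_list);
+iommu->dma_list = RB_ROOT;
++ atomic_set(&iommu->dma_avail, dma_entry_limit);
+mutex_init(&iommu->lock);
+BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);
+
+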
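Review bot: `dma_entry_limit` in the first kernel hunk of the carried patch is a signed `int` registered with `module_param_named(dma_entry_limit, dma_entry_limit, int, 0644)`, so a negative value can be written through sysfs; a container opened afterwards starts with a negative `dma_avail`, and `atomic_add_unless(&iommu->dma_avail, -1, 0)` in the vfio_dma_do_map hunk only refuses the decrement at exactly 0, so the per-container cap this patch introduces would be silently disabled rather than the write rejected. Declaring the tunable unsigned and registering it as `uint` closes that: `static unsigned int dma_entry_limit __read_mostly = U16_MAX;` and `module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644);`. Since the counter is seeded once in the vfio_iommu_type1_open hunk, a changed limit only affects containers opened after the write, which the MODULE_PARM_DESC string could state. The enclosing functions vfio_dma_do_map and vfio_iommu_type1_open begin and end outside their hunks, so whether the ENOSPC path releases everything acquired before the check cannot be confirmed from what is shown here.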