rpms/kernel/F-9 cifs-fix-unicode-string-area-word-alignment-2.6.27.patch, NONE, 1.1.2.1 kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch, NONE, 1.1.2.1 kernel.spec, 1.891.2.49, 1.891.2.50

Chuck Ebbert cebbert at fedoraproject.org
Mon May 11 14:44:41 UTC 2009 

Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24101

Modified Files:
      Tag: private-fedora-9-2_6_27-branch
	kernel.spec 
Added Files:
      Tag: private-fedora-9-2_6_27-branch
	cifs-fix-unicode-string-area-word-alignment-2.6.27.patch 
	kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch 
Log Message:
Add stable patch from 2.6.29.1
Add stable patch pending in 2.6.29-stable

cifs-fix-unicode-string-area-word-alignment-2.6.27.patch:

--- NEW FILE cifs-fix-unicode-string-area-word-alignment-2.6.27.patch ---
From: Jeff Layton <jlayton at redhat.com>
Date: Tue, 14 Apr 2009 15:00:53 +0000 (-0400)
Subject: cifs: fix unicode string area word alignment in session setup
X-Git-Tag: v2.6.30-rc3~52^2~4
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27b87fe52baba0a55e9723030e76fce94fabcea4

cifs: fix unicode string area word alignment in session setup

The handling of unicode string area alignment is wrong.
decode_unicode_ssetup improperly assumes that it will always be preceded
by a pad byte. This isn't the case if the string area is already
word-aligned.

This problem, combined with the bad buffer sizing for the serverDomain
string can cause memory corruption. The bad alignment can make it so
that the alignment of the characters is off. This can make them
translate to characters that are greater than 2 bytes each. If this
happens we can overflow the allocation.

Fix this by fixing the alignment in CIFS_SessSetup instead so we can
verify it against the head of the response. Also, clean up the
workaround for improperly terminated strings by checking for a
odd-length unicode buffers and then forcibly terminating them.

Finally, resize the buffer for serverDomain. Now that we've fixed
the alignment, it's probably fine, but a malicious server could
overflow it.

A better solution for handling these strings is still needed, but
this should be a suitable bandaid.

Signed-off-by: Jeff Layton <jlayton at redhat.com>
CC: Stable <stable at vger.kernel.org>
Signed-off-by: Steve French <sfrench at us.ibm.com>
---

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 5c68b42..70d04d0 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -285,27 +285,26 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
 	int words_left, len;
 	char *data = *pbcc_area;
 
-
-
 	cFYI(1, ("bleft %d", bleft));
 
-
-	/* SMB header is unaligned, so cifs servers word align start of
-	   Unicode strings */
-	data++;
-	bleft--; /* Windows servers do not always double null terminate
-		    their final Unicode string - in which case we
-		    now will not attempt to decode the byte of junk
-		    which follows it */
+	/*
+	 * Windows servers do not always double null terminate their final
+	 * Unicode string. Check to see if there are an uneven number of bytes
+	 * left. If so, then add an extra NULL pad byte to the end of the
+	 * response.
+	 *
+	 * See section 2.7.2 in "Implementing CIFS" for details
+	 */
+	if (bleft % 2) {
+		data[bleft] = 0;
+		++bleft;
+	}
 
 	words_left = bleft / 2;
 
 	/* save off server operating system */
 	len = UniStrnlen((wchar_t *) data, words_left);
 
-/* We look for obvious messed up bcc or strings in response so we do not go off
-   the end since (at least) WIN2K and Windows XP have a major bug in not null
-   terminating last Unicode string in response  */
 	if (len >= words_left)
 		return rc;
 
@@ -343,13 +342,10 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
 		return rc;
 
 	kfree(ses->serverDomain);
-	ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */
-	if (ses->serverDomain != NULL) {
+	ses->serverDomain = kzalloc((4 * len) + 2, GFP_KERNEL);
+	if (ses->serverDomain != NULL)
 		cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
 				   nls_cp);
-		ses->serverDomain[2*len] = 0;
-		ses->serverDomain[(2*len) + 1] = 0;
-	}
 	data += 2 * (len + 1);
 	words_left -= len + 1;
 
@@ -702,12 +698,18 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
 	}
 
 	/* BB check if Unicode and decode strings */
-	if (smb_buf->Flags2 & SMBFLG2_UNICODE)
+	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
+		/* unicode string area must be word-aligned */
+		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
+			++bcc_ptr;
+			--bytes_remaining;
+		}
 		rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
-						   ses, nls_cp);
-	else
+					   ses, nls_cp);
+	} else {
 		rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
 					 ses, nls_cp);
+	}
 
 ssetup_exit:
 	if (spnego_key)

kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch:

--- NEW FILE kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch ---
>From stable-bounces at linux.kernel.org  Thu Mar 26 23:05:08 2009
Date: Thu, 26 Mar 2009 23:05:03 GMT
From: Avi Kivity <avi at redhat.com>
Message-Id: <200903262305.n2QN53AB005694 at hera.kernel.org>
To: stable at kernel.org
Subject: KVM: VMX: Don't allow uninhibited access to EFER on i386

From: Avi Kivity <avi at redhat.com>

upstream commit: 16175a796d061833aacfbd9672235f2d2725df65

vmx_set_msr() does not allow i386 guests to touch EFER, but they can still
do so through the default: label in the switch.  If they set EFER_LME, they
can oops the host.

Fix by having EFER access through the normal channel (which will check for
EFER_LME) even on i386.

Reported-and-tested-by: Benjamin Gilbert <bgilbert at cs.cmu.edu>
Cc: stable at kernel.org
Signed-off-by: Avi Kivity <avi at redhat.com>
Signed-off-by: Chris Wright <chrisw at sous-sol.org>
---
 arch/x86/kvm/vmx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -928,11 +928,11 @@ static int vmx_set_msr(struct kvm_vcpu *
 	int ret = 0;
 
 	switch (msr_index) {
-#ifdef CONFIG_X86_64
 	case MSR_EFER:
 		vmx_load_host_state(vmx);
 		ret = kvm_set_msr_common(vcpu, msr_index, data);
 		break;
+#ifdef CONFIG_X86_64
 	case MSR_FS_BASE:
 		vmcs_writel(GUEST_FS_BASE, data);
 		break;


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-9/kernel.spec,v
retrieving revision 1.891.2.49
retrieving revision 1.891.2.50
diff -u -p -r1.891.2.49 -r1.891.2.50
--- kernel.spec	9 May 2009 01:29:13 -0000	1.891.2.49
+++ kernel.spec	11 May 2009 14:44:10 -0000	1.891.2.50
@@ -753,6 +753,9 @@ Patch2914: ext4.git-5-e0ee7aa0b15299bc67
 # Add better support for DMI-based autoloading
 Patch3110: linux-2.6-dmi-autoload.patch
 
+Patch4000: kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch
+Patch4001: cifs-fix-unicode-string-area-word-alignment-2.6.27.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1352,6 +1355,9 @@ fi
 # get rid of imacfb and make efifb work everywhere it was used
 ApplyPatch linux-2.6-merge-efifb-imacfb.patch
 
+ApplyPatch kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch
+ApplyPatch cifs-fix-unicode-string-area-word-alignment-2.6.27.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1955,6 +1961,10 @@ fi
 %kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL}.xen -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.xen.conf %{with_xen} xen
 
 %changelog
+* Mon May 11 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.23-78.2.50
+- Add stable patch from 2.6.29.1
+- Add stable patch pending in 2.6.29-stable
+
 * Fri May 08 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.23-78.2.49
 - Linux 2.6.27.23

More information about the fedora-extras-commits mailing list