Skip to content
This repository has been archived by the owner on Sep 24, 2020. It is now read-only.

Fix CVE-2017-8824, CVE-2017-1000407 in 4.13 #117

Merged
merged 2 commits into from
Dec 5, 2017
Merged

Fix CVE-2017-8824, CVE-2017-1000407 in 4.13 #117

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ba2997a
KVM: Remove I/O port 0x80 bypass on intel hosts.
Nov 29, 2017
1ba144b
dccp: CVE-2017-8824: use-after-free in DCCP code
0x36 Dec 5, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 5 additions & 15 deletions arch/x86/kvm/vmx.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -943,8 +943,7 @@ static DEFINE_PER_CPU(struct list_head, blocked_vcpu_on_cpu);
static DEFINE_PER_CPU(spinlock_t, blocked_vcpu_on_cpu_lock);

enum {
VMX_IO_BITMAP_A,
VMX_IO_BITMAP_B,
VMX_IO_BITMAP,
VMX_MSR_BITMAP_LEGACY,
VMX_MSR_BITMAP_LONGMODE,
VMX_MSR_BITMAP_LEGACY_X2APIC_APICV,
Expand All @@ -958,8 +957,7 @@ enum {

static unsigned long *vmx_bitmap[VMX_BITMAP_NR];

#define vmx_io_bitmap_a (vmx_bitmap[VMX_IO_BITMAP_A])
#define vmx_io_bitmap_b (vmx_bitmap[VMX_IO_BITMAP_B])
#define vmx_io_bitmap (vmx_bitmap[VMX_IO_BITMAP])
#define vmx_msr_bitmap_legacy (vmx_bitmap[VMX_MSR_BITMAP_LEGACY])
#define vmx_msr_bitmap_longmode (vmx_bitmap[VMX_MSR_BITMAP_LONGMODE])
#define vmx_msr_bitmap_legacy_x2apic_apicv (vmx_bitmap[VMX_MSR_BITMAP_LEGACY_X2APIC_APICV])
Expand Down Expand Up @@ -5306,8 +5304,8 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
int i;

/* I/O */
vmcs_write64(IO_BITMAP_A, __pa(vmx_io_bitmap_a));
vmcs_write64(IO_BITMAP_B, __pa(vmx_io_bitmap_b));
vmcs_write64(IO_BITMAP_A, __pa(vmx_io_bitmap));
vmcs_write64(IO_BITMAP_B, __pa(vmx_io_bitmap));

if (enable_shadow_vmcs) {
vmcs_write64(VMREAD_BITMAP, __pa(vmx_vmread_bitmap));
Expand Down Expand Up @@ -6584,18 +6582,10 @@ static __init int hardware_setup(void)
goto out;
}

vmx_io_bitmap_b = (unsigned long *)__get_free_page(GFP_KERNEL);
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);

/*
* Allow direct access to the PC debug port (it is often used for I/O
* delays, but the vmexits simply slow things down).
*/
memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
clear_bit(0x80, vmx_io_bitmap_a);

memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
memset(vmx_io_bitmap, 0xff, PAGE_SIZE);

memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE);
memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE);
Expand Down
5 changes: 5 additions & 0 deletions net/dccp/proto.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
{
struct inet_connection_sock *icsk = inet_csk(sk);
struct inet_sock *inet = inet_sk(sk);
struct dccp_sock *dp = dccp_sk(sk);
int err = 0;
const int old_state = sk->sk_state;

Expand All @@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
sk->sk_err = ECONNRESET;

dccp_clear_xmit_timers(sk);
ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
dp->dccps_hc_rx_ccid = NULL;
dp->dccps_hc_tx_ccid = NULL;

__skb_queue_purge(&sk->sk_receive_queue);
__skb_queue_purge(&sk->sk_write_queue);
Expand Down