[Hardy] CVE-2010-4247: XEN: Add yield points to blktap and blkback

Stefan Bader stefan.bader at canonical.com
Tue Jun 7 14:52:33 UTC 2011 

On 01.06.2011 16:06, Stefan Bader wrote:
> As far as I can see this only affects Hardy as that is the only place
> that creates a dom0 kernel. The code itself seems to be present in the
> lucid-ec2 tree, but as we do not support dom0 and those are drivers
> for that. So I set the Lucid-ec2 status to not-affected, but I am thinking
> of adding the changes anyway, just in case...
> 
> -Stefan
> 
> From 7610b848ef18bd8db8471b450f09bc24f7c5cf7e Mon Sep 17 00:00:00 2001
> From: Stefan Bader <stefan.bader at canonical.com>
> Date: Wed, 1 Jun 2011 11:54:40 +0200
> Subject: [PATCH] UBUNTU: XEN: Add yield points to blktap and blkback
> 
> CVE-2010-4247
> BugLink: http://bugs.launchpad.net/bugs/791212
> 
> This adds a combined patch that consists of
> 
> http://xenbits.xensource.com/hg/linux-2.6.18-xen.hg/rev/77f831cbb91d
> 
> blkback: Request-processing loop is unbounded and hence requires a
> yield point. Also, bad request type is a good cause to sleep for a
> short while as the frontend has probably gone mad.
> 
> Patch by Steven Smith <steven.smith at eu.citrix.com>
> 
> Signed-off-by: Keir Fraser <keir.fraser at citrix.com>
> 
> and
> 
> http://xenbits.xensource.com/hg/linux-2.6.18-xen.hg/rev/7070d34f251c
> 
> blkback/blktap: Check for kthread_should_stop() in inner loop,
> mdelaay() should be msleep(), and these changes belong in blktap as
> well as blkback.
> Based on comments and patches from Jan Beulich and Steven Smith.
> Signed-off-by: Keir Fraser <keir.fraser at citrix.com>
> 
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  .../xen/patchset/021-xen-CVE-2010-4247.patch       |  127 ++++++++++++++++++++
>  1 files changed, 127 insertions(+), 0 deletions(-)
>  create mode 100644 debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
> 
> diff --git a/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch b/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
> new file mode 100644
> index 0000000..95a24b7
> --- /dev/null
> +++ b/debian/binary-custom.d/xen/patchset/021-xen-CVE-2010-4247.patch
> @@ -0,0 +1,127 @@
> +Fixes for CVE-2010-4247
> +
> +blkback: Request-processing loop is unbounded and hence requires a
> +yield point. Also, bad request type is a good cause to sleep for a
> +short while as the frontend has probably gone mad.
> +
> +Patch by Steven Smith <steven.smith at eu.citrix.com>
> +
> +Signed-off-by: Keir Fraser <keir.fraser at citrix.com>
> +
> +blkback/blktap: Check for kthread_should_stop() in inner loop,
> +mdelaay() should be msleep(), and these changes belong in blktap as
> +well as blkback.
> +Based on comments and patches from Jan Beulich and Steven Smith.
> +Signed-off-by: Keir Fraser <keir.fraser at citrix.com>
> +
> +Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> +
> +diff -Nurp custom-source-xen.orig/drivers/xen/blkback/blkback.c custom-source-xen/drivers/xen/blkback/blkback.c
> +--- custom-source-xen.orig/drivers/xen/blkback/blkback.c	2011-06-01 09:35:13.180006000 +0000
> ++++ custom-source-xen/drivers/xen/blkback/blkback.c	2011-06-01 09:46:55.470006001 +0000
> +@@ -309,7 +309,7 @@ static int do_block_io_op(blkif_t *blkif
> + 	rp = blk_rings->common.sring->req_prod;
> + 	rmb(); /* Ensure we see queued requests up to 'rp'. */
> + 
> +-	while ((rc != rp)) {
> ++	while (rc != rp) {
> + 
> + 		if (RING_REQUEST_CONS_OVERFLOW(&blk_rings->common, rc))
> + 			break;
> +@@ -321,6 +321,11 @@ static int do_block_io_op(blkif_t *blkif
> + 			break;
> + 		}
> + 
> ++		if (kthread_should_stop()) {
> ++			more_to_do = 1;
> ++			break;
> ++		}
> ++
> + 		switch (blkif->blk_protocol) {
> + 		case BLKIF_PROTOCOL_NATIVE:
> + 			memcpy(&req, RING_GET_REQUEST(&blk_rings->native, rc), sizeof(req));
> +@@ -349,6 +354,9 @@ static int do_block_io_op(blkif_t *blkif
> + 			dispatch_rw_block_io(blkif, &req, pending_req);
> + 			break;
> + 		default:
> ++			/* A good sign something is wrong: sleep for a while to
> ++			 * avoid excessive CPU consumption by a bad guest. */
> ++			msleep(1);
> + 			DPRINTK("error: unknown block io operation [%d]\n",
> + 				req.operation);
> + 			make_response(blkif, req.id, req.operation,
> +@@ -356,7 +364,11 @@ static int do_block_io_op(blkif_t *blkif
> + 			free_req(pending_req);
> + 			break;
> + 		}
> ++
> ++		/* Yield point for this unbounded loop. */
> ++		cond_resched();
> + 	}
> ++
> + 	return more_to_do;
> + }
> + 
> +@@ -507,7 +519,8 @@ static void dispatch_rw_block_io(blkif_t
> +  fail_response:
> + 	make_response(blkif, req->id, req->operation, BLKIF_RSP_ERROR);
> + 	free_req(pending_req);
> +-} 
> ++	msleep(1); /* back off a bit */
> ++}
> + 
> + 
> + 
> +diff -Nurp custom-source-xen.orig/drivers/xen/blktap/blktap.c custom-source-xen/drivers/xen/blktap/blktap.c
> +--- custom-source-xen.orig/drivers/xen/blktap/blktap.c	2011-06-01 09:35:13.190006000 +0000
> ++++ custom-source-xen/drivers/xen/blktap/blktap.c	2011-06-01 09:45:50.870006001 +0000
> +@@ -53,6 +53,7 @@
> + #include <linux/major.h>
> + #include <linux/gfp.h>
> + #include <linux/poll.h>
> ++#include <linux/delay.h>
> + #include <asm/tlbflush.h>
> + 
> + #define MAX_TAP_DEV 256     /*the maximum number of tapdisk ring devices    */
> +@@ -1243,6 +1244,11 @@ static int do_block_io_op(blkif_t *blkif
> + 			break;
> + 		}
> + 
> ++		if (kthread_should_stop()) {
> ++			more_to_do = 1;
> ++			break;
> ++		}
> ++
> + 		switch (blkif->blk_protocol) {
> + 		case BLKIF_PROTOCOL_NATIVE:
> + 			memcpy(&req, RING_GET_REQUEST(&blk_rings->native, rc),
> +@@ -1271,6 +1277,9 @@ static int do_block_io_op(blkif_t *blkif
> + 			break;
> + 
> + 		default:
> ++			/* A good sign something is wrong: sleep for a while to
> ++			 * avoid excessive CPU consumption by a bad guest. */
> ++			msleep(1);
> + 			WPRINTK("unknown operation [%d]\n",
> + 				req.operation);
> + 			make_response(blkif, req.id, req.operation,
> +@@ -1278,6 +1287,9 @@ static int do_block_io_op(blkif_t *blkif
> + 			free_req(pending_req);
> + 			break;
> + 		}
> ++
> ++		/* Yield point for this unbounded loop. */
> ++		cond_resched();
> + 	}
> + 		
> + 	blktap_kick_user(blkif->dev_num);
> +@@ -1504,7 +1516,8 @@ static void dispatch_rw_block_io(blkif_t
> +  fail_response:
> + 	make_response(blkif, req->id, req->operation, BLKIF_RSP_ERROR);
> + 	free_req(pending_req);
> +-} 
> ++	msleep(1); /* back off a bit */
> ++}
> + 
> + 
> + 

Pushing this one as I did not see any replies, yet.

-Stefan

More information about the kernel-team mailing list