Linux v3.4-rc3-65-g9b7f43a

kernel.spec

@@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 3
 # The git snapshot level
-%define gitrev 2
+%define gitrev 3
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -737,9 +737,6 @@ Patch21260: x86-Avoid-invoking-RCU-when-CPU-is-idle.patch
 #rhbz 804957 CVE-2012-1568
 Patch21306: shlib_base_randomize.patch
 
-#rhbz 807632
-Patch21385: libata-forbid-port-runtime-pm-by-default.patch
-
 Patch21400: unhandled-irqs-switch-to-polling.patch
 
 Patch21620: vgaarb-vga_default_device.patch
@@ -752,9 +749,12 @@ Patch22000: weird-root-dentry-name-debug.patch
 #selinux ptrace child permissions
 Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
 
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
 Patch22006: KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
 
+#rhbz 814278 814289 CVE-2012-2119
+Patch22007: macvtap-zerocopy-validate-vector-length.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1446,9 +1446,6 @@ ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
 #Highbank clock functions
 ApplyPatch highbank-export-clock-functions.patch 
 
-#rhbz 807632
-ApplyPatch libata-forbid-port-runtime-pm-by-default.patch
-
 #vgaarb patches.  blame mjg59
 ApplyPatch vgaarb-vga_default_device.patch
 
@@ -1456,9 +1453,12 @@ ApplyPatch vgaarb-vga_default_device.patch
 ApplyPatch x86-microcode-Fix-sysfs-warning-during-module-unload-on-unsupported-CPUs.patch
 ApplyPatch x86-microcode-Ensure-that-module-is-only-loaded-for-supported-AMD-CPUs.patch
 
-#rhbz 814149 814155
+#rhbz 814149 814155 CVE-2012-2121
 ApplyPatch KVM-unmap-pages-from-the-iommu-when-slots-are-removed.patch
 
+#rhbz 814278 814289 CVE-2012-2119
+ApplyPatch macvtap-zerocopy-validate-vector-length.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2319,8 +2319,15 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Thu Apr 19 2012 Justin M. Forbes <jforbes@redhat.com> - 3.4.0-0.rc3.git3.1
+- Linux v3.4-rc3-65-g9b7f43a
+
 * Thu Apr 19 2012 Justin M. Forbes <jforbes@redhat.com>
-- Fix KVM device assignment page leak (rhbz 814149 814155)
+- CVE-2012-2119 macvtap: zerocopy: vector length is not validated before
+  pinning user pages (rhbz 814278 814289)
+
+* Thu Apr 19 2012 Justin M. Forbes <jforbes@redhat.com>
+- CVE-2012-2121: Fix KVM device assignment page leak (rhbz 814149 814155)
 
 * Wed Apr 18 2012 Justin M. Forbes <jforbes@redhat.com> - 3.4.0-0.rc3.git2.1
 - Linux v3.4-rc3-36-g592fe89

macvtap-zerocopy-validate-vector-length.patch

@@ -0,0 +1,25 @@
+Currently we do not validate the vector length before calling
+get_user_pages_fast(), host stack would be easily overflowed by
+malicious guest driver who give us a descriptor with length greater
+than MAX_SKB_FRAGS. Solve this problem by checking the free entries
+before trying to pin user pages.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ drivers/net/macvtap.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 7cb2684..d197a78 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -527,6 +527,8 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
+ 		}
+ 		base = (unsigned long)from->iov_base + offset1;
+ 		size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
++		if (i + size >= MAX_SKB_FRAGS)
++			return -EFAULT;
+ 		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+ 		if ((num_pages != size) ||
+ 		    (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags))
+

sources

@@ -1,3 +1,3 @@
 7133f5a2086a7d7ef97abac610c094f5  linux-3.3.tar.xz
 2dfdc406169c0fcec64d5f939a44aff0  patch-3.4-rc3.xz
-5884dc5b83805f09c87e6ce0cf7766ff  patch-3.4-rc3-git2.xz
+92d57dac7a77f41fb939df4eb3024aea  patch-3.4-rc3-git3.xz