update kernel source to Ubuntu-4.2.0-27.32
authorDietmar Maurer <dietmar@proxmox.com>
Wed, 3 Feb 2016 14:38:25 +0000 (15:38 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Wed, 3 Feb 2016 15:17:37 +0000 (16:17 +0100)
CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch [deleted file]
CVE-2015-8787-netfilter-NULL-pointer-check.patch [deleted file]
Makefile
changelog.Debian
kvm-x86-obey-KVM_X86_QUIRK_CD_NW_CLEARED-in-kvm_set_cr0.patch [deleted file]
proxmox-ve/changelog.Debian
ubuntu-wily.tgz

diff --git a/CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch b/CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
deleted file mode 100644 (file)
index 79fc1f0..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-From 0185604c2d82c560dab2f2933a18f797e74ab5a8 Mon Sep 17 00:00:00 2001
-From: Andrew Honig <ahonig@google.com>
-Date: Wed, 18 Nov 2015 14:50:23 -0800
-Subject: KVM: x86: Reload pit counters for all channels when restoring state
-
-Currently if userspace restores the pit counters with a count of 0
-on channels 1 or 2 and the guest attempts to read the count on those
-channels, then KVM will perform a mod of 0 and crash.  This will ensure
-that 0 values are converted to 65536 as per the spec.
-
-This is CVE-2015-7513.
-
-Signed-off-by: Andy Honig <ahonig@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/kvm/x86.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index b84ba4b..7ffc224 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -3640,10 +3640,12 @@
- static int kvm_vm_ioctl_set_pit(struct kvm *kvm, struct kvm_pit_state *ps)
- {
-       int r = 0;
-+      int i = 0;
-       mutex_lock(&kvm->arch.vpit->pit_state.lock);
-       memcpy(&kvm->arch.vpit->pit_state, ps, sizeof(struct kvm_pit_state));
--      kvm_pit_load_count(kvm, 0, ps->channels[0].count, 0);
-+      for (i = 0; i < 3; i++)
-+              kvm_pit_load_count(kvm, i, ps->channels[i].count, 0);
-       mutex_unlock(&kvm->arch.vpit->pit_state.lock);
-       return r;
- }
-@@ -3664,6 +3666,7 @@
- static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps)
- {
-       int r = 0, start = 0;
-+      int i = 0;
-       u32 prev_legacy, cur_legacy;
-       mutex_lock(&kvm->arch.vpit->pit_state.lock);
-       prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY;
-@@ -3673,7 +3676,8 @@
-       memcpy(&kvm->arch.vpit->pit_state.channels, &ps->channels,
-              sizeof(kvm->arch.vpit->pit_state.channels));
-       kvm->arch.vpit->pit_state.flags = ps->flags;
--      kvm_pit_load_count(kvm, 0, kvm->arch.vpit->pit_state.channels[0].count, start);
-+      for (i = 0; i < 3; i++)
-+              kvm_pit_load_count(kvm, i, kvm->arch.vpit->pit_state.channels[i].count, start);
-       mutex_unlock(&kvm->arch.vpit->pit_state.lock);
-       return r;
- }
--- 
-cgit v0.11.2
-
diff --git a/CVE-2015-8787-netfilter-NULL-pointer-check.patch b/CVE-2015-8787-netfilter-NULL-pointer-check.patch
deleted file mode 100644 (file)
index d3fb1b2..0000000
+++ /dev/null
@@ -1,81 +0,0 @@
-From 94f9cd81436c85d8c3a318ba92e236ede73752fc Mon Sep 17 00:00:00 2001
-From: Munehisa Kamata <kamatam@amazon.com>
-Date: Mon, 26 Oct 2015 19:10:52 -0700
-Subject: [PATCH] netfilter: nf_nat_redirect: add missing NULL pointer check
-
-Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
-redirect IPv4 to use it from nf_tables") has introduced a trivial logic
-change which can result in the following crash.
-
-BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
-IP: [<ffffffffa033002d>] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect]
-PGD 3ba662067 PUD 3ba661067 PMD 0
-Oops: 0000 [#1] SMP
-Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
-CPU: 0 PID: 2536 Comm: ip Tainted: G            E   4.1.7-15.23.amzn1.x86_64 #1
-Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015
-task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000
-[...]
-Call Trace:
- <IRQ>
- [<ffffffffa0334065>] redirect_tg4+0x15/0x20 [xt_REDIRECT]
- [<ffffffffa02e2e99>] ipt_do_table+0x2b9/0x5e1 [ip_tables]
- [<ffffffffa0328045>] iptable_nat_do_chain+0x25/0x30 [iptable_nat]
- [<ffffffffa031777d>] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4]
- [<ffffffffa0328020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
- [<ffffffffa031785e>] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4]
- [<ffffffffa03280a5>] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat]
- [<ffffffff81449137>] nf_iterate+0x57/0x80
- [<ffffffff814491f7>] nf_hook_slow+0x97/0x100
- [<ffffffff814504d4>] ip_rcv+0x314/0x400
-
-unsigned int
-nf_nat_redirect_ipv4(struct sk_buff *skb,
-...
-{
-...
-               rcu_read_lock();
-               indev = __in_dev_get_rcu(skb->dev);
-               if (indev != NULL) {
-                       ifa = indev->ifa_list;
-                       newdst = ifa->ifa_local; <---
-               }
-               rcu_read_unlock();
-...
-}
-
-Before the commit, 'ifa' had been always checked before access. After the
-commit, however, it could be accessed even if it's NULL. Interestingly,
-this was once fixed in 2003.
-
-http://marc.info/?l=netfilter-devel&m=106668497403047&w=2
-
-In addition to the original one, we have seen the crash when packets that
-need to be redirected somehow arrive on an interface which hasn't been
-yet fully configured.
-
-This change just reverts the logic to the old behavior to avoid the crash.
-
-Fixes: 8b13eddfdf04 ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables")
-Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/netfilter/nf_nat_redirect.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c
-index 97b75f9..d438698 100644
---- a/net/netfilter/nf_nat_redirect.c
-+++ b/net/netfilter/nf_nat_redirect.c
-@@ -55,7 +55,7 @@ nf_nat_redirect_ipv4(struct sk_buff *skb,
-               rcu_read_lock();
-               indev = __in_dev_get_rcu(skb->dev);
--              if (indev != NULL) {
-+              if (indev && indev->ifa_list) {
-                       ifa = indev->ifa_list;
-                       newdst = ifa->ifa_local;
-               }
--- 
-2.1.4
-
index bd054b146768f18e927ca572040fb717dddd0fd7..9503d7dfc26af646af8b17a40033c436aeb02bb1 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
 RELEASE=4.1
 
 # also update proxmox-ve/changelog if you change KERNEL_VER or KREL
-KERNEL_VER=4.2.6
-PKGREL=36
+KERNEL_VER=4.2.8
+PKGREL=37
 # also include firmware of previous version into
 # the fw package:  fwlist-2.6.32-PREV-pve
 KREL=1
@@ -238,12 +238,9 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR}
        cd ${KERNEL_SRC}; patch -p1 <../override_for_missing_acs_capabilities.patch
        #cd ${KERNEL_SRC}; patch -p1 <../vhost-net-extend-device-allocation-to-vmalloc.patch
        cd ${KERNEL_SRC}; patch -p1 <../kvmstealtime.patch
-       cd ${KERNEL_SRC}; patch -p1 <../kvm-x86-obey-KVM_X86_QUIRK_CD_NW_CLEARED-in-kvm_set_cr0.patch
        cd ${KERNEL_SRC}; patch -p1 <../apparmor-socket-mediation.patch
-       cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
        cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-8785-fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
        cd ${KERNEL_SRC}; patch -p1 <../CVE-2016-2069-x86-mm-Add-barriers.patch
-       cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-8787-netfilter-NULL-pointer-check.patch
        # backport iSCSI fix from 4.4rc5
        cd ${KERNEL_SRC}; patch -p1 <../iSCSI-block-sd-Fix-device-imposed-transfer-length-limits.patch
        # backport aacraid update from kernel 4.4rc5
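Review bot: Nothing in the build checks that the new source tree actually contains the fixes whose `patch -p1` lines are dropped in this hunk (CVE-2015-7513 and CVE-2015-8787); the changelog marks them "(upstream)", but the only source change visible on this page is a binary diff of ubuntu-wily.tgz. If a later tarball lacked them, the build would silently bring back the mod-by-zero crash in the KVM PIT restore path and the NULL dereference in nf_nat_redirect_ipv4 that the removed patch files describe. A cheap guard after the tree is unpacked would catch that, for example `grep -q 'indev && indev->ifa_list' ${KERNEL_SRC}/net/netfilter/nf_nat_redirect.c`, using a string taken from the removed patch (adjust it if upstream's wording differs). At minimum, a comment such as `# CVE-2015-7513 (0185604c2d82) and CVE-2015-8787 (94f9cd81436c) are expected from the Ubuntu tree` would keep the expectation visible for the next rebase. The recipe for `${KERNEL_SRC}/README` begins and continues outside this hunk, so placement needs checking against the full Makefile.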
index 726802cdde0e930b623e97b82f3870391287c691..f427310c8a9642d437e86f4bc85689ade123fd88 100644 (file)
@@ -1,3 +1,19 @@
+pve-kernel (4.2.8-37) unstable; urgency=medium
+
+  * update kernel source to Ubuntu-4.2.0-27.32
+
+  * bump API to 4.2.8-1-pve
+
+  * remove kvm-x86-obey-KVM_X86_QUIRK_CD_NW_CLEARED-in-kvm_set_cr0.patch
+    (upstream)
+
+  * remove CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
+    (upstream)
+
+  * remove CVE-2015-8787-netfilter-NULL-pointer-check.patch (upstream)
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 03 Feb 2016 15:18:40 +0100
+
 pve-kernel (4.2.6-36) unstable; urgency=medium
 
   * Fix CVE-2016-2069: TBL flushing
diff --git a/kvm-x86-obey-KVM_X86_QUIRK_CD_NW_CLEARED-in-kvm_set_cr0.patch b/kvm-x86-obey-KVM_X86_QUIRK_CD_NW_CLEARED-in-kvm_set_cr0.patch
deleted file mode 100644 (file)
index 64cdd6b..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-From 879ae1880449c88db11c1ebdaedc2da79b2fe73f Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Wed, 4 Nov 2015 12:54:41 +0100
-Subject: KVM: x86: obey KVM_X86_QUIRK_CD_NW_CLEARED in kvm_set_cr0()
-
-Commit b18d5431acc7 ("KVM: x86: fix CR0.CD virtualization") was
-technically correct, but it broke OVMF guests by slowing down various
-parts of the firmware.
-
-Commit fb279950ba02 ("KVM: vmx: obey KVM_QUIRK_CD_NW_CLEARED") quirked the
-first function modified by b18d5431acc7, vmx_get_mt_mask(), for OVMF's
-sake. This restored the speed of the OVMF code that runs before
-PlatformPei (including the memory intensive LZMA decompression in SEC).
-
-This patch extends the quirk to the second function modified by
-b18d5431acc7, kvm_set_cr0(). It eliminates the intrusive slowdown that
-hits the EFI_MP_SERVICES_PROTOCOL implementation of edk2's
-UefiCpuPkg/CpuDxe -- which is built into OVMF --, when CpuDxe starts up
-all APs at once for initialization, in order to count them.
-
-We also carry over the kvm_arch_has_noncoherent_dma() sub-condition from
-the other half of the original commit b18d5431acc7.
-
-Fixes: b18d5431acc7a2fd22767925f3a6f597aa4bd29e
-Cc: stable@vger.kernel.org
-Cc: Jordan Justen <jordan.l.justen@intel.com>
-Cc: Alex Williamson <alex.williamson@redhat.com>
-Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
-Tested-by: Janusz Mocek <januszmk6@gmail.com>
-Signed-off-by: Laszlo Ersek <lersek@redhat.com>#
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/kvm/x86.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index a24bae0..30723a4 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -625,7 +625,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
-       if ((cr0 ^ old_cr0) & update_bits)
-               kvm_mmu_reset_context(vcpu);
--      if ((cr0 ^ old_cr0) & X86_CR0_CD)
-+      if (((cr0 ^ old_cr0) & X86_CR0_CD) &&
-+          kvm_arch_has_noncoherent_dma(vcpu->kvm) &&
-+          !kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED))
-               kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL);
-       return 0;
--- 
-cgit v0.11.2
-
index 4ef7cb990f76be62c6f2181173da41c39f3afe65..16813d82fc53dbd68174df5686afab2ff71c2636 100644 (file)
@@ -1,3 +1,9 @@
+proxmox-ve (4.0-32) unstable; urgency=medium
+
+  * depend on newest 4.2.8-1-pve kernel
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 03 Feb 2016 16:15:41 +0100
+
 proxmox-ve (4.0-31) unstable; urgency=medium
 
   * setup kernel links for installation CD (rescue boot)
index 2e38bf006c39342dcda7c488d8eb45e9fc282d06..c39f23ef6bb662b20044ba1f87fe80aac19ba041 100644 (file)
Binary files a/ubuntu-wily.tgz and b/ubuntu-wily.tgz differ