rpms
/
qemu
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
qemu/0025-9pfs-fix-integer-overf...

90 lines
2.8 KiB
Diff
Raw Normal View History

CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) Infinite loop vulnerability in a9_gtimer_update (bz #1388300) CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285)
2017-01-16 21:04:06 +00:00
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 1 Nov 2016 12:00:40 +0100
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
originated offset: they must ensure this offset does not go beyond
the size of the extended attribute that was set in v9fs_xattrcreate().
Unfortunately, the current code implement these checks with unsafe
calculations on 32 and 64 bit values, which may allow a malicious
guest to cause OOB access anyway.
Fix this by comparing the offset and the xattr size, which are
both uint64_t, before trying to compute the effective number of bytes
to read or write.
Suggested-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6)
---
hw/9pfs/9p.c | 32 ++++++++++++--------------------
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
CVE-2017-7718: cirrus: OOB read access issue (bz #1443443) CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz #1432040) CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872) CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372) CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622) CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520) CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560) CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578) CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz #1452598) CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623) CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz #1457699) CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz #1459137) CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz #1468497)
2017-07-12 22:19:21 +00:00
index ad57123aaf..9c18322945 100644
CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) Infinite loop vulnerability in a9_gtimer_update (bz #1388300) CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285)
2017-01-16 21:04:06 +00:00
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1629,20 +1629,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
ssize_t err;
size_t offset = 7;
- int read_count;
- int64_t xattr_len;
+ uint64_t read_count;
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
VirtQueueElement *elem = v->elems[pdu->idx];
- xattr_len = fidp->fs.xattr.len;
- read_count = xattr_len - off;
+ if (fidp->fs.xattr.len < off) {
+ read_count = 0;
+ } else {
+ read_count = fidp->fs.xattr.len - off;
+ }
if (read_count > max_count) {
read_count = max_count;
- } else if (read_count < 0) {
- /*
- * read beyond XATTR value
- */
- read_count = 0;
}
err = pdu_marshal(pdu, offset, "d", read_count);
if (err < 0) {
@@ -1970,23 +1967,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
int i, to_copy;
ssize_t err = 0;
- int write_count;
- int64_t xattr_len;
+ uint64_t write_count;
size_t offset = 7;
- xattr_len = fidp->fs.xattr.len;
- write_count = xattr_len - off;
- if (write_count > count) {
- write_count = count;
- } else if (write_count < 0) {
- /*
- * write beyond XATTR value len specified in
- * xattrcreate
- */
+ if (fidp->fs.xattr.len < off) {
err = -ENOSPC;
goto out;
}
+ write_count = fidp->fs.xattr.len - off;
+ if (write_count > count) {
+ write_count = count;
+ }
err = pdu_marshal(pdu, offset, "d", write_count);
if (err < 0) {
return err;