CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz #1295442)
CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818) CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766) CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008) CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720) CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz #1294787) CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023) Fix modules.d/kvm.conf example syntax (bz #1298823)
This commit is contained in:
parent
51a9cb48fd
commit
10ec804850
@ -0,0 +1,90 @@
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Tue, 15 Dec 2015 12:27:54 +0530
|
||||
Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
|
||||
|
||||
Vmxnet3 device emulator does not check if the device is active
|
||||
before activating it, also it did not free the transmit & receive
|
||||
buffers while deactivating the device, thus resulting in memory
|
||||
leakage on the host. This patch fixes both these issues to avoid
|
||||
host memory leakage.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit aa4a3dce1c88ed51b616806b8214b7c8428b7470)
|
||||
---
|
||||
hw/net/vmxnet3.c | 24 ++++++++++++++++--------
|
||||
1 file changed, 16 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index d2be2ae..25ca344 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
|
||||
|
||||
static void vmxnet3_deactivate_device(VMXNET3State *s)
|
||||
{
|
||||
- VMW_CBPRN("Deactivating vmxnet3...");
|
||||
- s->device_active = false;
|
||||
+ if (s->device_active) {
|
||||
+ VMW_CBPRN("Deactivating vmxnet3...");
|
||||
+ vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
+ vmxnet_tx_pkt_uninit(s->tx_pkt);
|
||||
+ vmxnet_rx_pkt_uninit(s->rx_pkt);
|
||||
+ s->device_active = false;
|
||||
+ }
|
||||
}
|
||||
|
||||
static void vmxnet3_reset(VMXNET3State *s)
|
||||
@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
|
||||
|
||||
vmxnet3_deactivate_device(s);
|
||||
vmxnet3_reset_interrupt_states(s);
|
||||
- vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
s->drv_shmem = 0;
|
||||
s->tx_sop = true;
|
||||
s->skip_current_tx_pkt = false;
|
||||
@@ -1427,6 +1431,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
|
||||
return;
|
||||
}
|
||||
|
||||
+ /* Verify if device is active */
|
||||
+ if (s->device_active) {
|
||||
+ VMW_CFPRN("Vmxnet3 device is active");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
vmxnet3_adjust_by_guest_type(s);
|
||||
vmxnet3_update_features(s);
|
||||
vmxnet3_update_pm_state(s);
|
||||
@@ -1623,7 +1633,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
|
||||
break;
|
||||
|
||||
case VMXNET3_CMD_QUIESCE_DEV:
|
||||
- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
|
||||
+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
|
||||
vmxnet3_deactivate_device(s);
|
||||
break;
|
||||
|
||||
@@ -1728,7 +1738,7 @@ vmxnet3_io_bar1_write(void *opaque,
|
||||
* shared address only after we get the high part
|
||||
*/
|
||||
if (val == 0) {
|
||||
- s->device_active = false;
|
||||
+ vmxnet3_deactivate_device(s);
|
||||
}
|
||||
s->temp_shared_guest_driver_memory = val;
|
||||
s->drv_shmem = 0;
|
||||
@@ -2009,9 +2019,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
|
||||
static void vmxnet3_net_uninit(VMXNET3State *s)
|
||||
{
|
||||
g_free(s->mcast_list);
|
||||
- vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
- vmxnet_tx_pkt_uninit(s->tx_pkt);
|
||||
- vmxnet_rx_pkt_uninit(s->rx_pkt);
|
||||
+ vmxnet3_deactivate_device(s);
|
||||
qemu_del_nic(s->nic);
|
||||
}
|
||||
|
62
0012-i386-avoid-null-pointer-dereference.patch
Normal file
62
0012-i386-avoid-null-pointer-dereference.patch
Normal file
@ -0,0 +1,62 @@
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Fri, 18 Dec 2015 11:35:07 +0530
|
||||
Subject: [PATCH] i386: avoid null pointer dereference
|
||||
|
||||
Hello,
|
||||
|
||||
A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
|
||||
occurs while doing I/O port write operations via hmp interface. In that,
|
||||
'current_cpu' remains null as it is not called from cpu_exec loop, which
|
||||
results in the said issue.
|
||||
|
||||
Below is a proposed (tested)patch to fix this issue; Does it look okay?
|
||||
|
||||
===
|
||||
From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 18 Dec 2015 11:16:07 +0530
|
||||
Subject: [PATCH] i386: avoid null pointer dereference
|
||||
|
||||
When I/O port write operation is called from hmp interface,
|
||||
'current_cpu' remains null, as it is not called from cpu_exec()
|
||||
loop. This leads to a null pointer dereference in vapic_write
|
||||
routine. Add check to avoid it.
|
||||
|
||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: P J P <ppandit@redhat.com>
|
||||
(cherry picked from commit 4c1396cb576c9b14425558b73de1584c7a9735d7)
|
||||
---
|
||||
hw/i386/kvmvapic.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
|
||||
index c6d34b2..f0922da 100644
|
||||
--- a/hw/i386/kvmvapic.c
|
||||
+++ b/hw/i386/kvmvapic.c
|
||||
@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
|
||||
static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
|
||||
unsigned int size)
|
||||
{
|
||||
- CPUState *cs = current_cpu;
|
||||
- X86CPU *cpu = X86_CPU(cs);
|
||||
- CPUX86State *env = &cpu->env;
|
||||
- hwaddr rom_paddr;
|
||||
VAPICROMState *s = opaque;
|
||||
+ X86CPU *cpu;
|
||||
+ CPUX86State *env;
|
||||
+ hwaddr rom_paddr;
|
||||
|
||||
- cpu_synchronize_state(cs);
|
||||
+ if (!current_cpu) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ cpu_synchronize_state(current_cpu);
|
||||
+ cpu = X86_CPU(current_cpu);
|
||||
+ env = &cpu->env;
|
||||
|
||||
/*
|
||||
* The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
|
32
0013-scsi-initialise-info-object-with-appropriate-size.patch
Normal file
32
0013-scsi-initialise-info-object-with-appropriate-size.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Mon, 21 Dec 2015 15:13:13 +0530
|
||||
Subject: [PATCH] scsi: initialise info object with appropriate size
|
||||
|
||||
While processing controller 'CTRL_GET_INFO' command, the routine
|
||||
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
|
||||
appropriate size to null initialise it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: P J P <ppandit@redhat.com>
|
||||
(cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index a04369c..d9b99c0 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
BusChild *kid;
|
||||
int num_pd_disks = 0;
|
||||
|
||||
- memset(&info, 0x0, cmd->iov_size);
|
||||
+ memset(&info, 0x0, dcmd_size);
|
||||
if (cmd->iov_size < dcmd_size) {
|
||||
trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
|
||||
dcmd_size);
|
44
0014-net-rocker-fix-an-incorrect-array-bounds-check.patch
Normal file
44
0014-net-rocker-fix-an-incorrect-array-bounds-check.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 28 Dec 2015 16:24:08 +0530
|
||||
Subject: [PATCH] net: rocker: fix an incorrect array bounds check
|
||||
|
||||
While processing transmit(tx) descriptors in 'tx_consume' routine
|
||||
the switch emulator suffers from an off-by-one error, if a
|
||||
descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
|
||||
fragments. Fix an incorrect bounds check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 007cd223de527b5f41278f2d886c1a4beb3e67aa)
|
||||
---
|
||||
hw/net/rocker/rocker.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
||||
index 47d080f..7e4ec0a 100644
|
||||
--- a/hw/net/rocker/rocker.c
|
||||
+++ b/hw/net/rocker/rocker.c
|
||||
@@ -234,6 +234,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
||||
frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
|
||||
frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
|
||||
|
||||
+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
|
||||
+ goto err_too_many_frags;
|
||||
+ }
|
||||
iov[iovcnt].iov_len = frag_len;
|
||||
iov[iovcnt].iov_base = g_malloc(frag_len);
|
||||
if (!iov[iovcnt].iov_base) {
|
||||
@@ -246,10 +249,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
||||
err = -ROCKER_ENXIO;
|
||||
goto err_bad_io;
|
||||
}
|
||||
-
|
||||
- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
|
||||
- goto err_too_many_frags;
|
||||
- }
|
||||
+ iovcnt++;
|
||||
}
|
||||
|
||||
if (iovcnt) {
|
45
0015-net-ne2000-fix-bounds-check-in-ioport-operations.patch
Normal file
45
0015-net-ne2000-fix-bounds-check-in-ioport-operations.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 31 Dec 2015 17:05:27 +0530
|
||||
Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
|
||||
|
||||
While doing ioport r/w operations, ne2000 device emulation suffers
|
||||
from OOB r/w errors. Update respective array bounds check to avoid
|
||||
OOB access.
|
||||
|
||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit aa7f9966dfdff500bbbf1956d9e115b1fa8987a6)
|
||||
---
|
||||
hw/net/ne2000.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
||||
index 2bdb4c9..364f226 100644
|
||||
--- a/hw/net/ne2000.c
|
||||
+++ b/hw/net/ne2000.c
|
||||
@@ -476,8 +476,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
|
||||
uint32_t val)
|
||||
{
|
||||
addr &= ~1; /* XXX: check exact behaviour if not even */
|
||||
- if (addr < 32 ||
|
||||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
|
||||
+ if (addr < 32
|
||||
+ || (addr >= NE2000_PMEM_START
|
||||
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
|
||||
stl_le_p(s->mem + addr, val);
|
||||
}
|
||||
}
|
||||
@@ -506,8 +507,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
|
||||
static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
|
||||
{
|
||||
addr &= ~1; /* XXX: check exact behaviour if not even */
|
||||
- if (addr < 32 ||
|
||||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
|
||||
+ if (addr < 32
|
||||
+ || (addr >= NE2000_PMEM_START
|
||||
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
|
||||
return ldl_le_p(s->mem + addr);
|
||||
} else {
|
||||
return 0xffffffff;
|
36
0016-ide-ahci-reset-ncq-object-to-unused-on-error.patch
Normal file
36
0016-ide-ahci-reset-ncq-object-to-unused-on-error.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 11 Jan 2016 14:10:42 -0500
|
||||
Subject: [PATCH] ide: ahci: reset ncq object to unused on error
|
||||
|
||||
When processing NCQ commands, AHCI device emulation prepares a
|
||||
NCQ transfer object; To which an aio control block(aiocb) object
|
||||
is assigned in 'execute_ncq_command'. In case, when the NCQ
|
||||
command is invalid, the 'aiocb' object is not assigned, and NCQ
|
||||
transfer object is left as 'used'. This leads to a use after
|
||||
free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
|
||||
Reset NCQ transfer object to 'unused' to avoid it.
|
||||
|
||||
[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
(cherry picked from commit 4ab0359a8ae182a7ac5c99609667273167703fab)
|
||||
---
|
||||
hw/ide/ahci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
|
||||
index 378ad60..73948af 100644
|
||||
--- a/hw/ide/ahci.c
|
||||
+++ b/hw/ide/ahci.c
|
||||
@@ -897,6 +897,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
|
||||
ide_state->error = ABRT_ERR;
|
||||
ide_state->status = READY_STAT | ERR_STAT;
|
||||
ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
|
||||
+ ncq_tfs->used = 0;
|
||||
}
|
||||
|
||||
static void ncq_finish(NCQTransferState *ncq_tfs)
|
5
kvm.conf
5
kvm.conf
@ -7,6 +7,5 @@
|
||||
### Set these options to enable nested virtualization
|
||||
###
|
||||
|
||||
#option kvm_intel nested=1
|
||||
#option kvm_amd nested=1
|
||||
|
||||
#options kvm_intel nested=1
|
||||
#options kvm_amd nested=1
|
||||
|
30
qemu.spec
30
qemu.spec
@ -40,7 +40,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.4.1
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
@ -89,8 +89,22 @@ Patch0007: 0007-ehci-make-idt-processing-more-robust.patch
|
||||
Patch0008: 0008-acpi-fix-buffer-overrun-on-migration.patch
|
||||
# CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440)
|
||||
Patch0009: 0009-net-vmxnet3-Refine-l2-header-validation.patch
|
||||
# CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz #1295442)
|
||||
# CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz
|
||||
# #1295442)
|
||||
Patch0010: 0010-vmxnet3-Support-reading-IMR-registers-on-bar0.patch
|
||||
# CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818)
|
||||
Patch0011: 0011-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
|
||||
# CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766)
|
||||
Patch0012: 0012-i386-avoid-null-pointer-dereference.patch
|
||||
# CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008)
|
||||
Patch0013: 0013-scsi-initialise-info-object-with-appropriate-size.patch
|
||||
# CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720)
|
||||
Patch0014: 0014-net-rocker-fix-an-incorrect-array-bounds-check.patch
|
||||
# CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz
|
||||
# #1294787)
|
||||
Patch0015: 0015-net-ne2000-fix-bounds-check-in-ioport-operations.patch
|
||||
# CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023)
|
||||
Patch0016: 0016-ide-ahci-reset-ncq-object-to-unused-on-error.patch
|
||||
|
||||
BuildRequires: SDL2-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -1226,6 +1240,18 @@ getent passwd qemu >/dev/null || \
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jan 20 2016 Cole Robinson <crobinso@redhat.com> - 2:2.4.1-6
|
||||
- CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz
|
||||
#1295442)
|
||||
- CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818)
|
||||
- CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766)
|
||||
- CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008)
|
||||
- CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720)
|
||||
- CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz
|
||||
#1294787)
|
||||
- CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023)
|
||||
- Fix modules.d/kvm.conf example syntax (bz #1298823)
|
||||
|
||||
* Sat Jan 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.4.1-5
|
||||
- CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)
|
||||
- CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
|
||||
|
Loading…
Reference in New Issue
Block a user