CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)
CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309) CVE-2015-8666: Heap-based buffer overrun during VM migration (bz #1294027) CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440) CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz #1295442)
This commit is contained in:
parent
125cf24347
commit
14860a24cf
|
@ -0,0 +1,57 @@
|
|||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 26 Jun 2015 14:25:29 +0200
|
||||
Subject: [PATCH] msix: implement pba write (but read-only)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
qpci_msix_pending() writes on pba region, causing qemu to SEGV:
|
||||
|
||||
Program received signal SIGSEGV, Segmentation fault.
|
||||
[Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
|
||||
0x0000000000000000 in ?? ()
|
||||
(gdb) bt
|
||||
#0 0x0000000000000000 in ()
|
||||
#1 0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
|
||||
#2 0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e <memory_region_oldmmio_write_accessor>, mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
|
||||
#3 0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at /home/elmarco/src/qemu/memory.c:1176
|
||||
#4 0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 <address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
|
||||
#5 0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
|
||||
#6 0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80
|
||||
#7 0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
|
||||
#8 0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
|
||||
#9 0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581
|
||||
#10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
|
||||
#11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
|
||||
#12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122
|
||||
|
||||
(without this patch, this can be reproduced with the ivshmem qtest)
|
||||
|
||||
Implement an empty mmio write to avoid the crash.
|
||||
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 43b11a91dd861a946b231b89b7542856ade23d1b)
|
||||
---
|
||||
hw/pci/msix.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/hw/pci/msix.c b/hw/pci/msix.c
|
||||
index 24de260..68ab050 100644
|
||||
--- a/hw/pci/msix.c
|
||||
+++ b/hw/pci/msix.c
|
||||
@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr,
|
||||
return pci_get_long(dev->msix_pba + addr);
|
||||
}
|
||||
|
||||
+static void msix_pba_mmio_write(void *opaque, hwaddr addr,
|
||||
+ uint64_t val, unsigned size)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
static const MemoryRegionOps msix_pba_mmio_ops = {
|
||||
.read = msix_pba_mmio_read,
|
||||
+ .write = msix_pba_mmio_write,
|
||||
.endianness = DEVICE_LITTLE_ENDIAN,
|
||||
.valid = {
|
||||
.min_access_size = 4,
|
|
@ -0,0 +1,45 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 14 Dec 2015 09:21:23 +0100
|
||||
Subject: [PATCH] ehci: make idt processing more robust
|
||||
|
||||
Make ehci_process_itd return an error in case we didn't do any actual
|
||||
iso transfer because we've found no active transaction. That'll avoid
|
||||
ehci happily run in circles forever if the guest builds a loop out of
|
||||
idts.
|
||||
|
||||
This is CVE-2015-8558.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Tested-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index d4d7547..51d39c6 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
{
|
||||
USBDevice *dev;
|
||||
USBEndpoint *ep;
|
||||
- uint32_t i, len, pid, dir, devaddr, endp;
|
||||
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
|
||||
uint32_t pg, off, ptr1, ptr2, max, mult;
|
||||
|
||||
ehci->periodic_sched_active = PERIODIC_ACTIVE;
|
||||
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
ehci_raise_irq(ehci, USBSTS_INT);
|
||||
}
|
||||
itd->transact[i] &= ~ITD_XACT_ACTIVE;
|
||||
+ xfers++;
|
||||
}
|
||||
}
|
||||
- return 0;
|
||||
+ return xfers ? 0 : -1;
|
||||
}
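Review bot: `return xfers ? 0 : -1;` at the end of `ehci_process_itd` gives the function a new failure meaning (no active transaction was found) that is not distinguishable from any other non-zero return, and nothing in the hunk records why it exists. A comment above the return, e.g. `/* No active transaction: report failure so the caller stops walking a guest-built iTD loop (CVE-2015-8558). */`, would tie the behaviour to its purpose. The first hunk only adds the `xfers` counter declaration; the loop body that increments it and the callers that act on -1 are outside this diff, so whether any caller already treats the two non-zero cases differently cannot be confirmed here.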
|
||||
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Thu, 19 Nov 2015 15:14:07 +0200
|
||||
Subject: [PATCH] acpi: fix buffer overrun on migration
|
||||
|
||||
ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
|
||||
ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
|
||||
ICH9_PMIO_GPE0_LEN bytes are migrated.
|
||||
|
||||
As a quick work-around, allocate twice the memory.
|
||||
We'll probably want to tweak code to avoid
|
||||
migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
|
||||
but that is a bit trickier to do without breaking
|
||||
migration compatibility.
|
||||
|
||||
Tested-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
|
||||
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
(cherry picked from commit d9a3b33d2c9f996537b7f1d0246dee2d0120cefb)
|
||||
---
|
||||
hw/acpi/core.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
|
||||
index 51913d6..c505952 100644
|
||||
--- a/hw/acpi/core.c
|
||||
+++ b/hw/acpi/core.c
|
||||
@@ -611,8 +611,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
|
||||
void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
|
||||
{
|
||||
ar->gpe.len = len;
|
||||
- ar->gpe.sts = g_malloc0(len / 2);
|
||||
- ar->gpe.en = g_malloc0(len / 2);
|
||||
+ /* Only first len / 2 bytes are ever used,
|
||||
+ * but the caller in ich9.c migrates full len bytes.
|
||||
+ * TODO: fix ich9.c and drop the extra allocation.
|
||||
+ */
|
||||
+ ar->gpe.sts = g_malloc0(len);
|
||||
+ ar->gpe.en = g_malloc0(len);
|
||||
}
|
||||
|
||||
void acpi_gpe_reset(ACPIREGS *ar)
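Review bot: The doubled allocation in `acpi_gpe_init` now depends on an invariant that lives in another file (the ich9.c vmstate migrating `len` bytes while the accessors use `len / 2`), and the new comment records the TODO but not what happens if either side is changed alone. I would extend the comment with `* Shrinking these back to len / 2 without also changing the ich9.c vmstate buffer size reintroduces the heap overrun (CVE-2015-8666).` so the two sizes are not edited independently. Whether other callers of `acpi_gpe_init` migrate `len` or `len / 2` bytes is not visible in this hunk, so the comment should stay scoped to ich9.c as it is.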
|
|
@ -0,0 +1,73 @@
|
|||
From: Dana Rubin <dana.rubin@ravellosystems.com>
|
||||
Date: Tue, 18 Aug 2015 12:45:55 +0300
|
||||
Subject: [PATCH] net/vmxnet3: Refine l2 header validation
|
||||
|
||||
Validation of l2 header length assumed minimal packet size as
|
||||
eth_header + 2 * vlan_header regardless of the actual protocol.
|
||||
|
||||
This caused crash for valid non-IP packets shorter than 22 bytes, as
|
||||
'tx_pkt->packet_type' hasn't been assigned for such packets, and
|
||||
'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.
|
||||
|
||||
Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
|
||||
Check its return value during packet processing flow.
|
||||
|
||||
As a side effect, in case IPv4 and IPv6 header validation failure,
|
||||
corrupt packets will be dropped.
|
||||
|
||||
Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com>
|
||||
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit a7278b36fcab9af469563bd7b9dadebe2ae25e48)
|
||||
---
|
||||
hw/net/vmxnet3.c | 4 +---
|
||||
hw/net/vmxnet_tx_pkt.c | 19 ++++++++++++++++---
|
||||
2 files changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index dfb328d..aa81a38 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
|
||||
}
|
||||
|
||||
if (txd.eop) {
|
||||
- if (!s->skip_current_tx_pkt) {
|
||||
- vmxnet_tx_pkt_parse(s->tx_pkt);
|
||||
-
|
||||
+ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) {
|
||||
if (s->needs_vlan) {
|
||||
vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci);
|
||||
}
|
||||
diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
|
||||
index f7344c4..eb88ddf 100644
|
||||
--- a/hw/net/vmxnet_tx_pkt.c
|
||||
+++ b/hw/net/vmxnet_tx_pkt.c
|
||||
@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
|
||||
|
||||
bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base,
|
||||
ETH_MAX_L2_HDR_LEN);
|
||||
- if (bytes_read < ETH_MAX_L2_HDR_LEN) {
|
||||
+ if (bytes_read < sizeof(struct eth_header)) {
|
||||
+ l2_hdr->iov_len = 0;
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ l2_hdr->iov_len = sizeof(struct eth_header);
|
||||
+ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) {
|
||||
+ case ETH_P_VLAN:
|
||||
+ l2_hdr->iov_len += sizeof(struct vlan_header);
|
||||
+ break;
|
||||
+ case ETH_P_DVLAN:
|
||||
+ l2_hdr->iov_len += 2 * sizeof(struct vlan_header);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (bytes_read < l2_hdr->iov_len) {
|
||||
l2_hdr->iov_len = 0;
|
||||
return false;
|
||||
- } else {
|
||||
- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base);
|
||||
}
|
||||
|
||||
l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len);
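Review bot: The new `switch` on `h_proto` in `vmxnet_tx_pkt_parse_headers` has no `default:` case, so the untagged-frame path is implicit and a reader (or `-Wswitch-default`) has to work out that leaving `iov_len` at `sizeof(struct eth_header)` is intended; add `default: /* untagged frame: plain Ethernet header */ break;` before the closing brace. The length check that follows is what makes the change a fix: `iov_len` is derived from the declared ethertype before `bytes_read` is compared against it, so a truncated tagged frame is rejected instead of parsed. In the vmxnet3.c hunk a failed parse now falls through to the code after the `if` block, which is outside this hunk, so whether a dropped packet is still completed and accounted for in the tx stats the commit message mentions cannot be verified here.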
|
|
@ -0,0 +1,34 @@
|
|||
From: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Date: Mon, 21 Sep 2015 17:09:02 +0300
|
||||
Subject: [PATCH] vmxnet3: Support reading IMR registers on bar0
|
||||
|
||||
Instead of asserting, return the actual IMR register value.
|
||||
This is aligned with what's returned on ESXi.
|
||||
|
||||
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Tested-by: Dana Rubin <dana.rubin@ravellosystems.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit c6048f849c7e3f009786df76206e895a69de032c)
|
||||
---
|
||||
hw/net/vmxnet3.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index aa81a38..c9caa94 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -1106,9 +1106,13 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
|
||||
static uint64_t
|
||||
vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size)
|
||||
{
|
||||
+ VMXNET3State *s = opaque;
|
||||
+
|
||||
if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR,
|
||||
VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) {
|
||||
- g_assert_not_reached();
|
||||
+ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR,
|
||||
+ VMXNET3_REG_ALIGN);
|
||||
+ return s->interrupt_states[l].is_masked;
|
||||
}
|
||||
|
||||
VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size);
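Review bot: `s->interrupt_states[l]` in `vmxnet3_io_bar0_read` is indexed with a value derived from a guest-controlled address, and the only thing keeping `l` below `VMXNET3_MAX_INTRS` is the `VMW_IS_MULTIREG_ADDR` guard two lines above; a comment tying the two together, `/* VMW_IS_MULTIREG_ADDR above bounds l to [0, VMXNET3_MAX_INTRS) */`, makes the bound explicit for anyone later editing either line. The value is returned as `is_masked` widened to `uint64_t`; the commit message says this matches ESXi, but nothing in the hunk documents the register encoding, so a one-line comment stating that the IMR read returns the mask bit would help. The function continues past the end of this hunk.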
|
32
qemu.spec
32
qemu.spec
|
@ -43,7 +43,7 @@
|
|||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.3.1
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
|
@ -71,11 +71,10 @@ Source12: bridge.conf
|
|||
# qemu-kvm back compat wrapper
|
||||
Source13: qemu-kvm.sh
|
||||
|
||||
# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz
|
||||
# #1222894)
|
||||
# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)
|
||||
Patch0001: 0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch
|
||||
# Fix: qemu-img: error while compressing sector <NNN>: Input/output
|
||||
# error (bz #1214855)
|
||||
# Fix: qemu-img: error while compressing sector <NNN>: Input/output error
|
||||
# (bz #1214855)
|
||||
Patch0002: 0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch
|
||||
# Fix qemu-img map crash for unaligned image (bz #1229394)
|
||||
Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
|
||||
|
@ -84,8 +83,8 @@ Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
|
|||
Patch0004: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
|
||||
# CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
|
||||
Patch0005: 0005-virtio-serial-fix-ANY_LAYOUT.patch
|
||||
# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
|
||||
# (bz #1255899)
|
||||
# CVE-2015-5225: heap memory corruption in vnc_refresh_server_surface (bz
|
||||
# #1255899)
|
||||
Patch0006: 0006-vnc-fix-memory-corruption-CVE-2015-5225.patch
|
||||
# Fix typo causing qemu-img to link against entire world (bz #1260996)
|
||||
Patch0007: 0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch
|
||||
|
@ -126,6 +125,17 @@ Patch0024: 0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
|
|||
Patch0025: 0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
|
||||
# vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
|
||||
Patch0026: 0026-ui-vnc-avoid-floating-point-exception.patch
|
||||
# CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)
|
||||
Patch0027: 0027-msix-implement-pba-write-but-read-only.patch
|
||||
# CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
|
||||
Patch0028: 0028-ehci-make-idt-processing-more-robust.patch
|
||||
# CVE-2015-8666: Heap-based buffer overrun during VM migration (bz #1294027)
|
||||
Patch0029: 0029-acpi-fix-buffer-overrun-on-migration.patch
|
||||
# CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440)
|
||||
Patch0030: 0030-net-vmxnet3-Refine-l2-header-validation.patch
|
||||
# CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz
|
||||
# #1295442)
|
||||
Patch0031: 0031-vmxnet3-Support-reading-IMR-registers-on-bar0.patch
|
||||
|
||||
BuildRequires: SDL2-devel
|
||||
BuildRequires: zlib-devel
|
||||
|
@ -1228,6 +1238,14 @@ getent passwd qemu >/dev/null || \
|
|||
|
||||
|
||||
%changelog
|
||||
* Sat Jan 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-10
|
||||
- CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)
|
||||
- CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
|
||||
- CVE-2015-8666: Heap-based buffer overrun during VM migration (bz #1294027)
|
||||
- CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440)
|
||||
- CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz
|
||||
#1295442)
|
||||
|
||||
* Tue Dec 08 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-9
|
||||
- vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
|
||||
|
||||
|
|