CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)

CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
CVE-2015-8666: Heap-based buffer overrun during VM migration (bz #1294027)
CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440)
CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz #1295442)
Cole Robinson 2016-01-09 13:11:22 -05:00
parent 125cf24347
commit 14860a24cf
6 changed files with 276 additions and 7 deletions

@ -0,0 +1,57 @@
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Date: Fri, 26 Jun 2015 14:25:29 +0200
Subject: [PATCH] msix: implement pba write (but read-only)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
qpci_msix_pending() writes on pba region, causing qemu to SEGV:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
0x0000000000000000 in ?? ()
(gdb) bt
#0 0x0000000000000000 in ()
#1 0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
#2 0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e <memory_region_oldmmio_write_accessor>, mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
#3 0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at /home/elmarco/src/qemu/memory.c:1176
#4 0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 <address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
#5 0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
#6 0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80
#7 0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
#8 0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
#9 0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581
#10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
#11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
#12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122
(without this patch, this can be reproduced with the ivshmem qtest)
Implement an empty mmio write to avoid the crash.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 43b11a91dd861a946b231b89b7542856ade23d1b)
---
hw/pci/msix.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/pci/msix.c b/hw/pci/msix.c
index 24de260..68ab050 100644
--- a/hw/pci/msix.c
+++ b/hw/pci/msix.c
@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr,
return pci_get_long(dev->msix_pba + addr);
}
+static void msix_pba_mmio_write(void *opaque, hwaddr addr,
+ uint64_t val, unsigned size)
+{
+}
+
static const MemoryRegionOps msix_pba_mmio_ops = {
.read = msix_pba_mmio_read,
+ .write = msix_pba_mmio_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = {
.min_access_size = 4,
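Review bot: the new msix_pba_mmio_write() body is intentionally empty, but nothing in the hunk says so; a one-line comment such as `/* PBA is read-only: guest writes are silently ignored */` would stop a later reader from treating the empty body as an unfinished stub. It is also worth recording in the commit message that the crash came from the region having no .write callback at all (the backtrace shows a call through a NULL function pointer from memory_region_oldmmio_write_accessor), so that a missing .write on any other MemoryRegionOps with .valid access sizes is recognised as the same class of bug.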

@ -0,0 +1,45 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 14 Dec 2015 09:21:23 +0100
Subject: [PATCH] ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily running in circles forever if the guest builds a loop out of
idts.
This is CVE-2015-8558.
Cc: qemu-stable@nongnu.org
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
---
hw/usb/hcd-ehci.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index d4d7547..51d39c6 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
{
USBDevice *dev;
USBEndpoint *ep;
- uint32_t i, len, pid, dir, devaddr, endp;
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
uint32_t pg, off, ptr1, ptr2, max, mult;
ehci->periodic_sched_active = PERIODIC_ACTIVE;
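Review bot: `xfers` is added to the list of loop scratch variables without any indication of what it counts; since it is the only state that later decides whether the iTD is treated as an error, a short comment on the declaration (e.g. `uint32_t xfers = 0; /* transactions actually processed in this iTD */`) would make its purpose visible where it is introduced.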
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
ehci_raise_irq(ehci, USBSTS_INT);
}
itd->transact[i] &= ~ITD_XACT_ACTIVE;
+ xfers++;
}
}
- return 0;
+ return xfers ? 0 : -1;
}
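Review bot: `return xfers ? 0 : -1;` only helps if the caller stops walking the periodic schedule on a non-zero return, and that caller is not part of this hunk; the CVE-2015-8558 description names ehci_advance_state, so the review should confirm that the existing call site already breaks out of its loop on error rather than ignoring the value. A comment above the return explaining that an iTD with no active transaction is treated as an error precisely to break guest-constructed iTD loops would also document the security intent next to the code.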

@ -0,0 +1,42 @@
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 19 Nov 2015 15:14:07 +0200
Subject: [PATCH] acpi: fix buffer overrun on migration
ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
ICH9_PMIO_GPE0_LEN bytes are migrated.
As a quick work-around, allocate twice the memory.
We'll probably want to tweak code to avoid
migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
but that is a bit trickier to do without breaking
migration compatibility.
Tested-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit d9a3b33d2c9f996537b7f1d0246dee2d0120cefb)
---
hw/acpi/core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 51913d6..c505952 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -611,8 +611,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
{
ar->gpe.len = len;
- ar->gpe.sts = g_malloc0(len / 2);
- ar->gpe.en = g_malloc0(len / 2);
+ /* Only first len / 2 bytes are ever used,
+ * but the caller in ich9.c migrates full len bytes.
+ * TODO: fix ich9.c and drop the extra allocation.
+ */
+ ar->gpe.sts = g_malloc0(len);
+ ar->gpe.en = g_malloc0(len);
}
void acpi_gpe_reset(ACPIREGS *ar)
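Review bot: the doubled allocation applies to every caller of acpi_gpe_init(), not only the ich9 path the comment refers to; that is harmless because g_malloc0() zero-fills and, per the comment, only the first len / 2 bytes are ever used by the device model, but the comment should say so explicitly so nobody later "optimises" the non-ich9 callers back to len / 2 and reintroduces the overrun. The TODO should also name which side is wrong (the migration descriptor transferring len instead of len / 2 bytes) so the follow-up fix is unambiguous once migration compatibility can be handled.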

@ -0,0 +1,73 @@
From: Dana Rubin <dana.rubin@ravellosystems.com>
Date: Tue, 18 Aug 2015 12:45:55 +0300
Subject: [PATCH] net/vmxnet3: Refine l2 header validation
Validation of l2 header length assumed minimal packet size as
eth_header + 2 * vlan_header regardless of the actual protocol.
This caused a crash for valid non-IP packets shorter than 22 bytes, as
'tx_pkt->packet_type' hasn't been assigned for such packets, and
'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.
Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
Check its return value during packet processing flow.
As a side effect, in case of IPv4 and IPv6 header validation failure,
corrupt packets will be dropped.
Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com>
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit a7278b36fcab9af469563bd7b9dadebe2ae25e48)
---
hw/net/vmxnet3.c | 4 +---
hw/net/vmxnet_tx_pkt.c | 19 ++++++++++++++++---
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index dfb328d..aa81a38 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
}
if (txd.eop) {
- if (!s->skip_current_tx_pkt) {
- vmxnet_tx_pkt_parse(s->tx_pkt);
-
+ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) {
if (s->needs_vlan) {
vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci);
}
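Review bot: when vmxnet_tx_pkt_parse() returns false the packet is now dropped with no trace, which makes a guest driver emitting malformed frames hard to diagnose; a debug print or a drop counter at this point would help. The hunk also does not show what follows the `if` block, so confirm that the completion path for the dropped packet does not still call vmxnet3_on_tx_done_update_stats(), which the commit message says relies on packet_type having been set by a successful parse.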
diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
index f7344c4..eb88ddf 100644
--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base,
ETH_MAX_L2_HDR_LEN);
- if (bytes_read < ETH_MAX_L2_HDR_LEN) {
+ if (bytes_read < sizeof(struct eth_header)) {
+ l2_hdr->iov_len = 0;
+ return false;
+ }
+
+ l2_hdr->iov_len = sizeof(struct eth_header);
+ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) {
+ case ETH_P_VLAN:
+ l2_hdr->iov_len += sizeof(struct vlan_header);
+ break;
+ case ETH_P_DVLAN:
+ l2_hdr->iov_len += 2 * sizeof(struct vlan_header);
+ break;
+ }
+
+ if (bytes_read < l2_hdr->iov_len) {
l2_hdr->iov_len = 0;
return false;
- } else {
- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base);
}
l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len);
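Review bot: the new switch reimplements the ethertype-to-L2-length logic that the removed eth_get_l2_hdr_length() call presumably already encapsulates; keeping the helper and checking `bytes_read` against its result would leave the length computation in one place. As written, the length is derived only from the outermost ethertype, so a frame whose outer tag is ETH_P_VLAN and whose inner tag is also ETH_P_VLAN (rather than ETH_P_DVLAN) is sized as single-tagged; if the helper handles that case, this hunk changes behaviour for such frames beyond the short-packet fix described in the commit message. Separately, the check `bytes_read < sizeof(struct eth_header)` correctly rejects runts before the h_proto field is read, which is the actual fix for CVE-2015-8744 and deserves a comment saying so.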

@ -0,0 +1,34 @@
From: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Date: Mon, 21 Sep 2015 17:09:02 +0300
Subject: [PATCH] vmxnet3: Support reading IMR registers on bar0
Instead of asserting, return the actual IMR register value.
This is aligned with what's returned on ESXi.
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Tested-by: Dana Rubin <dana.rubin@ravellosystems.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit c6048f849c7e3f009786df76206e895a69de032c)
---
hw/net/vmxnet3.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index aa81a38..c9caa94 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1106,9 +1106,13 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
static uint64_t
vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size)
{
+ VMXNET3State *s = opaque;
+
if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR,
VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) {
- g_assert_not_reached();
+ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR,
+ VMXNET3_REG_ALIGN);
+ return s->interrupt_states[l].is_masked;
}
VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size);
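Review bot: the index `l` is only in range because VMW_IS_MULTIREG_ADDR() has already bounded addr to VMXNET3_MAX_INTRS entries before VMW_MULTIREG_IDX_BY_ADDR() is evaluated; a comment stating that dependency would keep the two macros from being separated later. A descriptive name such as `idx` instead of `l` (easily misread as `1`) would also help, and the read should be documented as returning the mask state, which the commit message says matches what ESXi returns, rather than any pending-interrupt state.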

@ -43,7 +43,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.3.1
Release: 9%{?dist}
Release: 10%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -71,11 +71,10 @@ Source12: bridge.conf
# qemu-kvm back compat wrapper
Source13: qemu-kvm.sh
# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz
# #1222894)
# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)
Patch0001: 0001-slirp-use-less-predictable-directory-name-in-tmp-for.patch
# Fix: qemu-img: error while compressing sector <NNN>: Input/output
# error (bz #1214855)
# Fix: qemu-img: error while compressing sector <NNN>: Input/output error
# (bz #1214855)
Patch0002: 0002-qcow2-Handle-EAGAIN-returned-from-update_refcount.patch
# Fix qemu-img map crash for unaligned image (bz #1229394)
Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
@ -84,8 +83,8 @@ Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
Patch0004: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
# CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
Patch0005: 0005-virtio-serial-fix-ANY_LAYOUT.patch
# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
# (bz #1255899)
# CVE-2015-5225: heap memory corruption in vnc_refresh_server_surface (bz
# #1255899)
Patch0006: 0006-vnc-fix-memory-corruption-CVE-2015-5225.patch
# Fix typo causing qemu-img to link against entire world (bz #1260996)
Patch0007: 0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch
@ -126,6 +125,17 @@ Patch0024: 0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
Patch0025: 0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
# vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
Patch0026: 0026-ui-vnc-avoid-floating-point-exception.patch
# CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)
Patch0027: 0027-msix-implement-pba-write-but-read-only.patch
# CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
Patch0028: 0028-ehci-make-idt-processing-more-robust.patch
# CVE-2015-8666: Heap-based buffer overrun during VM migration (bz #1294027)
Patch0029: 0029-acpi-fix-buffer-overrun-on-migration.patch
# CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440)
Patch0030: 0030-net-vmxnet3-Refine-l2-header-validation.patch
# CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz
# #1295442)
Patch0031: 0031-vmxnet3-Support-reading-IMR-registers-on-bar0.patch
BuildRequires: SDL2-devel
BuildRequires: zlib-devel
@ -1228,6 +1238,14 @@ getent passwd qemu >/dev/null || \
%changelog
* Sat Jan 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-10
- CVE-2015-7549: pci: null pointer dereference issue (bz #1291138)
- CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
- CVE-2015-8666: Heap-based buffer overrun during VM migration (bz #1294027)
- CVE-2015-8744: vmxnet3: fix crash with short packets (bz #1295440)
- CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz
#1295442)
* Tue Dec 08 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-9
- vnc: avoid floating point exceptions (bz #1289541, bz #1289542)