From 3a13ddd5148f36dd22979001991bda4fafb9430a Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Sat, 15 Oct 2016 22:24:48 -0400 Subject: [PATCH] CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463) CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz #1373480) CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) CVE-2016-7157: mptsas: invalid memory access (bz #1373505) CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777) CVE-2016-7422: virtio: null pointer dereference (bz #1376756) CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669) --- ...-page-count-while-initialising-descr.patch | 82 +++++++++++++++++++ ...i-pvscsi-limit-loop-to-fetch-SG-list.patch | 61 ++++++++++++++ ...i-limit-process-IO-loop-to-ring-size.patch | 35 ++++++++ ...orrect-bitmap-and-pixmap-size-checks.patch | 42 ++++++++++ ...i-mptconfig-fix-an-assert-expression.patch | 33 ++++++++ ...fig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch | 37 +++++++++ ...hci-fix-memory-leak-in-usb_xhci_exit.patch | 29 +++++++ ...g_new0-to-allocate-MPTSASRequest-obj.patch | 32 ++++++++ ...heck-for-descriptor-s-mapped-address.patch | 35 ++++++++ ...et-mcf-limit-buffer-descriptor-count.patch | 49 +++++++++++ ...umber-of-link-trbs-we-are-willing-to.patch | 65 +++++++++++++++ ...-fix-memory-leak-in-ehci_process_itd.patch | 29 +++++++ ...te-buffers-before-waking-up-the-host.patch | 50 +++++++++++ qemu-2.7.0-usb-redirect-wakeup.patch | 29 ------- qemu.spec | 44 +++++++++- 15 files changed, 621 insertions(+), 31 deletions(-) create mode 100644 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch create mode 100644 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch create mode 100644 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch create mode 100644 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch create mode 100644 0005-scsi-mptconfig-fix-an-assert-expression.patch create mode 100644 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch create mode 100644 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch create mode 100644 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch create mode 100644 0009-virtio-add-check-for-descriptor-s-mapped-address.patch create mode 100644 0010-net-mcf-limit-buffer-descriptor-count.patch create mode 100644 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch create mode 100644 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch create mode 100644 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch delete mode 100644 qemu-2.7.0-usb-redirect-wakeup.patch diff --git a/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch b/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch new file mode 100644 index 0000000..57b7b9b --- /dev/null +++ b/0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch @@ -0,0 +1,82 @@ +From: Prasad J Pandit +Date: Wed, 31 Aug 2016 12:19:29 +0530 +Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor + rings + +Vmware Paravirtual SCSI emulation uses command descriptors to +process SCSI commands. These descriptors come with their ring +buffers. A guest could set the page count for these rings to +an arbitrary value, leading to infinite loop or OOB access. +Add check to avoid it. + +Reported-by: Tom Victor +Signed-off-by: Prasad J Pandit +Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753) +--- + hw/scsi/vmw_pvscsi.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 5116f4a..4245c15 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input) + return log; + } + +-static int ++static void + pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + { + int i; +@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + uint32_t req_ring_size, cmp_ring_size; + m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; + +- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) +- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { +- return -1; +- } + req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; + txr_len_log2 = pvscsi_log2(req_ring_size - 1); +@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + + /* Flush ring state page changes */ + smp_wmb(); +- +- return 0; + } + + static int +@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc) + + trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages); + for (i = 0; i < rc->cmpRingNumPages; i++) { +- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]); ++ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]); + } + } + +@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) + + trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); + +- pvscsi_dbg_dump_tx_rings_config(rc); +- if (pvscsi_ring_init_data(&s->rings, rc) < 0) { ++ if (!rc->reqRingNumPages ++ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES ++ || !rc->cmpRingNumPages ++ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) { + return PVSCSI_COMMAND_PROCESSING_FAILED; + } + ++ pvscsi_dbg_dump_tx_rings_config(rc); ++ pvscsi_ring_init_data(&s->rings, rc); ++ + s->rings_info_valid = TRUE; + return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; + } diff --git a/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch b/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch new file mode 100644 index 0000000..89ae98d --- /dev/null +++ b/0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch @@ -0,0 +1,61 @@ +From: Prasad J Pandit +Date: Tue, 6 Sep 2016 02:20:43 +0530 +Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list + +In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very +long time or go into an infinite loop due to two different bugs: + +1) the request descriptor data length is defined to be 64 bit. While +building SG list from a request descriptor, it gets truncated to 32bit +in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop +situation large 'dataLen' values when data_length is cast to uint32_t and +chunk_size becomes always zero. Fix this by removing the incorrect cast. + +2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the +element has a zero length. Get out of the loop early when this happens, +by introducing an upper limit on the number of SG list elements. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8) +--- + hw/scsi/vmw_pvscsi.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 4245c15..babac5a 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -40,6 +40,8 @@ + #define PVSCSI_MAX_DEVS (64) + #define PVSCSI_MSIX_NUM_VECTORS (1) + ++#define PVSCSI_MAX_SG_ELEM 2048 ++ + #define PVSCSI_MAX_CMD_DATA_WORDS \ + (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) + +@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d, + static void + pvscsi_convert_sglist(PVSCSIRequest *r) + { +- int chunk_size; ++ uint32_t chunk_size, elmcnt = 0; + uint64_t data_length = r->req.dataLen; + PVSCSISGState sg = r->sg; +- while (data_length) { +- while (!sg.resid) { ++ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) { ++ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) { + pvscsi_get_next_sg_elem(&sg); + trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, + r->sg.resid); + } +- assert(data_length > 0); +- chunk_size = MIN((unsigned) data_length, sg.resid); ++ chunk_size = MIN(data_length, sg.resid); + if (chunk_size) { + qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); + } diff --git a/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch new file mode 100644 index 0000000..9280e15 --- /dev/null +++ b/0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch @@ -0,0 +1,35 @@ +From: Prasad J Pandit +Date: Wed, 14 Sep 2016 15:09:12 +0530 +Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size + +Vmware Paravirtual SCSI emulator while processing IO requests +could run into an infinite loop if 'pvscsi_ring_pop_req_descr' +always returned positive value. Limit IO loop to the ring size. + +Cc: qemu-stable@nongnu.org +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9) +--- + hw/scsi/vmw_pvscsi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index babac5a..a5ce7de 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -247,8 +247,11 @@ static hwaddr + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) + { + uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); ++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING ++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + +- if (ready_ptr != mgr->consumed_ptr) { ++ if (ready_ptr != mgr->consumed_ptr ++ && ready_ptr - mgr->consumed_ptr < ring_size) { + uint32_t next_ready_ptr = + mgr->consumed_ptr++ & mgr->txr_len_mask; + uint32_t next_ready_page = diff --git a/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch new file mode 100644 index 0000000..91a9b52 --- /dev/null +++ b/0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch @@ -0,0 +1,42 @@ +From: Prasad J Pandit +Date: Thu, 8 Sep 2016 18:15:54 +0530 +Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks + +When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, +the computed BITMAP and PIXMAP size are checked against the +'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. +Correct these checks to avoid OOB memory access. + +Reported-by: Qinghao Tang +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db) +--- + hw/display/vmware_vga.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index e51a05e..6599cf0 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + cursor.bpp = vmsvga_fifo_read(s); + + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); +- if (cursor.width > 256 || +- cursor.height > 256 || +- cursor.bpp > 32 || +- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || +- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { ++ if (cursor.width > 256 ++ || cursor.height > 256 ++ || cursor.bpp > 32 ++ || SVGA_BITMAP_SIZE(x, y) ++ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) ++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) ++ > sizeof(cursor.image) / sizeof(cursor.image[0])) { + goto badcmd; + } + diff --git a/0005-scsi-mptconfig-fix-an-assert-expression.patch b/0005-scsi-mptconfig-fix-an-assert-expression.patch new file mode 100644 index 0000000..75ba430 --- /dev/null +++ b/0005-scsi-mptconfig-fix-an-assert-expression.patch @@ -0,0 +1,33 @@ +From: Prasad J Pandit +Date: Wed, 31 Aug 2016 17:36:07 +0530 +Subject: [PATCH] scsi: mptconfig: fix an assert expression + +When LSI SAS1068 Host Bus emulator builds configuration page +headers, mptsas_config_pack() should assert that the size +fits in a byte. However, the size is expressed in 32-bit +units, so up to 1020 bytes fit. The assertion was only +allowing replies up to 252 bytes, so fix it. + +Suggested-by: Paolo Bonzini +Signed-off-by: Prasad J Pandit +Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6) +--- + hw/scsi/mptconfig.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c +index 7071854..3e4f400 100644 +--- a/hw/scsi/mptconfig.c ++++ b/hw/scsi/mptconfig.c +@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...) + va_end(ap); + + if (data) { +- assert(ret < 256 && (ret % 4) == 0); ++ assert(ret / 4 < 256 && (ret % 4) == 0); + stb_p(*data + 1, ret / 4); + } + return ret; diff --git a/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch b/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch new file mode 100644 index 0000000..8be70e0 --- /dev/null +++ b/0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch @@ -0,0 +1,37 @@ +From: Paolo Bonzini +Date: Mon, 29 Aug 2016 11:35:37 +0200 +Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK + +These issues cause respectively a QEMU crash and a leak of 2 bytes of +stack. They were discovered by VictorV of 360 Marvel Team. + +Reported-by: Tom Victor +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d) +--- + hw/scsi/mptconfig.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c +index 3e4f400..87a416a 100644 +--- a/hw/scsi/mptconfig.c ++++ b/hw/scsi/mptconfig.c +@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address + { + /* VPD - all zeros */ + return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00, +- "s256"); ++ "*s256"); + } + + static +@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address) + return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01, + "*l*lwwb*b*b*blww", + pcic->vendor_id, pcic->device_id, pcic->revision, +- pcic->subsystem_vendor_id, ++ pcic->class_id, pcic->subsystem_vendor_id, + pcic->subsystem_id); + } + diff --git a/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch b/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch new file mode 100644 index 0000000..d47fccf --- /dev/null +++ b/0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch @@ -0,0 +1,29 @@ +From: Li Qiang +Date: Tue, 13 Sep 2016 03:20:03 -0700 +Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit + +If the xhci uses msix, it doesn't free the corresponding +memory, thus leading a memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e) +--- + hw/usb/hcd-xhci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 188f954..281a2a5 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev) + /* destroy msix memory region */ + if (dev->msix_table && dev->msix_pba + && dev->msix_entry_used) { +- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio); +- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio); ++ msix_uninit(dev, &xhci->mem, &xhci->mem); + } + + usb_bus_release(&xhci->bus); diff --git a/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch new file mode 100644 index 0000000..41c48b3 --- /dev/null +++ b/0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch @@ -0,0 +1,32 @@ +From: Li Qiang +Date: Mon, 12 Sep 2016 18:14:11 +0530 +Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object + +When processing IO request in mptsas, it uses g_new to allocate +a 'req' object. If an error occurs before 'req->sreq' is +allocated, It could lead to an OOB write in mptsas_free_request +function. Use g_new0 to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5) +--- + hw/scsi/mptsas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index 0e0a22f..eaae1bb 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, + goto bad; + } + +- req = g_new(MPTSASRequest, 1); ++ req = g_new0(MPTSASRequest, 1); + QTAILQ_INSERT_TAIL(&s->pending, req, next); + req->scsi_io = *scsi_io; + req->dev = s; diff --git a/0009-virtio-add-check-for-descriptor-s-mapped-address.patch b/0009-virtio-add-check-for-descriptor-s-mapped-address.patch new file mode 100644 index 0000000..d663896 --- /dev/null +++ b/0009-virtio-add-check-for-descriptor-s-mapped-address.patch @@ -0,0 +1,35 @@ +From: Prasad J Pandit +Date: Mon, 19 Sep 2016 23:55:45 +0530 +Subject: [PATCH] virtio: add check for descriptor's mapped address + +virtio back end uses set of buffers to facilitate I/O operations. +If its size is too large, 'cpu_physical_memory_map' could return +a null address. This would result in a null dereference while +un-mapping descriptors. Add check to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Laszlo Ersek +(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0) +--- + hw/virtio/virtio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 74c085c..eabe573 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove + } + + iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); ++ if (!iov[num_sg].iov_base) { ++ error_report("virtio: bogus descriptor or out of resources"); ++ exit(1); ++ } ++ + iov[num_sg].iov_len = len; + addr[num_sg] = pa; + diff --git a/0010-net-mcf-limit-buffer-descriptor-count.patch b/0010-net-mcf-limit-buffer-descriptor-count.patch new file mode 100644 index 0000000..ae05c63 --- /dev/null +++ b/0010-net-mcf-limit-buffer-descriptor-count.patch @@ -0,0 +1,49 @@ +From: Prasad J Pandit +Date: Thu, 22 Sep 2016 16:02:37 +0530 +Subject: [PATCH] net: mcf: limit buffer descriptor count + +ColdFire Fast Ethernet Controller uses buffer descriptors to manage +data flow to/fro receive & transmit queues. While transmitting +packets, it could continue to read buffer descriptors if a buffer +descriptor has length of zero and has crafted values in bd.flags. +Set upper limit to number of buffer descriptors. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Paolo Bonzini +Signed-off-by: Jason Wang +(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a) +--- + hw/net/mcf_fec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c +index 0ee8ad9..d31fea1 100644 +--- a/hw/net/mcf_fec.c ++++ b/hw/net/mcf_fec.c +@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) + #define DPRINTF(fmt, ...) do {} while(0) + #endif + ++#define FEC_MAX_DESC 1024 + #define FEC_MAX_FRAME_SIZE 2032 + + typedef struct { +@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) + uint32_t addr; + mcf_fec_bd bd; + int frame_size; +- int len; ++ int len, descnt = 0; + uint8_t frame[FEC_MAX_FRAME_SIZE]; + uint8_t *ptr; + +@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) + ptr = frame; + frame_size = 0; + addr = s->tx_descriptor; +- while (1) { ++ while (descnt++ < FEC_MAX_DESC) { + mcf_fec_read_bd(&bd, addr); + DPRINTF("tx_bd %x flags %04x len %d data %08x\n", + addr, bd.flags, bd.length, bd.data); diff --git a/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch b/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch new file mode 100644 index 0000000..03b7429 --- /dev/null +++ b/0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch @@ -0,0 +1,65 @@ +From: Gerd Hoffmann +Date: Mon, 10 Oct 2016 12:46:22 +0200 +Subject: [PATCH] xhci: limit the number of link trbs we are willing to process + +Needed to avoid we run in circles forever in case the guest builds +an endless loop with link trbs. + +Reported-by: Li Qiang +Tested-by: P J P +Signed-off-by: Gerd Hoffmann +Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com +(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce) +--- + hw/usb/hcd-xhci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 281a2a5..8a9a31a 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -54,6 +54,8 @@ + * to the specs when it gets them */ + #define ER_FULL_HACK + ++#define TRB_LINK_LIMIT 4 ++ + #define LEN_CAP 0x40 + #define LEN_OPER (0x400 + 0x10 * MAXPORTS) + #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) +@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + dma_addr_t *addr) + { + PCIDevice *pci_dev = PCI_DEVICE(xhci); ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + ring->dequeue += TRB_SIZE; + return type; + } else { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return 0; ++ } + ring->dequeue = xhci_mask64(trb->parameter); + if (trb->control & TRB_LK_TC) { + ring->ccs = !ring->ccs; +@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + bool ccs = ring->ccs; + /* hack to bundle together the two/three TDs that make a setup transfer */ + bool control_td_set = 0; ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + type = TRB_TYPE(trb); + + if (type == TR_LINK) { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return -length; ++ } + dequeue = xhci_mask64(trb.parameter); + if (trb.control & TRB_LK_TC) { + ccs = !ccs; diff --git a/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch b/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch new file mode 100644 index 0000000..e7c7aa3 --- /dev/null +++ b/0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch @@ -0,0 +1,29 @@ +From: Li Qiang +Date: Sun, 18 Sep 2016 19:48:35 -0700 +Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd + +While processing isochronous transfer descriptors(iTD), if the page +select(PG) field value is out of bands it will return. In this +situation the ehci's sg list is not freed thus leading to a memory +leak issue. This patch avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Thomas Huth +Signed-off-by: Michael Tokarev +(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a) +--- + hw/usb/hcd-ehci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index b093db7..f4ece9a 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, + if (off + len > 4096) { + /* transfer crosses page border */ + if (pg == 6) { ++ qemu_sglist_destroy(&ehci->isgl); + return -1; /* avoid page pg + 1 */ + } + ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); diff --git a/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch b/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch new file mode 100644 index 0000000..521e879 --- /dev/null +++ b/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch @@ -0,0 +1,50 @@ +From: Hans de Goede +Date: Mon, 10 Oct 2016 12:45:13 +0200 +Subject: [PATCH] usb-redir: allocate buffers before waking up the host adapter + +Needed to make sure usb redirection is prepared to actually handle the +callback from the usb host adapter. Without this interrupt endpoints +don't work on xhci. + +Note: On ehci the usb_wakeup() call only schedules a BH for the actual +work, which hides this bug because the allocation happens before ehci +calls back even without this patch. + +Signed-off-by: Hans de Goede +Message-id: 1476096313-7730-1-git-send-email-kraxel@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit d5c42857d6b0c35028897df8dfc3749eba6f6de3) +--- + hw/usb/redirect.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index 444672a..d4ca026 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id, + } + + if (ep & USB_DIR_IN) { ++ bool q_was_empty; ++ + if (dev->endpoint[EP2I(ep)].interrupt_started == 0) { + DPRINTF("received int packet while not started ep %02X\n", ep); + free(data); + return; + } + +- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) { +- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0); +- } ++ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq); + + /* bufp_alloc also adds the packet to the ep queue */ + bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data); ++ ++ if (q_was_empty) { ++ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0); ++ } + } else { + /* + * We report output interrupt packets as completed directly upon diff --git a/qemu-2.7.0-usb-redirect-wakeup.patch b/qemu-2.7.0-usb-redirect-wakeup.patch deleted file mode 100644 index e8e4a47..0000000 --- a/qemu-2.7.0-usb-redirect-wakeup.patch +++ /dev/null @@ -1,29 +0,0 @@ -diff -up qemu-2.7.0/hw/usb/redirect.c~ qemu-2.7.0/hw/usb/redirect.c ---- qemu-2.7.0/hw/usb/redirect.c~ 2016-09-02 17:34:20.000000000 +0200 -+++ qemu-2.7.0/hw/usb/redirect.c 2016-10-10 09:18:35.319562664 +0200 -@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(vo - } - - if (ep & USB_DIR_IN) { -+ bool q_was_empty; -+ - if (dev->endpoint[EP2I(ep)].interrupt_started == 0) { - DPRINTF("received int packet while not started ep %02X\n", ep); - free(data); - return; - } - -- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) { -- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0); -- } -+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq); - - /* bufp_alloc also adds the packet to the ep queue */ - bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data); -+ -+ if (q_was_empty) { -+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0); -+ } - } else { - /* - * We report output interrupt packets as completed directly upon diff --git a/qemu.spec b/qemu.spec index db22bae..5757eb5 100644 --- a/qemu.spec +++ b/qemu.spec @@ -68,7 +68,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.7.0 -Release: 3%{?rcrel}%{?dist} +Release: 4%{?rcrel}%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -100,7 +100,33 @@ Source20: kvm.conf # /etc/sysctl.d/50-kvm-s390x.conf Source21: 50-kvm-s390x.conf -Patch1: qemu-2.7.0-usb-redirect-wakeup.patch +# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463) +Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch +# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) +Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch +# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz +# #1373480) +Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch +# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) +Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch +# CVE-2016-7157: mptsas: invalid memory access (bz #1373505) +Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch +Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch +# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) +Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch +# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777) +Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch +# CVE-2016-7422: virtio: null pointer dereference (bz #1376756) +Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch +# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) +Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch +# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) +Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch +# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669) +Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch +# Fix interrupt endpoints not working with network/spice USB redirection on +# guest with an emulated xhci controller (bz #1382331) +Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch # documentation deps BuildRequires: texi2html @@ -1565,6 +1591,20 @@ getent passwd qemu >/dev/null || \ %changelog +* Sat Oct 15 2016 Cole Robinson - 2:2.7.0-4 +- CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463) +- CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) +- CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz + #1373480) +- CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) +- CVE-2016-7157: mptsas: invalid memory access (bz #1373505) +- CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) +- CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777) +- CVE-2016-7422: virtio: null pointer dereference (bz #1376756) +- CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) +- CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) +- CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669) + * Mon Oct 10 2016 Hans de Goede - 2:2.7.0-3 - Fix interrupt endpoints not working with network/spice USB redirection on guest with an emulated xhci controller (rhbz#1382331)