CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)

CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz #1373480)
CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
This commit is contained in:
Cole Robinson 2016-10-15 22:24:48 -04:00
parent a2729a240b
commit 3a13ddd514
15 changed files with 621 additions and 31 deletions

View File

@ -0,0 +1,82 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 31 Aug 2016 12:19:29 +0530
Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
rings
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the page count for these rings to
an arbitrary value, leading to infinite loop or OOB access.
Add check to avoid it.
Reported-by: Tom Victor <vv474172261@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
---
hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 5116f4a..4245c15 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
return log;
}
-static int
+static void
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
{
int i;
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
uint32_t req_ring_size, cmp_ring_size;
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
- return -1;
- }
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
/* Flush ring state page changes */
smp_wmb();
-
- return 0;
}
static int
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
for (i = 0; i < rc->cmpRingNumPages; i++) {
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
}
}
@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
- pvscsi_dbg_dump_tx_rings_config(rc);
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
+ if (!rc->reqRingNumPages
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
+ || !rc->cmpRingNumPages
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
return PVSCSI_COMMAND_PROCESSING_FAILED;
}
+ pvscsi_dbg_dump_tx_rings_config(rc);
+ pvscsi_ring_init_data(&s->rings, rc);
+
s->rings_info_valid = TRUE;
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
}

View File

@ -0,0 +1,61 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 6 Sep 2016 02:20:43 +0530
Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
long time or go into an infinite loop due to two different bugs:
1) the request descriptor data length is defined to be 64 bit. While
building SG list from a request descriptor, it gets truncated to 32bit
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
situation large 'dataLen' values when data_length is cast to uint32_t and
chunk_size becomes always zero. Fix this by removing the incorrect cast.
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
element has a zero length. Get out of the loop early when this happens,
by introducing an upper limit on the number of SG list elements.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
---
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 4245c15..babac5a 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -40,6 +40,8 @@
#define PVSCSI_MAX_DEVS (64)
#define PVSCSI_MSIX_NUM_VECTORS (1)
+#define PVSCSI_MAX_SG_ELEM 2048
+
#define PVSCSI_MAX_CMD_DATA_WORDS \
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
static void
pvscsi_convert_sglist(PVSCSIRequest *r)
{
- int chunk_size;
+ uint32_t chunk_size, elmcnt = 0;
uint64_t data_length = r->req.dataLen;
PVSCSISGState sg = r->sg;
- while (data_length) {
- while (!sg.resid) {
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
pvscsi_get_next_sg_elem(&sg);
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
r->sg.resid);
}
- assert(data_length > 0);
- chunk_size = MIN((unsigned) data_length, sg.resid);
+ chunk_size = MIN(data_length, sg.resid);
if (chunk_size) {
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
}

View File

@ -0,0 +1,35 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 14 Sep 2016 15:09:12 +0530
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
Vmware Paravirtual SCSI emulator while processing IO requests
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned positive value. Limit IO loop to the ring size.
Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
---
hw/scsi/vmw_pvscsi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index babac5a..a5ce7de 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -247,8 +247,11 @@ static hwaddr
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
{
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- if (ready_ptr != mgr->consumed_ptr) {
+ if (ready_ptr != mgr->consumed_ptr
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
uint32_t next_ready_ptr =
mgr->consumed_ptr++ & mgr->txr_len_mask;
uint32_t next_ready_page =

View File

@ -0,0 +1,42 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 8 Sep 2016 18:15:54 +0530
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
the computed BITMAP and PIXMAP size are checked against the
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
Correct these checks to avoid OOB memory access.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
---
hw/display/vmware_vga.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index e51a05e..6599cf0 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.bpp = vmsvga_fifo_read(s);
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
- if (cursor.width > 256 ||
- cursor.height > 256 ||
- cursor.bpp > 32 ||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+ if (cursor.width > 256
+ || cursor.height > 256
+ || cursor.bpp > 32
+ || SVGA_BITMAP_SIZE(x, y)
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
goto badcmd;
}

View File

@ -0,0 +1,33 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 31 Aug 2016 17:36:07 +0530
Subject: [PATCH] scsi: mptconfig: fix an assert expression
When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() should assert that the size
fits in a byte. However, the size is expressed in 32-bit
units, so up to 1020 bytes fit. The assertion was only
allowing replies up to 252 bytes, so fix it.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 7071854..3e4f400 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
va_end(ap);
if (data) {
- assert(ret < 256 && (ret % 4) == 0);
+ assert(ret / 4 < 256 && (ret % 4) == 0);
stb_p(*data + 1, ret / 4);
}
return ret;

View File

@ -0,0 +1,37 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 29 Aug 2016 11:35:37 +0200
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
These issues cause respectively a QEMU crash and a leak of 2 bytes of
stack. They were discovered by VictorV of 360 Marvel Team.
Reported-by: Tom Victor <i-tangtianwen@360.cm>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
---
hw/scsi/mptconfig.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 3e4f400..87a416a 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
{
/* VPD - all zeros */
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
- "s256");
+ "*s256");
}
static
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
"*l*lwwb*b*b*blww",
pcic->vendor_id, pcic->device_id, pcic->revision,
- pcic->subsystem_vendor_id,
+ pcic->class_id, pcic->subsystem_vendor_id,
pcic->subsystem_id);
}

View File

@ -0,0 +1,29 @@
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 13 Sep 2016 03:20:03 -0700
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
If the xhci uses msix, it doesn't free the corresponding
memory, thus leading a memory leak. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
---
hw/usb/hcd-xhci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 188f954..281a2a5 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
/* destroy msix memory region */
if (dev->msix_table && dev->msix_pba
&& dev->msix_entry_used) {
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
}
usb_bus_release(&xhci->bus);

View File

@ -0,0 +1,32 @@
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 12 Sep 2016 18:14:11 +0530
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
---
hw/scsi/mptsas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 0e0a22f..eaae1bb 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
goto bad;
}
- req = g_new(MPTSASRequest, 1);
+ req = g_new0(MPTSASRequest, 1);
QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;

View File

@ -0,0 +1,35 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 19 Sep 2016 23:55:45 +0530
Subject: [PATCH] virtio: add check for descriptor's mapped address
virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference while
un-mapping descriptors. Add check to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
---
hw/virtio/virtio.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 74c085c..eabe573 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
}
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
+ if (!iov[num_sg].iov_base) {
+ error_report("virtio: bogus descriptor or out of resources");
+ exit(1);
+ }
+
iov[num_sg].iov_len = len;
addr[num_sg] = pa;

View File

@ -0,0 +1,49 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 22 Sep 2016 16:02:37 +0530
Subject: [PATCH] net: mcf: limit buffer descriptor count
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
---
hw/net/mcf_fec.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
#define DPRINTF(fmt, ...) do {} while(0)
#endif
+#define FEC_MAX_DESC 1024
#define FEC_MAX_FRAME_SIZE 2032
typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
uint32_t addr;
mcf_fec_bd bd;
int frame_size;
- int len;
+ int len, descnt = 0;
uint8_t frame[FEC_MAX_FRAME_SIZE];
uint8_t *ptr;
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
ptr = frame;
frame_size = 0;
addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < FEC_MAX_DESC) {
mcf_fec_read_bd(&bd, addr);
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
addr, bd.flags, bd.length, bd.data);

View File

@ -0,0 +1,65 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 10 Oct 2016 12:46:22 +0200
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
Needed to avoid we run in circles forever in case the guest builds
an endless loop with link trbs.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
---
hw/usb/hcd-xhci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 281a2a5..8a9a31a 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@
* to the specs when it gets them */
#define ER_FULL_HACK
+#define TRB_LINK_LIMIT 4
+
#define LEN_CAP 0x40
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
dma_addr_t *addr)
{
PCIDevice *pci_dev = PCI_DEVICE(xhci);
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
ring->dequeue += TRB_SIZE;
return type;
} else {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return 0;
+ }
ring->dequeue = xhci_mask64(trb->parameter);
if (trb->control & TRB_LK_TC) {
ring->ccs = !ring->ccs;
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool ccs = ring->ccs;
/* hack to bundle together the two/three TDs that make a setup transfer */
bool control_td_set = 0;
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
type = TRB_TYPE(trb);
if (type == TR_LINK) {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return -length;
+ }
dequeue = xhci_mask64(trb.parameter);
if (trb.control & TRB_LK_TC) {
ccs = !ccs;

View File

@ -0,0 +1,29 @@
From: Li Qiang <liqiang6-s@360.cn>
Date: Sun, 18 Sep 2016 19:48:35 -0700
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
While processing isochronous transfer descriptors(iTD), if the page
select(PG) field value is out of bands it will return. In this
situation the ehci's sg list is not freed thus leading to a memory
leak issue. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
---
hw/usb/hcd-ehci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
if (off + len > 4096) {
/* transfer crosses page border */
if (pg == 6) {
+ qemu_sglist_destroy(&ehci->isgl);
return -1; /* avoid page pg + 1 */
}
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);

View File

@ -0,0 +1,50 @@
From: Hans de Goede <hdegoede@redhat.com>
Date: Mon, 10 Oct 2016 12:45:13 +0200
Subject: [PATCH] usb-redir: allocate buffers before waking up the host adapter
Needed to make sure usb redirection is prepared to actually handle the
callback from the usb host adapter. Without this interrupt endpoints
don't work on xhci.
Note: On ehci the usb_wakeup() call only schedules a BH for the actual
work, which hides this bug because the allocation happens before ehci
calls back even without this patch.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Message-id: 1476096313-7730-1-git-send-email-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d5c42857d6b0c35028897df8dfc3749eba6f6de3)
---
hw/usb/redirect.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 444672a..d4ca026 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,
}
if (ep & USB_DIR_IN) {
+ bool q_was_empty;
+
if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
DPRINTF("received int packet while not started ep %02X\n", ep);
free(data);
return;
}
- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
- }
+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
/* bufp_alloc also adds the packet to the ep queue */
bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
+
+ if (q_was_empty) {
+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
+ }
} else {
/*
* We report output interrupt packets as completed directly upon

View File

@ -1,29 +0,0 @@
diff -up qemu-2.7.0/hw/usb/redirect.c~ qemu-2.7.0/hw/usb/redirect.c
--- qemu-2.7.0/hw/usb/redirect.c~ 2016-09-02 17:34:20.000000000 +0200
+++ qemu-2.7.0/hw/usb/redirect.c 2016-10-10 09:18:35.319562664 +0200
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(vo
}
if (ep & USB_DIR_IN) {
+ bool q_was_empty;
+
if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
DPRINTF("received int packet while not started ep %02X\n", ep);
free(data);
return;
}
- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
- }
+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
/* bufp_alloc also adds the packet to the ep queue */
bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
+
+ if (q_was_empty) {
+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
+ }
} else {
/*
* We report output interrupt packets as completed directly upon

View File

@ -68,7 +68,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.7.0
Release: 3%{?rcrel}%{?dist}
Release: 4%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -100,7 +100,33 @@ Source20: kvm.conf
# /etc/sysctl.d/50-kvm-s390x.conf
Source21: 50-kvm-s390x.conf
Patch1: qemu-2.7.0-usb-redirect-wakeup.patch
# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
# #1373480)
Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
# Fix interrupt endpoints not working with network/spice USB redirection on
# guest with an emulated xhci controller (bz #1382331)
Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
# documentation deps
BuildRequires: texi2html
@ -1565,6 +1591,20 @@ getent passwd qemu >/dev/null || \
%changelog
* Sat Oct 15 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-4
- CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
- CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
- CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
#1373480)
- CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
- CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
- CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
- CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
- CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
- CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
- CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
- CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
* Mon Oct 10 2016 Hans de Goede <hdegoede@redhat.com> - 2:2.7.0-3
- Fix interrupt endpoints not working with network/spice USB redirection
on guest with an emulated xhci controller (rhbz#1382331)