CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz #1373480) CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) CVE-2016-7157: mptsas: invalid memory access (bz #1373505) CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777) CVE-2016-7422: virtio: null pointer dereference (bz #1376756) CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
parent
a2729a240b
commit
3a13ddd514
@ -0,0 +1,82 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 12:19:29 +0530
|
||||
Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
|
||||
rings
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the page count for these rings to
|
||||
an arbitrary value, leading to infinite loop or OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Tom Victor <vv474172261@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
|
||||
1 file changed, 9 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 5116f4a..4245c15 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static int
|
||||
+static void
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
- return -1;
|
||||
- }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
-
|
||||
- return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
||||
|
||||
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
|
||||
for (i = 0; i < rc->cmpRingNumPages; i++) {
|
||||
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
||||
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
- pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
+ if (!rc->reqRingNumPages
|
||||
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
||||
+ || !rc->cmpRingNumPages
|
||||
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
||||
return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
}
|
||||
|
||||
+ pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
+ pvscsi_ring_init_data(&s->rings, rc);
|
||||
+
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
}
|
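Review bot: pvscsi_ring_init_data no longer checks anything itself (the `if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)` block is gone and the return type became void), so its correctness now rests on a precondition that only pvscsi_on_cmd_setup_rings enforces and nothing in the function states; a zero page count would make `req_ring_size - 1` wrap before reaching pvscsi_log2. Add above its signature: `/* Caller must have validated reqRingNumPages and cmpRingNumPages (1..PVSCSI_SETUP_RINGS_MAX_NUM_PAGES); a zero count wraps req_ring_size - 1 below. */`. Moving the check ahead of `pvscsi_dbg_dump_tx_rings_config(rc)` is what keeps its `reqRingPPNs[i]` / `cmpRingPPNs[i]` loops inside the arrays, which deserves its own line: `/* validate page counts before anything indexes the PPN arrays by them */`. Both functions continue outside the hunks.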
61
0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
@ -0,0 +1,61 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 6 Sep 2016 02:20:43 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
|
||||
|
||||
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
|
||||
long time or go into an infinite loop due to two different bugs:
|
||||
|
||||
1) the request descriptor data length is defined to be 64 bit. While
|
||||
building SG list from a request descriptor, it gets truncated to 32bit
|
||||
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
|
||||
situation large 'dataLen' values when data_length is cast to uint32_t and
|
||||
chunk_size becomes always zero. Fix this by removing the incorrect cast.
|
||||
|
||||
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
|
||||
element has a zero length. Get out of the loop early when this happens,
|
||||
by introducing an upper limit on the number of SG list elements.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 4245c15..babac5a 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
#define PVSCSI_MAX_DEVS (64)
|
||||
#define PVSCSI_MSIX_NUM_VECTORS (1)
|
||||
|
||||
+#define PVSCSI_MAX_SG_ELEM 2048
|
||||
+
|
||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
||||
- int chunk_size;
|
||||
+ uint32_t chunk_size, elmcnt = 0;
|
||||
uint64_t data_length = r->req.dataLen;
|
||||
PVSCSISGState sg = r->sg;
|
||||
- while (data_length) {
|
||||
- while (!sg.resid) {
|
||||
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
||||
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
||||
pvscsi_get_next_sg_elem(&sg);
|
||||
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
|
||||
r->sg.resid);
|
||||
}
|
||||
- assert(data_length > 0);
|
||||
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
||||
+ chunk_size = MIN(data_length, sg.resid);
|
||||
if (chunk_size) {
|
||||
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
|
||||
}
|
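Review bot: When the inner loop stops because elmcnt reached PVSCSI_MAX_SG_ELEM with `sg.resid` still zero, `chunk_size` is 0, nothing is added, and the outer loop then ends with data_length unconsumed, so the SG list is silently truncated and the void function gives the caller no indication. A guest that trips the limit should at least be logged, e.g. after the outer loop `if (data_length) { qemu_log_mask(LOG_GUEST_ERROR, "pvscsi: SG list exceeds %d elements\n", PVSCSI_MAX_SG_ELEM); }`, and the new constant wants a comment: `/* upper bound on SG element fetches per request; stops guest-supplied chains of zero-length elements */`. Note that `elmcnt++` is evaluated only while `!sg.resid` holds, so it counts element fetches rather than chunks. How data_length is decremented lies outside the hunk, so the post-loop test should be checked against that code.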
35
0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
@ -0,0 +1,35 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 14 Sep 2016 15:09:12 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
|
||||
|
||||
Vmware Paravirtual SCSI emulator while processing IO requests
|
||||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
||||
always returned positive value. Limit IO loop to the ring size.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index babac5a..a5ce7de 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -247,8 +247,11 @@ static hwaddr
|
||||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
||||
{
|
||||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
||||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
||||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
|
||||
- if (ready_ptr != mgr->consumed_ptr) {
|
||||
+ if (ready_ptr != mgr->consumed_ptr
|
||||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
||||
uint32_t next_ready_ptr =
|
||||
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
||||
uint32_t next_ready_page =
|
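Review bot: `ring_size` is derived from the compile-time maximum (PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE) rather than from the ring the guest actually configured, so the walk is bounded but a guest with a smaller ring can still push reqProdIdx far past its own ring before the check rejects it. If `mgr->txr_len_mask`, used two lines below, is size - 1 as that use suggests, `uint32_t ring_size = mgr->txr_len_mask + 1;` gives the tight bound. Either way the condition needs a comment, e.g. `/* reqProdIdx is guest-written: cap the producer/consumer distance so a bogus index cannot keep this returning descriptors forever (unsigned wrap makes a lagging index fail too) */`. The enclosing function continues beyond the hunk.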
42
0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
@ -0,0 +1,42 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 8 Sep 2016 18:15:54 +0530
|
||||
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
|
||||
|
||||
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
|
||||
the computed BITMAP and PIXMAP size are checked against the
|
||||
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
|
||||
Correct these checks to avoid OOB memory access.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
|
||||
---
|
||||
hw/display/vmware_vga.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index e51a05e..6599cf0 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
cursor.bpp = vmsvga_fifo_read(s);
|
||||
|
||||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||
- if (cursor.width > 256 ||
|
||||
- cursor.height > 256 ||
|
||||
- cursor.bpp > 32 ||
|
||||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||
+ if (cursor.width > 256
|
||||
+ || cursor.height > 256
|
||||
+ || cursor.bpp > 32
|
||||
+ || SVGA_BITMAP_SIZE(x, y)
|
||||
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
||||
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
||||
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
||||
goto badcmd;
|
||||
}
|
||||
|
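Review bot: The corrected bounds compare `SVGA_BITMAP_SIZE(x, y)` and `SVGA_PIXMAP_SIZE(x, y, cursor.bpp)` against element counts, so the fix holds only if both macros return counts in the arrays' element unit (they are summed into `args` on the line above, which suggests FIFO words — to be confirmed); write that down next to the check: `/* SVGA_*_SIZE yield counts in cursor.mask/cursor.image element units, not bytes */`. QEMU's ARRAY_SIZE() says the same thing more clearly than the hand-written division: `|| SVGA_BITMAP_SIZE(x, y) > ARRAY_SIZE(cursor.mask)` and `|| SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > ARRAY_SIZE(cursor.image)`. `args` is also computed from guest-supplied x/y before the width/height limits apply; if it is consumed anywhere before this check (the rest of vmsvga_fifo_run is outside the hunk), that sum would need its own guard.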
33
0005-scsi-mptconfig-fix-an-assert-expression.patch
@ -0,0 +1,33 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 17:36:07 +0530
|
||||
Subject: [PATCH] scsi: mptconfig: fix an assert expression
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, mptsas_config_pack() should assert that the size
|
||||
fits in a byte. However, the size is expressed in 32-bit
|
||||
units, so up to 1020 bytes fit. The assertion was only
|
||||
allowing replies up to 252 bytes, so fix it.
|
||||
|
||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 7071854..3e4f400 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
||||
va_end(ap);
|
||||
|
||||
if (data) {
|
||||
- assert(ret < 256 && (ret % 4) == 0);
|
||||
+ assert(ret / 4 < 256 && (ret % 4) == 0);
|
||||
stb_p(*data + 1, ret / 4);
|
||||
}
|
||||
return ret;
|
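Review bot: `assert(ret / 4 < 256 && (ret % 4) == 0)` encodes two header constraints without naming them, and the fix only becomes clear once the reader reaches `stb_p(*data + 1, ret / 4)` on the next line. A comment makes it self-explaining: `/* byte 1 of the page header is a u8 length in 32-bit words, so ret must be a multiple of 4 and below 1024 bytes */`. Because the size comes from the caller's format string rather than from the guest, an assert is the right tool here, provided asserts stay compiled in for this tree. mptsas_config_pack continues outside the hunk.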
37
0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
@ -0,0 +1,37 @@
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 29 Aug 2016 11:35:37 +0200
|
||||
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
|
||||
|
||||
These issues cause respectively a QEMU crash and a leak of 2 bytes of
|
||||
stack. They were discovered by VictorV of 360 Marvel Team.
|
||||
|
||||
Reported-by: Tom Victor <i-tangtianwen@360.cm>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
|
||||
---
|
||||
hw/scsi/mptconfig.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 3e4f400..87a416a 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
||||
{
|
||||
/* VPD - all zeros */
|
||||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
||||
- "s256");
|
||||
+ "*s256");
|
||||
}
|
||||
|
||||
static
|
||||
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
|
||||
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
|
||||
"*l*lwwb*b*b*blww",
|
||||
pcic->vendor_id, pcic->device_id, pcic->revision,
|
||||
- pcic->subsystem_vendor_id,
|
||||
+ pcic->class_id, pcic->subsystem_vendor_id,
|
||||
pcic->subsystem_id);
|
||||
}
|
||||
|
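Review bot: The second hunk's defect — a missing vararg for the `l` directive in `"*l*lwwb*b*b*blww"` — is exactly the mismatch the compiler cannot diagnose for a custom format, and the corrected call still gives a reader no way to verify it. Put the mapping beside the format: `/* *l *l: 2 reserved dwords; w w: vendor_id, device_id; b: revision; *b *b *b: reserved; l: class_id; w w: subsystem_vendor_id, subsystem_id */` (assuming `*` marks a zero-filled field that consumes no argument, as the first hunk's `"*s256"` change indicates). The existing `/* VPD - all zeros */` above mptsas_config_manufacturing_1 could likewise note that the leading `*` is what makes the 256-byte field argument-less.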
29
0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
@ -0,0 +1,29 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 13 Sep 2016 03:20:03 -0700
|
||||
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
|
||||
|
||||
If the xhci uses msix, it doesn't free the corresponding
|
||||
memory, thus leading a memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 188f954..281a2a5 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
||||
/* destroy msix memory region */
|
||||
if (dev->msix_table && dev->msix_pba
|
||||
&& dev->msix_entry_used) {
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
||||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
||||
}
|
||||
|
||||
usb_bus_release(&xhci->bus);
|
@ -0,0 +1,32 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 12 Sep 2016 18:14:11 +0530
|
||||
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
|
||||
|
||||
When processing IO request in mptsas, it uses g_new to allocate
|
||||
a 'req' object. If an error occurs before 'req->sreq' is
|
||||
allocated, It could lead to an OOB write in mptsas_free_request
|
||||
function. Use g_new0 to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
|
||||
---
|
||||
hw/scsi/mptsas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 0e0a22f..eaae1bb 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
||||
goto bad;
|
||||
}
|
||||
|
||||
- req = g_new(MPTSASRequest, 1);
|
||||
+ req = g_new0(MPTSASRequest, 1);
|
||||
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
||||
req->scsi_io = *scsi_io;
|
||||
req->dev = s;
|
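Review bot: The fix is right but the dependency it creates is implicit: `req = g_new0(MPTSASRequest, 1)` is linked into `s->pending` on the very next line, before `req->scsi_io`, `req->dev` and (per the commit message) `req->sreq` are set, so any error path that frees the request via the pending list relies on the zeroed `sreq` being NULL. State that at the allocation: `/* zero-initialised: an error before sreq is set reaches mptsas_free_request with sreq == NULL */`. If the list insertion can instead follow the field assignments (the remaining ones are outside the hunk), the window disappears altogether.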
35
0009-virtio-add-check-for-descriptor-s-mapped-address.patch
@ -0,0 +1,35 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 19 Sep 2016 23:55:45 +0530
|
||||
Subject: [PATCH] virtio: add check for descriptor's mapped address
|
||||
|
||||
virtio back end uses set of buffers to facilitate I/O operations.
|
||||
If its size is too large, 'cpu_physical_memory_map' could return
|
||||
a null address. This would result in a null dereference while
|
||||
un-mapping descriptors. Add check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
|
||||
---
|
||||
hw/virtio/virtio.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 74c085c..eabe573 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
}
|
||||
|
||||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
||||
+ if (!iov[num_sg].iov_base) {
|
||||
+ error_report("virtio: bogus descriptor or out of resources");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
iov[num_sg].iov_len = len;
|
||||
addr[num_sg] = pa;
|
||||
|
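Review bot: `exit(1)` on `cpu_physical_memory_map()` returning NULL turns a guest-controllable descriptor (a bogus address or oversized buffer, per the message) into termination of the whole VM, and the already-mapped entries `iov[0..num_sg)` are not unmapped first. That is a deliberate safety-over-availability trade, so say so at the site: `/* guest-triggerable but not recoverable here: a NULL iov_base would be dereferenced on unmap, so stop rather than continue with a torn iov */`. If this tree offers a per-device error path that marks the device broken instead of exiting, it would confine the impact to the offending virtio device; otherwise the comment is the minimum. virtqueue_map_desc continues outside the hunk.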
49
0010-net-mcf-limit-buffer-descriptor-count.patch
@ -0,0 +1,49 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 22 Sep 2016 16:02:37 +0530
|
||||
Subject: [PATCH] net: mcf: limit buffer descriptor count
|
||||
|
||||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
|
||||
---
|
||||
hw/net/mcf_fec.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 0ee8ad9..d31fea1 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
||||
#define DPRINTF(fmt, ...) do {} while(0)
|
||||
#endif
|
||||
|
||||
+#define FEC_MAX_DESC 1024
|
||||
#define FEC_MAX_FRAME_SIZE 2032
|
||||
|
||||
typedef struct {
|
||||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
uint32_t addr;
|
||||
mcf_fec_bd bd;
|
||||
int frame_size;
|
||||
- int len;
|
||||
+ int len, descnt = 0;
|
||||
uint8_t frame[FEC_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr;
|
||||
|
||||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
ptr = frame;
|
||||
frame_size = 0;
|
||||
addr = s->tx_descriptor;
|
||||
- while (1) {
|
||||
+ while (descnt++ < FEC_MAX_DESC) {
|
||||
mcf_fec_read_bd(&bd, addr);
|
||||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
|
||||
addr, bd.flags, bd.length, bd.data);
|
@ -0,0 +1,65 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 10 Oct 2016 12:46:22 +0200
|
||||
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
|
||||
|
||||
Needed to avoid we run in circles forever in case the guest builds
|
||||
an endless loop with link trbs.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Tested-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 281a2a5..8a9a31a 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -54,6 +54,8 @@
|
||||
* to the specs when it gets them */
|
||||
#define ER_FULL_HACK
|
||||
|
||||
+#define TRB_LINK_LIMIT 4
|
||||
+
|
||||
#define LEN_CAP 0x40
|
||||
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
|
||||
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
|
||||
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
dma_addr_t *addr)
|
||||
{
|
||||
PCIDevice *pci_dev = PCI_DEVICE(xhci);
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
ring->dequeue += TRB_SIZE;
|
||||
return type;
|
||||
} else {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return 0;
|
||||
+ }
|
||||
ring->dequeue = xhci_mask64(trb->parameter);
|
||||
if (trb->control & TRB_LK_TC) {
|
||||
ring->ccs = !ring->ccs;
|
||||
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
bool ccs = ring->ccs;
|
||||
/* hack to bundle together the two/three TDs that make a setup transfer */
|
||||
bool control_td_set = 0;
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
type = TRB_TYPE(trb);
|
||||
|
||||
if (type == TR_LINK) {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return -length;
|
||||
+ }
|
||||
dequeue = xhci_mask64(trb.parameter);
|
||||
if (trb.control & TRB_LK_TC) {
|
||||
ccs = !ccs;
|
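Review bot: In xhci_ring_chain_length `link_cnt` is never reset, so TRB_LINK_LIMIT counts link TRBs over the whole chain walk rather than per consecutive run of links; a walk that crosses more than four link TRBs, which a guest with a multi-segment ring may legitimately build, is rejected with `return -length` even though each link is followed by real TRBs. If only back-to-back links are the concern, reset the counter where a non-link TRB is consumed (that branch is outside the hunk), e.g. `link_cnt = 0;` at the top of the non-link case; xhci_ring_fetch does not have this problem because it returns at the first non-link TRB. `return 0` in xhci_ring_fetch relies on 0 being a value callers treat as "nothing fetched" — if TRBType has a named zero member, return it by name. `#define TRB_LINK_LIMIT 4` should say why four is enough.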
29
0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
@ -0,0 +1,29 @@
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sun, 18 Sep 2016 19:48:35 -0700
|
||||
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
|
||||
|
||||
While processing isochronous transfer descriptors(iTD), if the page
|
||||
select(PG) field value is out of bands it will return. In this
|
||||
situation the ehci's sg list is not freed thus leading to a memory
|
||||
leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
||||
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index b093db7..f4ece9a 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
if (off + len > 4096) {
|
||||
/* transfer crosses page border */
|
||||
if (pg == 6) {
|
||||
+ qemu_sglist_destroy(&ehci->isgl);
|
||||
return -1; /* avoid page pg + 1 */
|
||||
}
|
||||
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
@ -0,0 +1,50 @@
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Mon, 10 Oct 2016 12:45:13 +0200
|
||||
Subject: [PATCH] usb-redir: allocate buffers before waking up the host adapter
|
||||
|
||||
Needed to make sure usb redirection is prepared to actually handle the
|
||||
callback from the usb host adapter. Without this interrupt endpoints
|
||||
don't work on xhci.
|
||||
|
||||
Note: On ehci the usb_wakeup() call only schedules a BH for the actual
|
||||
work, which hides this bug because the allocation happens before ehci
|
||||
calls back even without this patch.
|
||||
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
Message-id: 1476096313-7730-1-git-send-email-kraxel@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit d5c42857d6b0c35028897df8dfc3749eba6f6de3)
|
||||
---
|
||||
hw/usb/redirect.c | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
||||
index 444672a..d4ca026 100644
|
||||
--- a/hw/usb/redirect.c
|
||||
+++ b/hw/usb/redirect.c
|
||||
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,
|
||||
}
|
||||
|
||||
if (ep & USB_DIR_IN) {
|
||||
+ bool q_was_empty;
|
||||
+
|
||||
if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
|
||||
DPRINTF("received int packet while not started ep %02X\n", ep);
|
||||
free(data);
|
||||
return;
|
||||
}
|
||||
|
||||
- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
|
||||
- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
||||
- }
|
||||
+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
|
||||
|
||||
/* bufp_alloc also adds the packet to the ep queue */
|
||||
bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
|
||||
+
|
||||
+ if (q_was_empty) {
|
||||
+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
||||
+ }
|
||||
} else {
|
||||
/*
|
||||
* We report output interrupt packets as completed directly upon
|
@ -1,29 +0,0 @@
|
||||
diff -up qemu-2.7.0/hw/usb/redirect.c~ qemu-2.7.0/hw/usb/redirect.c
|
||||
--- qemu-2.7.0/hw/usb/redirect.c~ 2016-09-02 17:34:20.000000000 +0200
|
||||
+++ qemu-2.7.0/hw/usb/redirect.c 2016-10-10 09:18:35.319562664 +0200
|
||||
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(vo
|
||||
}
|
||||
|
||||
if (ep & USB_DIR_IN) {
|
||||
+ bool q_was_empty;
|
||||
+
|
||||
if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
|
||||
DPRINTF("received int packet while not started ep %02X\n", ep);
|
||||
free(data);
|
||||
return;
|
||||
}
|
||||
|
||||
- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
|
||||
- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
||||
- }
|
||||
+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
|
||||
|
||||
/* bufp_alloc also adds the packet to the ep queue */
|
||||
bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
|
||||
+
|
||||
+ if (q_was_empty) {
|
||||
+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
|
||||
+ }
|
||||
} else {
|
||||
/*
|
||||
* We report output interrupt packets as completed directly upon
|
44
qemu.spec
@ -68,7 +68,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.7.0
|
||||
Release: 3%{?rcrel}%{?dist}
|
||||
Release: 4%{?rcrel}%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
@ -100,7 +100,33 @@ Source20: kvm.conf
|
||||
# /etc/sysctl.d/50-kvm-s390x.conf
|
||||
Source21: 50-kvm-s390x.conf
|
||||
|
||||
Patch1: qemu-2.7.0-usb-redirect-wakeup.patch
|
||||
# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
|
||||
Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||
Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
|
||||
# #1373480)
|
||||
Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
|
||||
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||
Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||
# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
|
||||
Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
|
||||
Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
|
||||
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||
Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||
# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
|
||||
Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
|
||||
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
|
||||
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||
# Fix interrupt endpoints not working with network/spice USB redirection on
|
||||
# guest with an emulated xhci controller (bz #1382331)
|
||||
Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
||||
|
||||
# documentation deps
|
||||
BuildRequires: texi2html
|
||||
@ -1565,6 +1591,20 @@ getent passwd qemu >/dev/null || \
|
||||
|
||||
|
||||
%changelog
|
||||
* Sat Oct 15 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-4
|
||||
- CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
|
||||
- CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||
- CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
|
||||
#1373480)
|
||||
- CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||
- CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
|
||||
- CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||
- CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
|
||||
- CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||
- CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||
- CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||
- CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||
|
||||
* Mon Oct 10 2016 Hans de Goede <hdegoede@redhat.com> - 2:2.7.0-3
|
||||
- Fix interrupt endpoints not working with network/spice USB redirection
|
||||
on guest with an emulated xhci controller (rhbz#1382331)
|
||||
|
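Review bot: `Patch0002` and `Patch0003` are both labelled `CVE-2016-7156 ... (bz #1373480)` although they fix two different loops (the SG-list walk and the IO processing loop), and the changelog and commit message repeat the duplication; confirm whether the second patch really shares that advisory and bug before the identifiers ship in %changelog. `Patch1: qemu-2.7.0-usb-redirect-wakeup.patch` still appears while that file is deleted in this commit and its content returns as Patch0013; if that line is not on the removed side of this hunk, rpmbuild will not find the source. Once the old line is gone the two numbering schemes (Patch1 vs Patch0001…) should not coexist.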