CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization (bz #1157647, bz #1157641)

CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
2014-10-29 15:58:32 -04:00 · 2014-10-29 15:58:32 -04:00 · 725f84b743
parent 145f8dccfa
commit 725f84b743
15 changed files with 393 additions and 9 deletions
--- a/0001-loader-Add-load_image_gzipped-function.patch
+++ b/0001-loader-Add-load_image_gzipped-function.patch
@ -1,4 +1,3 @@
-From 6665e04d68d58a93d75a51a0840534f3a0ad2402 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Tue, 19 Aug 2014 18:56:28 +0100
 Subject: [PATCH] loader: Add load_image_gzipped function.
--- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
+++ b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
@ -1,4 +1,3 @@
-From f06e2812a6813c8c93fee50bd8beb5ae5d8cb871 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Tue, 19 Aug 2014 18:56:28 +0100
 Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed
--- a/0003-block.curl-adding-timeout-option.patch
+++ b/0003-block.curl-adding-timeout-option.patch
@ -1,4 +1,3 @@
-From 5331434dbb2a1959a8a8d153fd4553ae434cc464 Mon Sep 17 00:00:00 2001
 From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
 Date: Wed, 13 Aug 2014 12:44:27 -0300
 Subject: [PATCH] block.curl: adding 'timeout' option
--- a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
+++ b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
@ -1,4 +1,3 @@
-From 4b3a1a47188c5df308d51048a8a0de630c45d12c Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Fri, 29 Aug 2014 16:03:12 +0100
 Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https
--- a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
+++ b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
@ -1,4 +1,3 @@
-From a1fd2da51b26f549d63000d3a81fbb70d7c40f4e Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Thu, 28 Aug 2014 09:04:21 +0100
 Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll.
--- a/0006-virtio-pci-enable-bus-master-for-old-guests.patch
+++ b/0006-virtio-pci-enable-bus-master-for-old-guests.patch
@ -1,4 +1,3 @@
-From a9862ff2c205aa289b62abcb7ddd03c7630f5c7a Mon Sep 17 00:00:00 2001
 From: "Michael S. Tsirkin" <mst@redhat.com>
 Date: Thu, 11 Sep 2014 18:45:33 +0200
 Subject: [PATCH] virtio-pci: enable bus master for old guests
--- a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch
+++ b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch
@ -1,4 +1,3 @@
-From 2c8d6826ebaf1bf846edd213f8fe8f95c0c300cb Mon Sep 17 00:00:00 2001
 From: "Michael S. Tsirkin" <mst@redhat.com>
 Date: Thu, 11 Sep 2014 18:34:29 +0300
 Subject: [PATCH] virtio-pci: fix migration for pci bus master
--- a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
+++ b/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
@ -1,4 +1,3 @@
-From 9d8b817bfe327873c009fa4621c0308e7f3bc5de Mon Sep 17 00:00:00 2001
 From: "Michael S. Tsirkin" <mst@redhat.com>
 Date: Mon, 29 Sep 2014 11:27:32 +0300
 Subject: [PATCH] Revert "virtio-pci: fix migration for pci bus master"
--- a/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
+++ b/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
@ -0,0 +1,45 @@
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+
+This is CVE-2014-7815.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+[ kraxel: apply codestyle fix ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
+---
+ ui/vnc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index f8d9b7d..87e34ae 100644
+--- a/ui/vnc.c
+++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+         return;
+     }
+ 
+    switch (bits_per_pixel) {
+    case 8:
+    case 16:
+    case 32:
+        break;
+    default:
+        vnc_client_error(vs);
+        return;
+    }
+
+     vs->client_pf.rmax = red_max;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
--- a/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
+++ b/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
@ -0,0 +1,34 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:06 +0100
+Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel
+
+Quick & easy stopgap for CVE-2014-3689:  We just compile out the
+hardware acceleration functions which lack sanity checks.  Thankfully
+we have capability bits for them (SVGA_CAP_RECT_COPY and
+SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
+
+Subsequent patches will add the missing checks and re-enable the
+hardware acceleration emulation.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 591b645..4a4229b 100644
+--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
+@@ -29,8 +29,10 @@
+ #include "hw/pci/pci.h"
+ 
+ #undef VERBOSE
+#if 0
+ #define HW_RECT_ACCEL
+ #define HW_FILL_ACCEL
+#endif
+ #define HW_MOUSE_ACCEL
+ 
+ #include "vga_int.h"
--- a/0011-vmware-vga-add-vmsvga_verify_rect.patch
+++ b/0011-vmware-vga-add-vmsvga_verify_rect.patch
@ -0,0 +1,79 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:07 +0100
+Subject: [PATCH] vmware-vga: add vmsvga_verify_rect
+
+Add verification function for rectangles, returning
+true if verification passes and false otherwise.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 4a4229b..f0e487f 100644
+--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
+@@ -294,8 +294,59 @@ enum {
+     SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
+ };
+ 
+static inline bool vmsvga_verify_rect(DisplaySurface *surface,
+                                      const char *name,
+                                      int x, int y, int w, int h)
+{
+    if (x < 0) {
+        fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
+        return false;
+    }
+    if (x > SVGA_MAX_WIDTH) {
+        fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
+        return false;
+    }
+    if (w < 0) {
+        fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
+        return false;
+    }
+    if (w > SVGA_MAX_WIDTH) {
+        fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
+        return false;
+    }
+    if (x + w > surface_width(surface)) {
+        fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
+                name, surface_width(surface), x, w);
+        return false;
+    }
+
+    if (y < 0) {
+        fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
+        return false;
+    }
+    if (y > SVGA_MAX_HEIGHT) {
+        fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
+        return false;
+    }
+    if (h < 0) {
+        fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
+        return false;
+    }
+    if (h > SVGA_MAX_HEIGHT) {
+        fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
+        return false;
+    }
+    if (y + h > surface_height(surface)) {
+        fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
+                name, surface_height(surface), y, h);
+        return false;
+    }
+
+    return true;
+}
+
+ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+-                int x, int y, int w, int h)
+                                      int x, int y, int w, int h)
+ {
+     DisplaySurface *surface = qemu_console_surface(s->vga.con);
+     int line;
--- a/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
+++ b/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
@ -0,0 +1,61 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:08 +0100
+Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
+
+Switch vmsvga_update_rect over to use vmsvga_verify_rect.  Slight change
+in behavior:  We don't try to automatically fixup rectangles any more.
+In case we find invalid update requests we'll do a full-screen update
+instead.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 32 ++++----------------------------
+ 1 file changed, 4 insertions(+), 28 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index f0e487f..718746e 100644
+--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
+@@ -356,36 +356,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+     uint8_t *src;
+     uint8_t *dst;
+ 
+-    if (x < 0) {
+-        fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
+-        w += x;
+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+        /* go for a fullscreen update as fallback */
+         x = 0;
+-    }
+-    if (w < 0) {
+-        fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
+-        w = 0;
+-    }
+-    if (x + w > surface_width(surface)) {
+-        fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
+-                __func__, x, w);
+-        x = MIN(x, surface_width(surface));
+-        w = surface_width(surface) - x;
+-    }
+-
+-    if (y < 0) {
+-        fprintf(stderr, "%s: update y was < 0 (%d)\n",  __func__, y);
+-        h += y;
+         y = 0;
+-    }
+-    if (h < 0) {
+-        fprintf(stderr, "%s: update h was < 0 (%d)\n",  __func__, h);
+-        h = 0;
+-    }
+-    if (y + h > surface_height(surface)) {
+-        fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
+-                __func__, y, h);
+-        y = MIN(y, surface_height(surface));
+-        h = surface_height(surface) - y;
+        w = surface_width(surface);
+        h = surface_height(surface);
+     }
+ 
+     bypl = surface_stride(surface);
--- a/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
+++ b/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
@ -0,0 +1,75 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:09 +0100
+Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
+
+Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 718746e..c2e0a43 100644
+--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
+@@ -29,8 +29,8 @@
+ #include "hw/pci/pci.h"
+ 
+ #undef VERBOSE
+-#if 0
+ #define HW_RECT_ACCEL
+#if 0
+ #define HW_FILL_ACCEL
+ #endif
+ #define HW_MOUSE_ACCEL
+@@ -406,7 +406,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
+ }
+ 
+ #ifdef HW_RECT_ACCEL
+-static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
+                 int x0, int y0, int x1, int y1, int w, int h)
+ {
+     DisplaySurface *surface = qemu_console_surface(s->vga.con);
+@@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+     int line = h;
+     uint8_t *ptr[2];
+ 
+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
+        return -1;
+    }
+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
+        return -1;
+    }
+
+     if (y1 > y0) {
+         ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
+         ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
+@@ -432,6 +439,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+     }
+ 
+     vmsvga_update_rect_delayed(s, x1, y1, w, h);
+    return 0;
+ }
+ #endif
+ 
+@@ -625,12 +633,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+             width = vmsvga_fifo_read(s);
+             height = vmsvga_fifo_read(s);
+ #ifdef HW_RECT_ACCEL
+-            vmsvga_copy_rect(s, x, y, dx, dy, width, height);
+-            break;
+-#else
+            if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
+                break;
+            }
+#endif
+             args = 0;
+             goto badcmd;
+-#endif
+ 
+         case SVGA_CMD_DEFINE_CURSOR:
+             len -= 8;
--- a/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
+++ b/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
@ -0,0 +1,72 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:10 +0100
+Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
+
+Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index c2e0a43..d44e3e8 100644
+--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
+@@ -30,9 +30,7 @@
+ 
+ #undef VERBOSE
+ #define HW_RECT_ACCEL
+-#if 0
+ #define HW_FILL_ACCEL
+-#endif
+ #define HW_MOUSE_ACCEL
+ 
+ #include "vga_int.h"
+@@ -444,7 +442,7 @@ static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
+ #endif
+ 
+ #ifdef HW_FILL_ACCEL
+-static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
+static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
+                 uint32_t c, int x, int y, int w, int h)
+ {
+     DisplaySurface *surface = qemu_console_surface(s->vga.con);
+@@ -457,6 +455,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
+     uint8_t *src;
+     uint8_t col[4];
+ 
+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+        return -1;
+    }
+
+     col[0] = c;
+     col[1] = c >> 8;
+     col[2] = c >> 16;
+@@ -481,6 +483,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
+     }
+ 
+     vmsvga_update_rect_delayed(s, x, y, w, h);
+    return 0;
+ }
+ #endif
+ 
+@@ -613,12 +616,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+             width = vmsvga_fifo_read(s);
+             height = vmsvga_fifo_read(s);
+ #ifdef HW_FILL_ACCEL
+-            vmsvga_fill_rect(s, colour, x, y, width, height);
+-            break;
+-#else
+            if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
+                break;
+            }
+#endif
+             args = 0;
+             goto badcmd;
+-#endif
+ 
+         case SVGA_CMD_RECT_COPY:
+             len -= 7;
--- a/qemu.spec
+++ b/qemu.spec
@ -152,7 +152,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.1.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@ -204,6 +204,16 @@ Patch0006: 0006-virtio-pci-enable-bus-master-for-old-guests.patch
 Patch0007: 0007-virtio-pci-fix-migration-for-pci-bus-master.patch
 # Fix PPC virtio regression (bz #1144490)
 Patch0008: 0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
+# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
+# sanitization (bz #1157647, bz #1157641)
+Patch0009: 0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
+# CVE-2014-3689 vmware_vga: insufficient parameter validation in
+# rectangle functions (bz #1153038, bz #1153035)
+Patch0010: 0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
+Patch0011: 0011-vmware-vga-add-vmsvga_verify_rect.patch
+Patch0012: 0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
+Patch0013: 0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
+Patch0014: 0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch

 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@ -742,6 +752,16 @@ CAC emulation development files.
 %patch0007 -p1
 # Fix PPC virtio regression (bz #1144490)
 %patch0008 -p1
+# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
+# sanitization (bz #1157647, bz #1157641)
+%patch0009 -p1
+# CVE-2014-3689 vmware_vga: insufficient parameter validation in
+# rectangle functions (bz #1153038, bz #1153035)
+%patch0010 -p1
+%patch0011 -p1
+%patch0012 -p1
+%patch0013 -p1
+%patch0014 -p1


 %build
@ -1521,6 +1541,12 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Wed Oct 29 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.2-6
+- CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization
+  (bz #1157647, bz #1157641)
+- CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle
+  functions (bz #1153038, bz #1153035)
+
 * Fri Oct 24 2014 Danel P. Berrange <berrange@redhat.com> - 2:2.1.2-5
 - Fix dep on numactl-devel to be build time not install time