Fix virtio 9p thread pool usage

CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309) Re-add dist tag
2016-01-09 12:35:08 -05:00 · 2016-01-09 12:35:08 -05:00 · 78f4db5d1d
commit 78f4db5d1d
parent 2a77992272
3 changed files with 61 additions and 11 deletions
--- a/0001-virtio-9p-use-accessor-to-get-thread_pool.patch
+++ b/0001-virtio-9p-use-accessor-to-get-thread_pool.patch
@ -1,6 +1,6 @@
 From: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Date: Wed, 23 Dec 2015 10:56:58 +0100
 Subject: [PATCH] virtio-9p: use accessor to get thread_pool
-Date: Sun, 20 Dec 2015 12:19:05 +0100

 The aio_context_new() function does not allocate a thread pool. This is
 deferred to the first call to the aio_get_thread_pool() accessor. It is
@ -8,16 +8,17 @@ hence forbidden to access the thread_pool field directly, as it may be
 NULL. The accessor *must* be used always.

 Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
-Cc: qemu-stable@nongnu.org
 Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
 Tested-by: Michael Tokarev <mjt@tls.msk.ru>
+Cc: qemu-stable@nongnu.org
 Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
-
- hw/9pfs/virtio-9p-coth.c |    2 +-
+(cherry picked from commit 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6)
+---
+ hw/9pfs/virtio-9p-coth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
-index fb6e8f80e0f4..ab9425c60fd2 100644
+index fb6e8f8..ab9425c 100644
 --- a/hw/9pfs/virtio-9p-coth.c
 +++ b/hw/9pfs/virtio-9p-coth.c
@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
@ -28,7 +29,3 @@ index fb6e8f80e0f4..ab9425c60fd2 100644
 +    thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
                            coroutine_enter_func, co, coroutine_enter_cb, co);
 }
-
-
-
-
--- a/0002-ehci-make-idt-processing-more-robust.patch
+++ b/0002-ehci-make-idt-processing-more-robust.patch
@ -0,0 +1,45 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 14 Dec 2015 09:21:23 +0100
+Subject: [PATCH] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction.  That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Tested-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..d07f228 100644
+--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+     USBDevice *dev;
+     USBEndpoint *ep;
+-    uint32_t i, len, pid, dir, devaddr, endp;
+    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+     uint32_t pg, off, ptr1, ptr2, max, mult;
+ 
+     ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+                 ehci_raise_irq(ehci, USBSTS_INT);
+             }
+             itd->transact[i] &= ~ITD_XACT_ACTIVE;
+            xfers++;
+         }
+     }
+-    return 0;
+    return xfers ? 0 : -1;
+ }
+ 
+ 
--- a/qemu.spec
+++ b/qemu.spec
@ -40,7 +40,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.5.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@ -71,7 +71,10 @@ Source13: qemu-kvm.sh
 # For modprobe.d
 Source20: kvm.conf

-Patch0001: 0001-virtio-9p-use-accessor-to-get-thread-pool.patch
+# Fix virtio 9p thread pool usage
+Patch0001: 0001-virtio-9p-use-accessor-to-get-thread_pool.patch
+# CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
+Patch0002: 0002-ehci-make-idt-processing-more-robust.patch

 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@ -1166,6 +1169,11 @@ getent passwd qemu >/dev/null || \


 %changelog
+* Sat Jan 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.5.0-3
+- Fix virtio 9p thread pool usage
+- CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
+- Re-add dist tag
+
 * Thu Jan 7 2016 Paolo Bonzini <pbonzini@redhat.com> - 2:2.5.0-2
 - add /etc/modprobe.d/kvm.conf
 - add 0001-virtio-9p-use-accessor-to-get-thread-pool.patch