rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix virtio 9p thread pool usage

Browse Source 
CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
Re-add dist tag
This commit is contained in:
Cole Robinson 2016-01-09 12:35:08 -05:00
parent 2a77992272
commit 78f4db5d1d
3 changed files with 61 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
0001-virtio-9p-use-accessor-to-get-thread-pool.patch → 0001-virtio-9p-use-accessor-to-get-thread_pool.patch
View File

@ -1,6 +1,6 @@
From: Greg Kurz <gkurz@linux.vnet.ibm.com> From: Greg Kurz <gkurz@linux.vnet.ibm.com>
Date: Wed, 23 Dec 2015 10:56:58 +0100
Subject: [PATCH] virtio-9p: use accessor to get thread_pool Subject: [PATCH] virtio-9p: use accessor to get thread_pool
Date: Sun, 20 Dec 2015 12:19:05 +0100
The aio_context_new() function does not allocate a thread pool. This is The aio_context_new() function does not allocate a thread pool. This is
deferred to the first call to the aio_get_thread_pool() accessor. It is deferred to the first call to the aio_get_thread_pool() accessor. It is
@ -8,16 +8,17 @@ hence forbidden to access the thread_pool field directly, as it may be
NULL. The accessor *must* be used always. NULL. The accessor *must* be used always.
Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Michael Tokarev <mjt@tls.msk.ru> Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Cc: qemu-stable@nongnu.org
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com> Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
(cherry picked from commit 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6)
hw/9pfs/virtio-9p-coth.c | 2 +- ---
hw/9pfs/virtio-9p-coth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
index fb6e8f80e0f4..ab9425c60fd2 100644 index fb6e8f8..ab9425c 100644
--- a/hw/9pfs/virtio-9p-coth.c --- a/hw/9pfs/virtio-9p-coth.c
+++ b/hw/9pfs/virtio-9p-coth.c +++ b/hw/9pfs/virtio-9p-coth.c
@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg) @@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
@ -28,7 +29,3 @@ index fb6e8f80e0f4..ab9425c60fd2 100644
+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()), + thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
coroutine_enter_func, co, coroutine_enter_cb, co); coroutine_enter_func, co, coroutine_enter_cb, co);
} }

45
0002-ehci-make-idt-processing-more-robust.patch Normal file
View File

@ -0,0 +1,45 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 14 Dec 2015 09:21:23 +0100
Subject: [PATCH] ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.
This is CVE-2015-8558.
Cc: qemu-stable@nongnu.org
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
---
hw/usb/hcd-ehci.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 4e2161b..d07f228 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
{
USBDevice *dev;
USBEndpoint *ep;
- uint32_t i, len, pid, dir, devaddr, endp;
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
uint32_t pg, off, ptr1, ptr2, max, mult;
ehci->periodic_sched_active = PERIODIC_ACTIVE;
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
ehci_raise_irq(ehci, USBSTS_INT);
}
itd->transact[i] &= ~ITD_XACT_ACTIVE;
+ xfers++;
}
}
- return 0;
+ return xfers ? 0 : -1;
}

12
qemu.spec
View File

@ -40,7 +40,7 @@
Summary: QEMU is a FAST! processor emulator Summary: QEMU is a FAST! processor emulator
Name: qemu Name: qemu
Version: 2.5.0 Version: 2.5.0
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 2 Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools Group: Development/Tools
@ -71,7 +71,10 @@ Source13: qemu-kvm.sh
# For modprobe.d # For modprobe.d
Source20: kvm.conf Source20: kvm.conf
Patch0001: 0001-virtio-9p-use-accessor-to-get-thread-pool.patch # Fix virtio 9p thread pool usage
Patch0001: 0001-virtio-9p-use-accessor-to-get-thread_pool.patch
# CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
Patch0002: 0002-ehci-make-idt-processing-more-robust.patch
BuildRequires: SDL2-devel BuildRequires: SDL2-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
@ -1166,6 +1169,11 @@ getent passwd qemu >/dev/null || \
%changelog %changelog
* Sat Jan 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.5.0-3
- Fix virtio 9p thread pool usage
- CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
- Re-add dist tag
* Thu Jan 7 2016 Paolo Bonzini <pbonzini@redhat.com> - 2:2.5.0-2 * Thu Jan 7 2016 Paolo Bonzini <pbonzini@redhat.com> - 2:2.5.0-2
- add /etc/modprobe.d/kvm.conf - add /etc/modprobe.d/kvm.conf
- add 0001-virtio-9p-use-accessor-to-get-thread-pool.patch - add 0001-virtio-9p-use-accessor-to-get-thread-pool.patch