CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
CVE-2015-6855: ide: divide by zero issue (bz #1261793)
CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287)
parent c5e57685f9
commit cf8819083b
@ -1,7 +1,6 @@
From d233fc09d20fa24f6ee03f8505333d73f559eacf Mon Sep 17 00:00:00 2001
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Sun, 13 Sep 2015 23:03:44 +0200
Subject: [PATCH 1/2] target-ppc: fix vcipher, vcipherlast, vncipherlast and
Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and
vpermxor

For vector instructions, the helpers get pointers to the vector register
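Review bot: the hunk shrinks from 7 to 6 lines while the only visible rewrite is `Subject: [PATCH 1/2] ...` becoming `Subject: [PATCH] ...`, so the `From d233fc09d20fa24f6ee03f8505333d73f559eacf Mon Sep 17 00:00:00 2001` header is being dropped, and with it the only reference to the upstream commit. The other patches added in this commit record that with a `(cherry picked from commit ...)` trailer; consider adding the same trailer here (and in the 0003 patch, which loses its `From d539a02e...` line the same way) so the backport stays traceable when the package is rebased.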
@ -93,6 +92,3 @@ index 0a55d5e..b122868 100644
}

#undef VECTOR_FOR_INORDER_I
--
2.5.0
@ -1,7 +1,6 @@
From d539a02e18916c558985f26cf37af1e83851d9fd Mon Sep 17 00:00:00 2001
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Sun, 13 Sep 2015 23:03:45 +0200
Subject: [PATCH 2/2] target-ppc: fix xscmpodp and xscmpudp decoding
Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding

The xscmpodp and xscmpudp instructions only have the AX, BX bits in
there encoding, the lowest bit (usually TX) is marked as an invalid
@ -48,6 +47,3 @@ index 84c5cea..c0eed13 100644
GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),
--
2.5.0
@ -0,0 +1,35 @@
From: P J P <pjp@fedoraproject.org>
Date: Fri, 4 Sep 2015 17:21:06 +0100
Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
(CVE-2015-6815)

While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
---
hw/net/e1000.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 5c6bcd0..09c9e9d 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
memmove(tp->data, tp->header, tp->hdr_len);
tp->size = tp->hdr_len;
}
- } while (split_size -= bytes);
+ split_size -= bytes;
+ } while (bytes && split_size);
} else if (!tp->tse && tp->cptse) {
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentation error\n");
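Review bot: the new exit condition `} while (bytes && split_size);` stops the descriptor loop silently when the guest has forced `bytes` to 0 (hdr_len and mss both zero, per the commit message), so a malformed descriptor is now dropped with no trace. The adjacent `else if (!tp->tse && tp->cptse)` branch reports its malformed case with `DBGOUT(TXERR, ...)`; consider emitting a similar `DBGOUT(TXERR, ...)` on the `bytes == 0` exit so the condition is visible when debugging a guest driver, and add a one-line comment above the loop stating why `bytes` is part of the termination test, since the reason is not obvious from the code alone.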
141
0005-ide-fix-ATAPI-command-permissions.patch
Normal file
@ -0,0 +1,141 @@
From: John Snow <jsnow@redhat.com>
Date: Thu, 17 Sep 2015 14:17:05 -0400
Subject: [PATCH] ide: fix ATAPI command permissions

We're a little too lenient with what we'll let an ATAPI drive handle.
Clamp down on the IDE command execution table to remove CD_OK permissions
from commands that are not and have never been ATAPI commands.

For ATAPI command validity, please see:
- ATA4 Section 6.5 ("PACKET Command feature set")
- ATA8/ACS Section 4.3 ("The PACKET feature set")
- ACS3 Section 4.3 ("The PACKET feature set")

ACS3 has a historical command validity table in Table B.4
("Historical Command Assignments") that can be referenced to find when
a command was introduced, deprecated, obsoleted, etc.

The only reference for ATAPI command validity is by checking that
version's PACKET feature set section.

ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
therefore are assumed to have never been ATAPI commands.

Mandatory commands, as listed in ATA8-ACS3, are:

- DEVICE RESET
- EXECUTE DEVICE DIAGNOSTIC
- IDENTIFY DEVICE
- IDENTIFY PACKET DEVICE
- NOP
- PACKET
- READ SECTOR(S)
- SET FEATURES

Optional commands as listed in ATA8-ACS3, are:

- FLUSH CACHE
- READ LOG DMA EXT
- READ LOG EXT
- WRITE LOG DMA EXT
- WRITE LOG EXT

All other commands are illegal to send to an ATAPI device and should
be rejected by the device.

CD_OK removal justifications:

0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.

This patch fixes a divide by zero fault that can be caused by sending
the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
attempt to use zeroed CHS values to perform sector arithmetic.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
CC: qemu-stable@nongnu.org
(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
---
hw/ide/core.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 50449ca..71caea9 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1747,11 +1747,11 @@ static const struct {
} ide_cmd_table[0x100] = {
/* NOP not implemented, mandatory for CD */
[CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
[WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
[WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
[WIN_READ] = { cmd_read_pio, ALL_OK },
- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
[WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
[WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
[WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
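Review bot: the comment `/* NOP not implemented, mandatory for CD */` is left standing while the commit message lists NOP among the commands that are mandatory for ATAPI devices; this hunk only narrows `WIN_DSM` and `WIN_READ_ONCE` to `HD_CFA_OK`, which is correct, but a follow-up that adds a `CD_OK` NOP entry (`cmd_nop` already exists in this table) would close the gap the comment documents.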
@@ -1770,12 +1770,12 @@ static const struct {
[CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
[WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
[WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
[WIN_PACKETCMD] = { cmd_packet, CD_OK },
[WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
[WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
@@ -1789,19 +1789,19 @@ static const struct {
[WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
[WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
[CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
- [WIN_STANDBY] = { cmd_nop, ALL_OK },
- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
[WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
[WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
[WIN_IDENTIFY] = { cmd_identify, ALL_OK },
[WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
[IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
[CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
};

static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
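Review bot: switching `[WIN_READ_NATIVE_MAX]` to `HD_CFA_OK | SET_DSC` fixes the divide by zero only at the permission table, by keeping the command away from ATAPI drives before `cmd_read_native_max` runs; the arithmetic the commit message blames (`cmd_read_native_max` using zeroed CHS values) is not changed. Consider a defensive check in the sector-arithmetic path itself, rejecting zero heads or sectors per track, so that a future table edit or another caller cannot reintroduce the fault; and since `ide_cmd_permitted()` is now the single point that rejects these commands, a test that issues each opcode whose `CD_OK` was removed here to an ATAPI device and expects an abort would pin the behaviour.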
@ -0,0 +1,32 @@
From: P J P <pjp@fedoraproject.org>
Date: Tue, 15 Sep 2015 16:46:59 +0530
Subject: [PATCH] net: avoid infinite loop when receiving
packets(CVE-2015-5278)

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
---
hw/net/ne2000.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 3492db3..44a4264 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
if (index <= s->stop)
avail = s->stop - index;
else
- avail = 0;
+ break;
len = size;
if (len > avail)
len = avail;
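Review bot: replacing `avail = 0;` with `break;` ends the copy loop when `index > s->stop`, which removes the spin, but the remaining `size` bytes of the packet are then left uncopied and nothing in this hunk records the truncation or signals an error to the caller. Consider emitting debug output or returning an error from `ne2000_receive()` on this path rather than completing silently, and add a comment that this branch is a last-resort guard for an inconsistent ring (the ring pointer validation lives in the companion CVE-2015-5279 patch) so a later reader does not mistake it for normal wrap-around handling.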
@ -0,0 +1,67 @@
From: P J P <pjp@fedoraproject.org>
Date: Tue, 15 Sep 2015 16:40:49 +0530
Subject: [PATCH] net: add checks to validate ring buffer
pointers(CVE-2015-5279)

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
---
hw/net/ne2000.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 44a4264..2bdb4c9 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
}

index = s->curpag << 8;
+ if (index >= NE2000_PMEM_END) {
+ index = s->start;
+ }
/* 4 bytes for header */
total_len = size + 4;
/* address for next packet (4 bytes for CRC) */
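Review bot: the fallback `index = s->start;` quietly relocates the incoming packet to the start of the ring when `s->curpag << 8` is out of range, instead of dropping it; for an emulated device a silent relocation can hide a driver bug, so consider dropping the packet (return without writing) or at least logging it. The fallback also only helps if `s->start` itself is in range, which depends on the `EN0_STARTPG` check added in the next hunk, so it would be worth a comment here pointing at that dependency.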
@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
offset = addr | (page << 4);
switch(offset) {
case EN0_STARTPG:
- s->start = val << 8;
+ if (val << 8 <= NE2000_PMEM_END) {
+ s->start = val << 8;
+ }
break;
case EN0_STOPPG:
- s->stop = val << 8;
+ if (val << 8 <= NE2000_PMEM_END) {
+ s->stop = val << 8;
+ }
break;
case EN0_BOUNDARY:
- s->boundary = val;
+ if (val << 8 < NE2000_PMEM_END) {
+ s->boundary = val;
+ }
break;
case EN0_IMR:
s->imr = val;
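Review bot: the `EN0_STARTPG` check uses `val << 8 <= NE2000_PMEM_END` while `EN0_BOUNDARY` (and `EN1_CURPAG` in the next hunk) use `<`; `s->start` is an address that packets are written at (and the receive path's fallback sets `index = s->start`), so a start page equal to NE2000_PMEM_END passes this check yet lies just past the ring. `<=` is right for `s->stop`, which is an exclusive end, but `EN0_STARTPG` should probably use `<` as the boundary case does. Also consider writing the shift as `(val << 8) <= NE2000_PMEM_END`; precedence already makes it correct, but the parentheses spare the next reader a check, and a rejected write currently disappears silently, so a debug message would help diagnose a misbehaving driver.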
@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
s->phys[offset - EN1_PHYS] = val;
break;
case EN1_CURPAG:
- s->curpag = val;
+ if (val << 8 < NE2000_PMEM_END) {
+ s->curpag = val;
+ }
break;
case EN1_MULT ... EN1_MULT + 7:
s->mult[offset - EN1_MULT] = val;
25
qemu.spec
@ -40,7 +40,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.4.0
Release: 3%{?dist}
Release: 4%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -71,10 +71,19 @@ Source13: qemu-kvm.sh
# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
# (bz #1255899)
Patch0001: 0001-vnc-fix-memory-corruption-CVE-2015-5225.patch

# Fix emulation of various instructions, required by libm in F22 ppc64 guests.
Patch0002: 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
Patch0003: 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
# Fix emulation of various instructions, required by libm in F22 ppc64
# guests.
Patch0002: 0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
Patch0003: 0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
Patch0004: 0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
# CVE-2015-6855: ide: divide by zero issue (bz #1261793)
Patch0005: 0005-ide-fix-ATAPI-command-permissions.patch
# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
Patch0006: 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz
# #1263287)
Patch0007: 0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch

BuildRequires: SDL2-devel
BuildRequires: zlib-devel
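Review bot: the context lines `# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface` and `Patch0001: 0001-vnc-fix-memory-corruption-CVE-2015-5225.patch` disagree on the CVE number (5255 versus 5225); this hunk does not touch them, but since it rewrites the comment block immediately after, it is the natural place to check the id against bz #1255899 and make the comment and the file name agree.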
@ -1207,6 +1216,12 @@ getent passwd qemu >/dev/null || \


%changelog
* Mon Sep 21 2015 Cole Robinson <crobinso@redhat.com> - 2:2.4.0-4
- CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
- CVE-2015-6855: ide: divide by zero issue (bz #1261793)
- CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
- CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287)

* Sun Sep 20 2015 Richard W.M. Jones <rjones@redhat.com> - 2:2.4.0-3
- Fix emulation of various instructions, required by libm in F22 ppc64 guests.
