From cf8819083b589a21198683d5a7c7065226df0bd2 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Mon, 21 Sep 2015 18:01:46 -0400 Subject: [PATCH] CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) --- ...cipher-vcipherlast-vncipherlast-and-.patch | 6 +- ...c-fix-xscmpodp-and-xscmpudp-decoding.patch | 6 +- ...nite-loop-in-processing-transmit-des.patch | 35 +++++ 0005-ide-fix-ATAPI-command-permissions.patch | 141 ++++++++++++++++++ ...te-loop-when-receiving-packets-CVE-2.patch | 32 ++++ ...o-validate-ring-buffer-pointers-CVE-.patch | 67 +++++++++ qemu.spec | 25 +++- 7 files changed, 297 insertions(+), 15 deletions(-) rename 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch => 0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch (94%) rename 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch => 0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch (93%) create mode 100644 0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch create mode 100644 0005-ide-fix-ATAPI-command-permissions.patch create mode 100644 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch create mode 100644 0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch diff --git a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch similarity index 94% rename from 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch rename to 0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch index 2b099a4..9401ea7 100644 --- a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch +++ b/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch @@ -1,7 +1,6 @@ -From d233fc09d20fa24f6ee03f8505333d73f559eacf Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Sun, 13 Sep 2015 23:03:44 +0200 -Subject: [PATCH 1/2] target-ppc: fix vcipher, vcipherlast, vncipherlast and +Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and vpermxor For vector instructions, the helpers get pointers to the vector register @@ -93,6 +92,3 @@ index 0a55d5e..b122868 100644 } #undef VECTOR_FOR_INORDER_I --- -2.5.0 - diff --git a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch similarity index 93% rename from 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch rename to 0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch index 94e7b83..2d2f370 100644 --- a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +++ b/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch @@ -1,7 +1,6 @@ -From d539a02e18916c558985f26cf37af1e83851d9fd Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Sun, 13 Sep 2015 23:03:45 +0200 -Subject: [PATCH 2/2] target-ppc: fix xscmpodp and xscmpudp decoding +Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding The xscmpodp and xscmpudp instructions only have the AX, BX bits in there encoding, the lowest bit (usually TX) is marked as an invalid @@ -48,6 +47,3 @@ index 84c5cea..c0eed13 100644 GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX), GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX), GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX), --- -2.5.0 - diff --git a/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch b/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch new file mode 100644 index 0000000..9e77105 --- /dev/null +++ b/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch @@ -0,0 +1,35 @@ +From: P J P +Date: Fri, 4 Sep 2015 17:21:06 +0100 +Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor + (CVE-2015-6815) + +While processing transmit descriptors, it could lead to an infinite +loop if 'bytes' was to become zero; Add a check to avoid it. + +[The guest can force 'bytes' to 0 by setting the hdr_len and mss +descriptor fields to 0. +--Stefan] + +Signed-off-by: P J P +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Thomas Huth +Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com +(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7) +--- + hw/net/e1000.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index 5c6bcd0..09c9e9d 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + memmove(tp->data, tp->header, tp->hdr_len); + tp->size = tp->hdr_len; + } +- } while (split_size -= bytes); ++ split_size -= bytes; ++ } while (bytes && split_size); + } else if (!tp->tse && tp->cptse) { + // context descriptor TSE is not set, while data descriptor TSE is set + DBGOUT(TXERR, "TCP segmentation error\n"); diff --git a/0005-ide-fix-ATAPI-command-permissions.patch b/0005-ide-fix-ATAPI-command-permissions.patch new file mode 100644 index 0000000..7afc084 --- /dev/null +++ b/0005-ide-fix-ATAPI-command-permissions.patch @@ -0,0 +1,141 @@ +From: John Snow +Date: Thu, 17 Sep 2015 14:17:05 -0400 +Subject: [PATCH] ide: fix ATAPI command permissions + +We're a little too lenient with what we'll let an ATAPI drive handle. +Clamp down on the IDE command execution table to remove CD_OK permissions +from commands that are not and have never been ATAPI commands. + +For ATAPI command validity, please see: +- ATA4 Section 6.5 ("PACKET Command feature set") +- ATA8/ACS Section 4.3 ("The PACKET feature set") +- ACS3 Section 4.3 ("The PACKET feature set") + +ACS3 has a historical command validity table in Table B.4 +("Historical Command Assignments") that can be referenced to find when +a command was introduced, deprecated, obsoleted, etc. + +The only reference for ATAPI command validity is by checking that +version's PACKET feature set section. + +ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4 +therefore are assumed to have never been ATAPI commands. + +Mandatory commands, as listed in ATA8-ACS3, are: + +- DEVICE RESET +- EXECUTE DEVICE DIAGNOSTIC +- IDENTIFY DEVICE +- IDENTIFY PACKET DEVICE +- NOP +- PACKET +- READ SECTOR(S) +- SET FEATURES + +Optional commands as listed in ATA8-ACS3, are: + +- FLUSH CACHE +- READ LOG DMA EXT +- READ LOG EXT +- WRITE LOG DMA EXT +- WRITE LOG EXT + +All other commands are illegal to send to an ATAPI device and should +be rejected by the device. + +CD_OK removal justifications: + +0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI. +0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4. +0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI. +0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI. +0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI. +0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI. +0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI. +0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI. +0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3. +0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3. +0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3. +0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS. + +This patch fixes a divide by zero fault that can be caused by sending +the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to +attempt to use zeroed CHS values to perform sector arithmetic. + +Reported-by: Qinghao Tang +Signed-off-by: John Snow +Reviewed-by: Markus Armbruster +Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com +CC: qemu-stable@nongnu.org +(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a) +--- + hw/ide/core.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index 50449ca..71caea9 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -1747,11 +1747,11 @@ static const struct { + } ide_cmd_table[0x100] = { + /* NOP not implemented, mandatory for CD */ + [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK }, +- [WIN_DSM] = { cmd_data_set_management, ALL_OK }, ++ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK }, + [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK }, + [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC}, + [WIN_READ] = { cmd_read_pio, ALL_OK }, +- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK }, ++ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK }, + [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, +@@ -1770,12 +1770,12 @@ static const struct { + [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK }, + [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK }, + [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC }, +- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY2] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE2] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK }, + [WIN_PACKETCMD] = { cmd_packet, CD_OK }, + [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK }, + [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC }, +@@ -1789,19 +1789,19 @@ static const struct { + [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK }, + [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK }, + [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK }, +- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE1] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK }, + [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK }, + [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK }, + [WIN_IDENTIFY] = { cmd_identify, ALL_OK }, + [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC }, + [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC }, + [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC }, +- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC }, ++ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, + }; + + static bool ide_cmd_permitted(IDEState *s, uint32_t cmd) diff --git a/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch b/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch new file mode 100644 index 0000000..c1f70ca --- /dev/null +++ b/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch @@ -0,0 +1,32 @@ +From: P J P +Date: Tue, 15 Sep 2015 16:46:59 +0530 +Subject: [PATCH] net: avoid infinite loop when receiving + packets(CVE-2015-5278) + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. While receiving packets +via ne2000_receive() routine, a local 'index' variable +could exceed the ring buffer size, leading to an infinite +loop situation. + +Reported-by: Qinghao Tang +Signed-off-by: P J P +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943) +--- + hw/net/ne2000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 3492db3..44a4264 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + if (index <= s->stop) + avail = s->stop - index; + else +- avail = 0; ++ break; + len = size; + if (len > avail) + len = avail; diff --git a/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch b/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch new file mode 100644 index 0000000..d197a7e --- /dev/null +++ b/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch @@ -0,0 +1,67 @@ +From: P J P +Date: Tue, 15 Sep 2015 16:40:49 +0530 +Subject: [PATCH] net: add checks to validate ring buffer + pointers(CVE-2015-5279) + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. While receiving packets +via ne2000_receive() routine, a local 'index' variable +could exceed the ring buffer size, which could lead to a +memory buffer overflow. Added other checks at initialisation. + +Reported-by: Qinghao Tang +Signed-off-by: P J P +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4) +--- + hw/net/ne2000.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 44a4264..2bdb4c9 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + } + + index = s->curpag << 8; ++ if (index >= NE2000_PMEM_END) { ++ index = s->start; ++ } + /* 4 bytes for header */ + total_len = size + 4; + /* address for next packet (4 bytes for CRC) */ +@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) + offset = addr | (page << 4); + switch(offset) { + case EN0_STARTPG: +- s->start = val << 8; ++ if (val << 8 <= NE2000_PMEM_END) { ++ s->start = val << 8; ++ } + break; + case EN0_STOPPG: +- s->stop = val << 8; ++ if (val << 8 <= NE2000_PMEM_END) { ++ s->stop = val << 8; ++ } + break; + case EN0_BOUNDARY: +- s->boundary = val; ++ if (val << 8 < NE2000_PMEM_END) { ++ s->boundary = val; ++ } + break; + case EN0_IMR: + s->imr = val; +@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) + s->phys[offset - EN1_PHYS] = val; + break; + case EN1_CURPAG: +- s->curpag = val; ++ if (val << 8 < NE2000_PMEM_END) { ++ s->curpag = val; ++ } + break; + case EN1_MULT ... EN1_MULT + 7: + s->mult[offset - EN1_MULT] = val; diff --git a/qemu.spec b/qemu.spec index 1e7d1f8..33b84e6 100644 --- a/qemu.spec +++ b/qemu.spec @@ -40,7 +40,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.4.0 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -71,10 +71,19 @@ Source13: qemu-kvm.sh # CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface # (bz #1255899) Patch0001: 0001-vnc-fix-memory-corruption-CVE-2015-5225.patch - -# Fix emulation of various instructions, required by libm in F22 ppc64 guests. -Patch0002: 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch -Patch0003: 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +# Fix emulation of various instructions, required by libm in F22 ppc64 +# guests. +Patch0002: 0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch +Patch0003: 0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) +Patch0004: 0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch +# CVE-2015-6855: ide: divide by zero issue (bz #1261793) +Patch0005: 0005-ide-fix-ATAPI-command-permissions.patch +# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) +Patch0006: 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch +# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz +# #1263287) +Patch0007: 0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -1207,6 +1216,12 @@ getent passwd qemu >/dev/null || \ %changelog +* Mon Sep 21 2015 Cole Robinson - 2:2.4.0-4 +- CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) +- CVE-2015-6855: ide: divide by zero issue (bz #1261793) +- CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) +- CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) + * Sun Sep 20 2015 Richard W.M. Jones - 2:2.4.0-3 - Fix emulation of various instructions, required by libm in F22 ppc64 guests.