a0f61528af
CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) Infinite loop vulnerability in a9_gtimer_update (bz #1388300) CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285)
72 lines
2.4 KiB
Diff
72 lines
2.4 KiB
Diff
From: Jan Beulich <JBeulich@suse.com>
|
|
Date: Tue, 22 Nov 2016 05:56:51 -0700
|
|
Subject: [PATCH] xen: fix ioreq handling
|
|
|
|
Avoid double fetches and bounds check size to avoid overflowing
|
|
internal variables.
|
|
|
|
This is CVE-2016-9381 / XSA-197.
|
|
|
|
Reported-by: yanghongke <yanghongke@huawei.com>
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
|
|
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
|
|
(cherry picked from commit b85f9dfdb156ae2a2a52f39a36e9f1f270614cd2)
|
|
---
|
|
xen-hvm.c | 16 +++++++++++++++-
|
|
1 file changed, 15 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/xen-hvm.c b/xen-hvm.c
|
|
index 2f348ed..097007d 100644
|
|
--- a/xen-hvm.c
|
|
+++ b/xen-hvm.c
|
|
@@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
|
|
trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr,
|
|
req->data, req->count, req->size);
|
|
|
|
+ if (req->size > sizeof(uint32_t)) {
|
|
+ hw_error("PIO: bad size (%u)", req->size);
|
|
+ }
|
|
+
|
|
if (req->dir == IOREQ_READ) {
|
|
if (!req->data_is_ptr) {
|
|
req->data = do_inp(req->addr, req->size);
|
|
@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req)
|
|
trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr,
|
|
req->data, req->count, req->size);
|
|
|
|
+ if (req->size > sizeof(req->data)) {
|
|
+ hw_error("MMIO: bad size (%u)", req->size);
|
|
+ }
|
|
+
|
|
if (!req->data_is_ptr) {
|
|
if (req->dir == IOREQ_READ) {
|
|
for (i = 0; i < req->count; i++) {
|
|
@@ -1010,11 +1018,13 @@ static int handle_buffered_iopage(XenIOState *state)
|
|
req.df = 1;
|
|
req.type = buf_req->type;
|
|
req.data_is_ptr = 0;
|
|
+ xen_rmb();
|
|
qw = (req.size == 8);
|
|
if (qw) {
|
|
buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
|
|
IOREQ_BUFFER_SLOT_NUM];
|
|
req.data |= ((uint64_t)buf_req->data) << 32;
|
|
+ xen_rmb();
|
|
}
|
|
|
|
handle_ioreq(state, &req);
|
|
@@ -1045,7 +1055,11 @@ static void cpu_handle_ioreq(void *opaque)
|
|
|
|
handle_buffered_iopage(state);
|
|
if (req) {
|
|
- handle_ioreq(state, req);
|
|
+ ioreq_t copy = *req;
|
|
+
|
|
+ xen_rmb();
|
|
+ handle_ioreq(state, ©);
|
|
+ req->data = copy.data;
|
|
|
|
if (req->state != STATE_IOREQ_INPROCESS) {
|
|
fprintf(stderr, "Badness in I/O request ... not in service?!: "
|