[pve-devel] [PATCH kvm 1/2] fix various CVEs
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Aug 1 14:18:38 CEST 2016
applied both patches
On Tue, Jul 26, 2016 at 11:51:37AM +0200, Thomas Lamprecht wrote:
> For upstream commits 926cde5f3e4d2504ed161ed0 and
> cc96677469388bad3d664793 is no CVE number assigned yet.
>
> Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> ---
> Readded CVE CVE-2016-2391 and CVE-2016-5126
>
> patch 0001-vga-add-sr_vbe-register-set.patch is only moved in the series file
> to match the commit order of the git branches
>
>
> ...ke-cmdbuf-big-enough-for-maximum-CDB-size.patch | 88 ++++++++++++++++++++++
> .../extra/0002-scsi-esp-fix-migration.patch | 58 ++++++++++++++
> ...6-2391-usb-ohci-avoid-multiple-eof-timers.patch | 43 +++++++++++
> debian/patches/series | 6 +-
> 4 files changed, 194 insertions(+), 1 deletion(-)
> create mode 100644 debian/patches/extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
> create mode 100644 debian/patches/extra/0002-scsi-esp-fix-migration.patch
> create mode 100644 debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
>
> diff --git a/debian/patches/extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch b/debian/patches/extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
> new file mode 100644
> index 0000000..5beeb50
> --- /dev/null
> +++ b/debian/patches/extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
> @@ -0,0 +1,88 @@
> +From 0988f56451a246d5b72484e0c6dd37fe1bd69d12 Mon Sep 17 00:00:00 2001
> +From: Prasad J Pandit <pjp at fedoraproject.org>
> +Date: Thu, 16 Jun 2016 00:22:35 +0200
> +Subject: [PATCH 1/2] scsi: esp: make cmdbuf big enough for maximum CDB size
> +
> +While doing DMA read into ESP command buffer 's->cmdbuf', it could
> +write past the 's->cmdbuf' area, if it was transferring more than 16
> +bytes. Increase the command buffer size to 32, which is maximum when
> +'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
> +
> +Reported-by: Li Qiang <liqiang6-s at 360.cn>
> +Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
> +Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> +
> +Conflicts:
> + hw/scsi/esp.c
> +commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec
> +scsi: esp: check TI buffer index before read/write
> +
> +added additional control variables to ESPState as ti_size
> +wasn't enough, we thus ran in a conflict here, use only
> +ti_size for now as conflict resolution.
> +
> +Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> +---
> + hw/scsi/esp.c | 10 ++++++++--
> + include/hw/scsi/esp.h | 3 ++-
> + 2 files changed, 10 insertions(+), 3 deletions(-)
> +
> +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
> +index 8961be2..e533522 100644
> +--- a/hw/scsi/esp.c
> ++++ b/hw/scsi/esp.c
> +@@ -243,6 +243,8 @@ static void esp_do_dma(ESPState *s)
> + len = s->dma_left;
> + if (s->do_cmd) {
> + trace_esp_do_dma(s->cmdlen, len);
> ++ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
> ++ len <= sizeof(s->cmdbuf) - s->cmdlen);
> + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
> + s->ti_size = 0;
> + s->cmdlen = 0;
> +@@ -342,7 +344,7 @@ static void handle_ti(ESPState *s)
> + s->dma_counter = dmalen;
> +
> + if (s->do_cmd)
> +- minlen = (dmalen < 32) ? dmalen : 32;
> ++ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
> + else if (s->ti_size < 0)
> + minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
> + else
> +@@ -448,7 +450,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
> + break;
> + case ESP_FIFO:
> + if (s->do_cmd) {
> +- s->cmdbuf[s->cmdlen++] = val & 0xff;
> ++ if (s->cmdlen < ESP_CMDBUF_SZ) {
> ++ s->cmdbuf[s->cmdlen++] = val & 0xff;
> ++ } else {
> ++ trace_esp_error_fifo_overrun();
> ++ }
> + } else if (s->ti_size == TI_BUFSZ - 1) {
> + trace_esp_error_fifo_overrun();
> + } else {
> +diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
> +index 6c79527..d2c4886 100644
> +--- a/include/hw/scsi/esp.h
> ++++ b/include/hw/scsi/esp.h
> +@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
> +
> + #define ESP_REGS 16
> + #define TI_BUFSZ 16
> ++#define ESP_CMDBUF_SZ 32
> +
> + typedef struct ESPState ESPState;
> +
> +@@ -31,7 +32,7 @@ struct ESPState {
> + SCSIBus bus;
> + SCSIDevice *current_dev;
> + SCSIRequest *current_req;
> +- uint8_t cmdbuf[TI_BUFSZ];
> ++ uint8_t cmdbuf[ESP_CMDBUF_SZ];
> + uint32_t cmdlen;
> + uint32_t do_cmd;
> +
> +--
> +2.1.4
> +
> diff --git a/debian/patches/extra/0002-scsi-esp-fix-migration.patch b/debian/patches/extra/0002-scsi-esp-fix-migration.patch
> new file mode 100644
> index 0000000..0ddaed0
> --- /dev/null
> +++ b/debian/patches/extra/0002-scsi-esp-fix-migration.patch
> @@ -0,0 +1,58 @@
> +From 10cf6bf50d000a1b0dad1d5f2b931d1d1b1ff7f3 Mon Sep 17 00:00:00 2001
> +From: Paolo Bonzini <pbonzini at redhat.com>
> +Date: Mon, 20 Jun 2016 16:32:39 +0200
> +Subject: [PATCH 2/2] scsi: esp: fix migration
> +
> +Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
> +2016-06-16) changed the size of a migrated field. Split it in two
> +parts, and only migrate the second part in a new vmstate version.
> +
> +Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> +---
> + hw/scsi/esp.c | 5 +++--
> + include/migration/vmstate.h | 5 ++++-
> + 2 files changed, 7 insertions(+), 3 deletions(-)
> +
> +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
> +index e533522..8cff94b 100644
> +--- a/hw/scsi/esp.c
> ++++ b/hw/scsi/esp.c
> +@@ -573,7 +573,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
> +
> + const VMStateDescription vmstate_esp = {
> + .name ="esp",
> +- .version_id = 3,
> ++ .version_id = 4,
> + .minimum_version_id = 3,
> + .fields = (VMStateField[]) {
> + VMSTATE_BUFFER(rregs, ESPState),
> +@@ -584,7 +584,8 @@ const VMStateDescription vmstate_esp = {
> + VMSTATE_BUFFER(ti_buf, ESPState),
> + VMSTATE_UINT32(status, ESPState),
> + VMSTATE_UINT32(dma, ESPState),
> +- VMSTATE_BUFFER(cmdbuf, ESPState),
> ++ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
> ++ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
> + VMSTATE_UINT32(cmdlen, ESPState),
> + VMSTATE_UINT32(do_cmd, ESPState),
> + VMSTATE_UINT32(dma_left, ESPState),
> +diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
> +index 84ee355..853a2bd 100644
> +--- a/include/migration/vmstate.h
> ++++ b/include/migration/vmstate.h
> +@@ -888,8 +888,11 @@ extern const VMStateInfo vmstate_info_bitmap;
> + #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \
> + VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
> +
> ++#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
> ++ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
> ++
> + #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
> +- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
> ++ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
> +
> + #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \
> + VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)
> +--
> +2.1.4
> +
> diff --git a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
> new file mode 100644
> index 0000000..c02218a
> --- /dev/null
> +++ b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
> @@ -0,0 +1,43 @@
> +From a0dad3b2a4841f70f96145a2f60ffd04e5d584ad Mon Sep 17 00:00:00 2001
> +From: Prasad J Pandit <pjp at fedoraproject.org>
> +Date: Tue, 16 Feb 2016 15:34:14 +0530
> +Subject: [PATCH] usb: ohci avoid multiple eof timers
> +
> +When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
> +state, it creates an eof timer object in 'ohci_bus_start'.
> +It does not check if one already exists. This results in memory
> +leakage and null dereference issue. Add a check to avoid it.
> +
> +Reported-by: Zuozhi Fzz <zuozhi.fzz at alibaba-inc.com>
> +Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
> +
> +Conflicts:
> + hw/usb/hcd-ohci.c
> +---
> + hw/usb/hcd-ohci.c | 10 ++++++++++
> + 1 file changed, 10 insertions(+)
> +
> +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
> +index ffab561..ccd5ac4 100644
> +--- a/hw/usb/hcd-ohci.c
> ++++ b/hw/usb/hcd-ohci.c
> +@@ -1348,6 +1348,16 @@ static void ohci_frame_boundary(void *opaque)
> + */
> + static int ohci_bus_start(OHCIState *ohci)
> + {
> ++ if (!ohci->eof_timer) {
> ++ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
> ++ ohci_frame_boundary, ohci);
> ++ }
> ++ if (!ohci->eof_timer) {
> ++ trace_usb_ohci_bus_eof_timer_failed(ohci->name);
> ++ ohci_die(ohci);
> ++ return 0;
> ++ }
> ++
> + trace_usb_ohci_start(ohci->name);
> +
> + /* Delay the first SOF event by one frame time as
> +--
> +2.1.4
> +
> diff --git a/debian/patches/series b/debian/patches/series
> index 3614309..6618324 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -53,8 +53,8 @@ pve/0052-vnc-refactor-to-QIOChannelSocket.patch
> pve/0053-vma-use-BlockBackend-on-extract.patch
> #see https://bugs.launchpad.net/qemu/+bug/1488363?comments=all
> extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
> +extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
> extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
> -extra/0001-vga-add-sr_vbe-register-set.patch
> extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
> extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
> extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
> @@ -63,3 +63,7 @@ extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
> extra/0005-vmsvga-add-more-fifo-checks.patch
> extra/0006-vmsvga-shadow-fifo-registers.patch
> extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
> +extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
> +extra/0001-vga-add-sr_vbe-register-set.patch
> +extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
> +extra/0002-scsi-esp-fix-migration.patch
> --
> 2.1.4
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
More information about the pve-devel
mailing list