[pve-devel] [PATCH kvm 3/4] various CVE fixes
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Aug 22 13:24:36 CEST 2016
CVE-2016-6833: net: vmxnet3: check for device_active before write
CVE-2016-6834: net: check fragment length during fragmentation
CVE-2016-6835: net: vmxnet: check IP header length
CVE-2016-6836: net: vmxnet: initialise local tx descriptor
CVE-2016-6888: net: vmxnet: use g_new for pkt initialisation
---
...heck-fragment-length-during-fragmentation.patch | 36 ++++++++++++++++++++
...net3-check-for-device_active-before-write.patch | 36 ++++++++++++++++++++
...t-vmxnet-use-g_new-for-pkt-initialisation.patch | 38 ++++++++++++++++++++++
.../0004-net-vmxnet-check-IP-header-length.patch | 34 +++++++++++++++++++
...net-vmxnet-initialise-local-tx-descriptor.patch | 31 ++++++++++++++++++
debian/patches/series | 5 +++
6 files changed, 180 insertions(+)
create mode 100644 debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
create mode 100644 debian/patches/extra/0002-net-vmxnet3-check-for-device_active-before-write.patch
create mode 100644 debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
create mode 100644 debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
create mode 100644 debian/patches/extra/0005-net-vmxnet-initialise-local-tx-descriptor.patch
diff --git a/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch b/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
new file mode 100644
index 0000000..5e54bec
--- /dev/null
+++ b/debian/patches/extra/0001-net-check-fragment-length-during-fragmentation.patch
@@ -0,0 +1,36 @@
+From 24a01bab4aa431b79e201c1e2d0ac552a41114bc Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 4 Aug 2016 13:00:14 +0530
+Subject: [PATCH 1/5] net: check fragment length during fragmentation
+
+Network transport abstraction layer supports packet fragmentation.
+While fragmenting a packet, it checks for more fragments from
+packet length and current fragment length. It is susceptible
+to an infinite loop, if the current fragment length is zero.
+Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Reviewed-by: Dmitry Fleytman <dmitry at daynix.com>
+CC: qemu-stable at nongnu.org
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index 91e1e08..f4d0f5f 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -544,7 +544,7 @@ static bool vmxnet_tx_pkt_do_sw_fragmentation(struct VmxnetTxPkt *pkt,
+
+ fragment_offset += fragment_len;
+
+- } while (more_frags);
++ } while (fragment_len && more_frags);
+
+ return true;
+ }
+--
+2.1.4
+
diff --git a/debian/patches/extra/0002-net-vmxnet3-check-for-device_active-before-write.patch b/debian/patches/extra/0002-net-vmxnet3-check-for-device_active-before-write.patch
new file mode 100644
index 0000000..7b1060d
--- /dev/null
+++ b/debian/patches/extra/0002-net-vmxnet3-check-for-device_active-before-write.patch
@@ -0,0 +1,36 @@
+From 89636d45af75c102a7b893d8cc34a51be76e88b5 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Mon, 8 Aug 2016 18:08:31 +0530
+Subject: [PATCH 2/5] net: vmxnet3: check for device_active before write
+
+Vmxnet3 device emulator does not check if the device is active,
+before using it for write. It leads to a use after free issue,
+if the vmxnet3_io_bar0_write routine is called after the device is
+deactivated. Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Acked-by: Dmitry Fleytman <dmitry at daynix.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet3.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 20f26b7..a6ce16e 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1158,6 +1158,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
+ {
+ VMXNET3State *s = opaque;
+
++ if (!s->device_active) {
++ return;
++ }
++
+ if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
+ VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
+ int tx_queue_idx =
+--
+2.1.4
+
diff --git a/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch b/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
new file mode 100644
index 0000000..67083f2
--- /dev/null
+++ b/debian/patches/extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
@@ -0,0 +1,38 @@
+From c2f17c0e4754b5140fb79371dc8cb7973ff5d1b0 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 16 Aug 2016 16:58:01 +0530
+Subject: [PATCH 3/5] net: vmxnet: use g_new for pkt initialisation
+
+When network transport abstraction layer initialises pkt, the maximum
+fragmentation count is not checked. This could lead to an integer
+overflow causing a NULL pointer dereference. Replace g_malloc() with
+g_new() to catch the multiplication overflow.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Acked-by: Dmitry Fleytman <dmitry at daynix.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet_tx_pkt.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index f4d0f5f..9152444 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -60,10 +60,9 @@ void vmxnet_tx_pkt_init(struct VmxnetTxPkt **pkt, uint32_t max_frags,
+ {
+ struct VmxnetTxPkt *p = g_malloc0(sizeof *p);
+
+- p->vec = g_malloc((sizeof *p->vec) *
+- (max_frags + VMXNET_TX_PKT_PL_START_FRAG));
++ p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG);
+
+- p->raw = g_malloc((sizeof *p->raw) * max_frags);
++ p->raw = g_new(struct iovec, max_frags);
+
+ p->max_payload_frags = max_frags;
+ p->max_raw_frags = max_frags;
+--
+2.1.4
+
diff --git a/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch b/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
new file mode 100644
index 0000000..a1a1c70
--- /dev/null
+++ b/debian/patches/extra/0004-net-vmxnet-check-IP-header-length.patch
@@ -0,0 +1,34 @@
+From 1f2c8a260b6f1c87cefa7459baff7e203316f7b6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <address at hidden>
+Date: Tue, 9 Aug 2016 16:49:47 +0530
+Subject: [PATCH 4/5] net: vmxnet: check IP header length
+
+Vmxnet3 device emulator when parsing packet headers does not check
+for IP header length. It could lead to a OOB access when reading
+further packet data. Add check to avoid it.
+
+Reported-by: Li Qiang <address at hidden>
+Signed-off-by: Prasad J Pandit <address at hidden>
+---
+ hw/net/vmxnet_tx_pkt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index 9152444..849826b 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -177,6 +177,11 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
+ }
+
+ l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);
++ if(l3_hdr->iov_len < sizeof(struct ip_header))
++ {
++ l3_hdr->iov_len = 0;
++ return false;
++ }
+ pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p;
+
+ /* copy optional IPv4 header data */
+--
+2.1.4
+
diff --git a/debian/patches/extra/0005-net-vmxnet-initialise-local-tx-descriptor.patch b/debian/patches/extra/0005-net-vmxnet-initialise-local-tx-descriptor.patch
new file mode 100644
index 0000000..7459d26
--- /dev/null
+++ b/debian/patches/extra/0005-net-vmxnet-initialise-local-tx-descriptor.patch
@@ -0,0 +1,31 @@
+From 4fa993ee1f127eee2862f1779565aea0b760647a Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Thu, 11 Aug 2016 00:42:20 +0530
+Subject: [PATCH 5/5] net: vmxnet: initialise local tx descriptor
+
+In Vmxnet3 device emulator while processing transmit(tx) queue,
+when it reaches end of packet, it calls vmxnet3_complete_packet.
+In that local 'txcq_descr' object is not initialised, which could
+leak host memory bytes a guest.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/net/vmxnet3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index a6ce16e..360290d 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -529,6 +529,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
+
+ VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
+
++ memset(&txcq_descr, 0, sizeof(txcq_descr));
+ txcq_descr.txdIdx = tx_ridx;
+ txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
+
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index d039f9b..8aeddda 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -57,3 +57,8 @@ pve/0055-enable-cache-unsafe-for-vma-extract_content-and-qmp_.patch
extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
extra/0002-scsi-esp-fix-migration.patch
extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
+extra/0001-net-check-fragment-length-during-fragmentation.patch
+extra/0002-net-vmxnet3-check-for-device_active-before-write.patch
+extra/0003-net-vmxnet-use-g_new-for-pkt-initialisation.patch
+extra/0004-net-vmxnet-check-IP-header-length.patch
+extra/0005-net-vmxnet-initialise-local-tx-descriptor.patch
--
2.1.4
More information about the pve-devel
mailing list