[pve-devel] [stable-3 kvm] various fixes
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Aug 22 16:05:58 CEST 2016
CVE-2016-5337: scsi: megasas: null terminate bios version buffer
CVE-2016-5338: scsi: esp: check TI buffer index before read/write
CVE-2016-6833: net: vmxnet3: check for device_active before write
CVE-2016-6834: net: check fragment length during fragmentation
CVE-2016-6835: net: vmxnet: check IP header length
CVE-2016-6836: net: vmxnet: initialise local tx descriptor
CVE-2016-6888: net: vmxnet: use g_new for pkt initialisation
---
...egasas-null-terminate-bios-version-buffer.patch | 34 ++++++++++
...p-check-TI-buffer-index-before-read-write.patch | 73 ++++++++++++++++++++++
...net3-check-for-device_active-before-write.patch | 36 +++++++++++
...heck-fragment-length-during-fragmentation.patch | 36 +++++++++++
...16-6835-net-vmxnet-check-IP-header-length.patch | 34 ++++++++++
...net-vmxnet-initialise-local-tx-descriptor.patch | 31 +++++++++
...t-vmxnet-use-g_new-for-pkt-initialisation.patch | 38 +++++++++++
debian/patches/series | 7 +++
8 files changed, 289 insertions(+)
create mode 100644 debian/patches/CVE-2016-5337-scsi-megasas-null-terminate-bios-version-buffer.patch
create mode 100644 debian/patches/CVE-2016-5338-scsi-esp-check-TI-buffer-index-before-read-write.patch
create mode 100644 debian/patches/CVE-2016-6833-net-vmxnet3-check-for-device_active-before-write.patch
create mode 100644 debian/patches/CVE-2016-6834-net-check-fragment-length-during-fragmentation.patch
create mode 100644 debian/patches/CVE-2016-6835-net-vmxnet-check-IP-header-length.patch
create mode 100644 debian/patches/CVE-2016-6836-net-vmxnet-initialise-local-tx-descriptor.patch
create mode 100644 debian/patches/CVE-2016-6888-net-vmxnet-use-g_new-for-pkt-initialisation.patch
diff --git a/debian/patches/CVE-2016-5337-scsi-megasas-null-terminate-bios-version-buffer.patch b/debian/patches/CVE-2016-5337-scsi-megasas-null-terminate-bios-version-buffer.patch
new file mode 100644
index 0000000..cde0779
--- /dev/null
+++ b/debian/patches/CVE-2016-5337-scsi-megasas-null-terminate-bios-version-buffer.patch
@@ -0,0 +1,34 @@
+From 407fb6fce916b8984b5fd288b4a97d61f014dc72 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Tue, 7 Jun 2016 16:44:03 +0530
+Subject: [PATCH] scsi: megasas: null terminate bios version buffer
+
+While reading information via 'megasas_ctrl_get_info' routine,
+a local bios version buffer isn't null terminated. Add the
+terminating null byte to avoid any OOB access.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
+Signed-off-by: Michael Roth <mdroth at linux.vnet.ibm.com>
+---
+ hw/scsi/megasas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index cc66d36..a9ffc32 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+
+ ptr = memory_region_get_ram_ptr(&pci_dev->rom);
+ memcpy(biosver, ptr + 0x41, 31);
++ biosver[31] = 0;
+ memcpy(info.image_component[1].name, "BIOS", 4);
+ memcpy(info.image_component[1].version, biosver,
+ strlen((const char *)biosver));
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-5338-scsi-esp-check-TI-buffer-index-before-read-write.patch b/debian/patches/CVE-2016-5338-scsi-esp-check-TI-buffer-index-before-read-write.patch
new file mode 100644
index 0000000..5678334
--- /dev/null
+++ b/debian/patches/CVE-2016-5338-scsi-esp-check-TI-buffer-index-before-read-write.patch
@@ -0,0 +1,73 @@
+From 236039b89da8cf0a82fe32e605c1d647a13820f0 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Mon, 6 Jun 2016 22:04:43 +0530
+Subject: [PATCH] scsi: esp: check TI buffer index before read/write
+
+The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
+FIFO buffers. One is used to handle commands and other is for
+information transfer. Three control variables 'ti_rptr',
+'ti_wptr' and 'ti_size' are used to control r/w access to the
+information transfer buffer ti_buf[TI_BUFSZ=16]. In that,
+
+'ti_rptr' is used as read index, where read occurs.
+'ti_wptr' is a write index, where write would occur.
+'ti_size' indicates total bytes to be read from the buffer.
+
+While reading/writing to this buffer, index could exceed its
+size. Add check to avoid OOB r/w access.
+
+Reported-by: Huawei PSIRT <psirt at huawei.com>
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Message-Id: <1465230883-22303-1-git-send-email-ppandit at redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry picked from commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec)
+Signed-off-by: Michael Roth <mdroth at linux.vnet.ibm.com>
+---
+ hw/scsi/esp.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index b4601ad..baa0a2c 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -402,19 +402,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr)
+ trace_esp_mem_readb(saddr, s->rregs[saddr]);
+ switch (saddr) {
+ case ESP_FIFO:
+- if (s->ti_size > 0) {
++ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
++ /* Data out. */
++ qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n");
++ s->rregs[ESP_FIFO] = 0;
++ esp_raise_irq(s);
++ } else if (s->ti_rptr < s->ti_wptr) {
+ s->ti_size--;
+- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
+- /* Data out. */
+- qemu_log_mask(LOG_UNIMP,
+- "esp: PIO data read not implemented\n");
+- s->rregs[ESP_FIFO] = 0;
+- } else {
+- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
+- }
++ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
+ esp_raise_irq(s);
+ }
+- if (s->ti_size == 0) {
++ if (s->ti_rptr == s->ti_wptr) {
+ s->ti_rptr = 0;
+ s->ti_wptr = 0;
+ }
+@@ -458,7 +456,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
+ } else {
+ trace_esp_error_fifo_overrun();
+ }
+- } else if (s->ti_size == TI_BUFSZ - 1) {
++ } else if (s->ti_wptr == TI_BUFSZ - 1) {
+ trace_esp_error_fifo_overrun();
+ } else {
+ s->ti_size++;
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-6833-net-vmxnet3-check-for-device_active-before-write.patch b/debian/patches/CVE-2016-6833-net-vmxnet3-check-for-device_active-before-write.patch
new file mode 100644
index 0000000..e7cb890
--- /dev/null
+++ b/debian/patches/CVE-2016-6833-net-vmxnet3-check-for-device_active-before-write.patch
@@ -0,0 +1,36 @@
+From 89636d45af75c102a7b893d8cc34a51be76e88b5 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Mon, 8 Aug 2016 18:08:31 +0530
+Subject: [PATCH] net: vmxnet3: check for device_active before write
+
+Vmxnet3 device emulator does not check if the device is active,
+before using it for write. It leads to a use after free issue,
+if the vmxnet3_io_bar0_write routine is called after the device is
+deactivated. Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Acked-by: Dmitry Fleytman <dmitry at daynix.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet3.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 20f26b7..a6ce16e 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1158,6 +1158,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
+ {
+ VMXNET3State *s = opaque;
+
++ if (!s->device_active) {
++ return;
++ }
++
+ if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
+ VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
+ int tx_queue_idx =
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-6834-net-check-fragment-length-during-fragmentation.patch b/debian/patches/CVE-2016-6834-net-check-fragment-length-during-fragmentation.patch
new file mode 100644
index 0000000..0dfead3
--- /dev/null
+++ b/debian/patches/CVE-2016-6834-net-check-fragment-length-during-fragmentation.patch
@@ -0,0 +1,36 @@
+From 24a01bab4aa431b79e201c1e2d0ac552a41114bc Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 4 Aug 2016 13:00:14 +0530
+Subject: [PATCH] net: check fragment length during fragmentation
+
+Network transport abstraction layer supports packet fragmentation.
+While fragmenting a packet, it checks for more fragments from
+packet length and current fragment length. It is susceptible
+to an infinite loop, if the current fragment length is zero.
+Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Reviewed-by: Dmitry Fleytman <dmitry at daynix.com>
+CC: qemu-stable at nongnu.org
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index 91e1e08..f4d0f5f 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -544,7 +544,7 @@ static bool vmxnet_tx_pkt_do_sw_fragmentation(struct VmxnetTxPkt *pkt,
+
+ fragment_offset += fragment_len;
+
+- } while (more_frags);
++ } while (fragment_len && more_frags);
+
+ return true;
+ }
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-6835-net-vmxnet-check-IP-header-length.patch b/debian/patches/CVE-2016-6835-net-vmxnet-check-IP-header-length.patch
new file mode 100644
index 0000000..d005455
--- /dev/null
+++ b/debian/patches/CVE-2016-6835-net-vmxnet-check-IP-header-length.patch
@@ -0,0 +1,34 @@
+From 1f2c8a260b6f1c87cefa7459baff7e203316f7b6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <address at hidden>
+Date: Tue, 9 Aug 2016 16:49:47 +0530
+Subject: [PATCH] net: vmxnet: check IP header length
+
+Vmxnet3 device emulator when parsing packet headers does not check
+for IP header length. It could lead to a OOB access when reading
+further packet data. Add check to avoid it.
+
+Reported-by: Li Qiang <address at hidden>
+Signed-off-by: Prasad J Pandit <address at hidden>
+---
+ hw/net/vmxnet_tx_pkt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index 9152444..849826b 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -177,6 +177,11 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
+ }
+
+ l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base);
++ if(l3_hdr->iov_len < sizeof(struct ip_header))
++ {
++ l3_hdr->iov_len = 0;
++ return false;
++ }
+ pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p;
+
+ /* copy optional IPv4 header data */
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-6836-net-vmxnet-initialise-local-tx-descriptor.patch b/debian/patches/CVE-2016-6836-net-vmxnet-initialise-local-tx-descriptor.patch
new file mode 100644
index 0000000..f5079e6
--- /dev/null
+++ b/debian/patches/CVE-2016-6836-net-vmxnet-initialise-local-tx-descriptor.patch
@@ -0,0 +1,31 @@
+From 4fa993ee1f127eee2862f1779565aea0b760647a Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Thu, 11 Aug 2016 00:42:20 +0530
+Subject: [PATCH] net: vmxnet: initialise local tx descriptor
+
+In Vmxnet3 device emulator while processing transmit(tx) queue,
+when it reaches end of packet, it calls vmxnet3_complete_packet.
+In that local 'txcq_descr' object is not initialised, which could
+leak host memory bytes a guest.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/net/vmxnet3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index a6ce16e..360290d 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -529,6 +529,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
+
+ VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
+
++ memset(&txcq_descr, 0, sizeof(txcq_descr));
+ txcq_descr.txdIdx = tx_ridx;
+ txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
+
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-6888-net-vmxnet-use-g_new-for-pkt-initialisation.patch b/debian/patches/CVE-2016-6888-net-vmxnet-use-g_new-for-pkt-initialisation.patch
new file mode 100644
index 0000000..798e6c7
--- /dev/null
+++ b/debian/patches/CVE-2016-6888-net-vmxnet-use-g_new-for-pkt-initialisation.patch
@@ -0,0 +1,38 @@
+From c2f17c0e4754b5140fb79371dc8cb7973ff5d1b0 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 16 Aug 2016 16:58:01 +0530
+Subject: [PATCH] net: vmxnet: use g_new for pkt initialisation
+
+When network transport abstraction layer initialises pkt, the maximum
+fragmentation count is not checked. This could lead to an integer
+overflow causing a NULL pointer dereference. Replace g_malloc() with
+g_new() to catch the multiplication overflow.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Acked-by: Dmitry Fleytman <dmitry at daynix.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet_tx_pkt.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index f4d0f5f..9152444 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -60,10 +60,9 @@ void vmxnet_tx_pkt_init(struct VmxnetTxPkt **pkt, uint32_t max_frags,
+ {
+ struct VmxnetTxPkt *p = g_malloc0(sizeof *p);
+
+- p->vec = g_malloc((sizeof *p->vec) *
+- (max_frags + VMXNET_TX_PKT_PL_START_FRAG));
++ p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG);
+
+- p->raw = g_malloc((sizeof *p->raw) * max_frags);
++ p->raw = g_new(struct iovec, max_frags);
+
+ p->max_payload_frags = max_frags;
+ p->max_raw_frags = max_frags;
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 7c863cc..6224119 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -92,3 +92,10 @@ CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
0001-megasas-use-PCI-DMA-APIs.patch
CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
+CVE-2016-5337-scsi-megasas-null-terminate-bios-version-buffer.patch
+CVE-2016-5338-scsi-esp-check-TI-buffer-index-before-read-write.patch
+CVE-2016-6833-net-vmxnet3-check-for-device_active-before-write.patch
+CVE-2016-6834-net-check-fragment-length-during-fragmentation.patch
+CVE-2016-6835-net-vmxnet-check-IP-header-length.patch
+CVE-2016-6836-net-vmxnet-initialise-local-tx-descriptor.patch
+CVE-2016-6888-net-vmxnet-use-g_new-for-pkt-initialisation.patch
--
2.1.4
More information about the pve-devel
mailing list