[pve-devel] applied: [PATCH kvm] various fixes:
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Dec 12 14:55:46 CET 2016
CVE-2016-9776:
net: mcf: check receive buffer size register value
CVE-2016-9845:
virtio-gpu: fix information leak in getting capset info dispatch
CVE-2016-9846:
virtio-gpu: fix memory leak in update_cursor_data_virgl
CVE-2016-9907:
usbredir: free vm_change_state_handler in usbredir destroy dispatch
CVE-2016-9908:
virtio-gpu: fix information leak in capset get dispatch
CVE-2016-9911:
usb: ehci: fix memory leak in ehci_init_transfer
CVE-2016-9912:
virtio-gpu: call cleanup mapping function in resource destroy
CVE-2016-9913:
9pfs: adjust the order of resource cleanup in device unrealize
CVE-2016-9914:
9pfs: add cleanup operation in FileOperations
CVE-2016-9915:
9pfs: add cleanup operation for handle backend driver
CVE-2016-9916:
9pfs: add cleanup operation for proxy backend driver
CVE-2016-9921 and
CVE-2016-9922:
display: cirrus: check vga bits per pixel(bpp) value
---
...-check-receive-buffer-size-register-value.patch | 34 +++++++++
...fix-information-leak-in-getting-capset-in.patch | 37 ++++++++++
...fix-memory-leak-in-update_cursor_data_vir.patch | 36 ++++++++++
...ee-vm_change_state_handler-in-usbredir-de.patch | 54 +++++++++++++++
...fix-information-leak-in-capset-get-dispat.patch | 31 +++++++++
...hci-fix-memory-leak-in-ehci_init_transfer.patch | 31 +++++++++
...call-cleanup-mapping-function-in-resource.patch | 39 +++++++++++
...-the-order-of-resource-cleanup-in-device-.patch | 43 ++++++++++++
...s-add-cleanup-operation-in-FileOperations.patch | 56 +++++++++++++++
...eanup-operation-for-handle-backend-driver.patch | 47 +++++++++++++
...leanup-operation-for-proxy-backend-driver.patch | 47 +++++++++++++
...cirrus-check-vga-bits-per-pixel-bpp-value.patch | 81 ++++++++++++++++++++++
debian/patches/series | 12 ++++
13 files changed, 548 insertions(+)
create mode 100644 debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
create mode 100644 debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
create mode 100644 debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
create mode 100644 debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
create mode 100644 debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
create mode 100644 debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
create mode 100644 debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
create mode 100644 debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
create mode 100644 debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
create mode 100644 debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
create mode 100644 debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
create mode 100644 debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
diff --git a/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch b/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
new file mode 100644
index 0000000..85fa543
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
@@ -0,0 +1,34 @@
+From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Tue, 29 Nov 2016 00:38:39 +0530
+Subject: [PATCH 01/12] net: mcf: check receive buffer size register value
+
+ColdFire Fast Ethernet Controller uses a receive buffer size
+register(EMRBR) to hold maximum size of all receive buffers.
+It is set by a user before any operation. If it was set to be
+zero, ColdFire emulator would go into an infinite loop while
+receiving data in mcf_fec_receive. Add check to avoid it.
+
+Reported-by: Wjjzhang <wjjzhang at tencent.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/mcf_fec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index d31fea1..3d4b3b3 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
+ s->tx_descriptor = s->etdsr;
+ break;
+ case 0x188:
+- s->emrbr = value & 0x7f0;
++ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
+ break;
+ default:
+ hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
+--
+2.1.4
+
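Review bot: the guard on the `s->emrbr` line tests the unmasked `value`, so a non-zero value with no bits inside 0x7F0 (anything below 0x10, or a value whose set bits all lie above bit 10) still stores 0 and leaves the infinite-loop case the commit message describes reachable. Suggest testing the masked result instead, e.g. `s->emrbr = (value & 0x7F0) ? (value & 0x7F0) : 0x7F0;`, or computing the mask into a local first.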
diff --git a/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch b/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
new file mode 100644
index 0000000..8bec00a
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
@@ -0,0 +1,37 @@
+From 71ee39ea06cbcbd1971213aa1f3a9036c50b6a57 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 1 Nov 2016 02:53:11 -0700
+Subject: [PATCH 02/12] virtio-gpu: fix information leak in getting capset info
+ dispatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
+been full initialized before writing to the guest. This will leak
+the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
+patch fix this issue.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Message-id: 5818661e.0860240a.77264.7a56 at mx.google.com
+Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/display/virtio-gpu-3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 758d33a..23f39de 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
+
+ VIRTIO_GPU_FILL_CMD(info);
+
++ memset(&resp, 0, sizeof(resp));
+ if (info.capset_index == 0) {
+ resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+ virgl_renderer_get_cap_set(resp.capset_id,
+--
+2.1.4
+
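Review bot: the `memset(&resp, 0, sizeof(resp))` is placed after `VIRTIO_GPU_FILL_CMD(info)` and before the `if (info.capset_index == 0)` branch, so both the index-0 path and whatever follows it are covered; please confirm there is no field assignment to `resp` above this point (not visible in the hunk), since the memset would silently wipe it.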
diff --git a/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch b/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
new file mode 100644
index 0000000..4ba5aa7
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
@@ -0,0 +1,36 @@
+From 74a46afa58632277063ca4990cf0c954f342dd7d Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 1 Nov 2016 04:06:58 -0700
+Subject: [PATCH 03/12] virtio-gpu: fix memory leak in update_cursor_data_virgl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In update_cursor_data_virgl function, if the 'width'/ 'height'
+is not equal to current cursor's width/height it will return
+without free the 'data' allocated previously. This will lead
+a memory leak issue. This patch fix this issue.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Message-id: 58187760.41d71c0a.cca75.4cb9 at mx.google.com
+Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/display/virtio-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 5b6d17b..41f8096 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
+
+ if (width != s->current_cursor->width ||
+ height != s->current_cursor->height) {
++ free(data);
+ return;
+ }
+
+--
+2.1.4
+
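Review bot: the added `free(data)` uses the libc allocator rather than QEMU's `g_free()`; that is only correct if `data` came from a malloc-family allocation (as memory handed out by virglrenderer does) rather than `g_malloc()`, and the hunk does not show where `data` is allocated. Please confirm it matches the release call on the function's normal path, because a mismatched allocator would turn a leak fix into heap corruption.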
diff --git a/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch b/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
new file mode 100644
index 0000000..39a5622
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
@@ -0,0 +1,54 @@
+From 5bbb994dd062eb3950d67db3c6189dab0df7ec9b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Mon, 7 Nov 2016 21:57:46 -0800
+Subject: [PATCH 04/12] usbredir: free vm_change_state_handler in usbredir
+ destroy dispatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In usbredir destroy dispatch function, it doesn't free the vm change
+state handler once registered in usbredir_realize function. This will
+lead a memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
+Message-id: 58216976.d0236b0a.77b99.bcd6 at mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/usb/redirect.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 444672a..42aeaa4 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -132,6 +132,7 @@ struct USBRedirDevice {
+ struct usbredirfilter_rule *filter_rules;
+ int filter_rules_count;
+ int compatible_speedmask;
++ VMChangeStateEntry *vmstate;
+ };
+
+ #define TYPE_USB_REDIR "usb-redir"
+@@ -1409,7 +1410,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
+ qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
+ usbredir_chardev_read, usbredir_chardev_event, dev);
+
+- qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
++ dev->vmstate =
++ qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
+ }
+
+ static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
+@@ -1446,6 +1448,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
+ }
+
+ free(dev->filter_rules);
++ qemu_del_vm_change_state_handler(dev->vmstate);
+ }
+
+ static int usbredir_check_filter(USBRedirDevice *dev)
+--
+2.1.4
+
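Review bot: `usbredir_handle_destroy` now calls `qemu_del_vm_change_state_handler(dev->vmstate)` unconditionally, but the handler is registered as the last step of `usbredir_realize`, after `qemu_chr_add_handlers()`. If any earlier return in realize (not shown here) can leave a device that later reaches destroy, `dev->vmstate` is NULL there; either confirm destroy is unreachable after a failed realize or guard the call with `if (dev->vmstate)`.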
diff --git a/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch b/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
new file mode 100644
index 0000000..7fe0533
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
@@ -0,0 +1,31 @@
+From bde803ceb42d6bddc06a1881c00acdf203214772 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 1 Nov 2016 05:37:57 -0700
+Subject: [PATCH 10/12] virtio-gpu: fix information leak in capset get dispatch
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
+- resp = g_malloc(sizeof(*resp) + max_size);
++ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+--
+2.1.4
+
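Review bot: this patch carries only the author's Signed-off-by, with no maintainer Signed-off-by or Message-id like the other virtio-gpu patches, so it was taken from the list before the upstream merge; record the upstream commit id in the patch header once it lands so the packaging patch can be matched and dropped on the next rebase. The `g_malloc0` change itself is sound: zeroing `sizeof(*resp) + max_size` also covers any tail of the capset buffer that `virgl_renderer_fill_caps` does not write.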
diff --git a/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch b/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
new file mode 100644
index 0000000..fbe7cd5
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
@@ -0,0 +1,31 @@
+From 824f78bb0135cff4cb29e26c3de1cb4c2da35b46 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 8 Nov 2016 04:11:10 -0800
+Subject: [PATCH 05/12] usb: ehci: fix memory leak in ehci_init_transfer
+
+In ehci_init_transfer function, if the 'cpage' is bigger than 4,
+it doesn't free the 'p->sgl' once allocated previously thus leading
+a memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Message-id: 5821c0f4.091c6b0a.e0c92.e811 at mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/usb/hcd-ehci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index f4ece9a..7622a3a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
+ while (bytes > 0) {
+ if (cpage > 4) {
+ fprintf(stderr, "cpage out of range (%d)\n", cpage);
++ qemu_sglist_destroy(&p->sgl);
+ return -1;
+ }
+
+--
+2.1.4
+
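Review bot: `qemu_sglist_destroy(&p->sgl)` is added only to this `return -1` inside the `while (bytes > 0)` loop; if `ehci_init_transfer` has other error returns after the sglist is initialised (not visible in this hunk), they leak in the same way. A single `goto fail;` label that destroys the sglist would make future error paths harder to get wrong.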
diff --git a/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch b/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
new file mode 100644
index 0000000..94f51c8
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
@@ -0,0 +1,39 @@
+From efc44f269fe72bab2c496f21809f6bef20d9c398 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Mon, 28 Nov 2016 21:29:25 -0500
+Subject: [PATCH 11/12] virtio-gpu: call cleanup mapping function in resource
+ destroy
+
+If the guest destroy the resource before detach banking, the 'iov'
+and 'addrs' field in resource is not freed thus leading memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+---
+ hw/display/virtio-gpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 41f8096..8903dee 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -28,6 +28,8 @@
+ static struct virtio_gpu_simple_resource*
+ virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
+
++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
++
+ #ifdef CONFIG_VIRGL
+ #include <virglrenderer.h>
+ #define VIRGL(_g, _virgl, _simple, ...) \
+@@ -359,6 +361,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
+ struct virtio_gpu_simple_resource *res)
+ {
+ pixman_image_unref(res->image);
++ virtio_gpu_cleanup_mapping(res);
+ QTAILQ_REMOVE(&g->reslist, res, next);
+ g_free(res);
+ }
+--
+2.1.4
+
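Review bot: `virtio_gpu_resource_destroy` now calls `virtio_gpu_cleanup_mapping(res)` for every resource, including ones that never had backing attached; verify that `virtio_gpu_cleanup_mapping` tolerates NULL `iov`/`addrs` fields, since the hunk shows only its forward declaration. As with CVE-2016-9908, this patch has only the author's Signed-off-by and no upstream commit reference; note the upstream id in the header once it is merged.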
diff --git a/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch b/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
new file mode 100644
index 0000000..9db7466
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
@@ -0,0 +1,43 @@
+From 9be364d4b3bc173103bec0dc76259f40d232eb88 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 06/12] 9pfs: adjust the order of resource cleanup in device
+ unrealize
+
+Unrealize should undo things that were set during realize in
+reverse order. So should do in the error path in realize.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index fc4f2cd..ced7b4c 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3490,8 +3490,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+ rc = 0;
+ out:
+ if (rc) {
+- g_free(s->ctx.fs_root);
+ g_free(s->tag);
++ g_free(s->ctx.fs_root);
+ v9fs_path_free(&path);
+ }
+ return rc;
+@@ -3499,8 +3499,8 @@ out:
+
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
+- g_free(s->ctx.fs_root);
+ g_free(s->tag);
++ g_free(s->ctx.fs_root);
+ }
+
+ static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
+--
+2.1.4
+
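Review bot: on its own this hunk only swaps two independent `g_free()` calls, which changes nothing functionally; its purpose is to open the slot where the next patch (CVE-2016-9914) inserts the `s->ops->cleanup()` call ahead of `g_free(s->tag)`. Keep 9913 and 9914 adjacent in `debian/patches/series` and state in the packaging changelog that the fix is the pair, not this reordering alone.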
diff --git a/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch b/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
new file mode 100644
index 0000000..c6fc38d
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
@@ -0,0 +1,56 @@
+From f2ef9ae2a512fca1df0d56c226adc24ddf002b8b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 07/12] 9pfs: add cleanup operation in FileOperations
+
+Currently, the backend of VirtFS doesn't have a cleanup
+function. This will lead resource leak issues if the backed
+driver allocates resources. This patch addresses this issue.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ fsdev/file-op-9p.h | 1 +
+ hw/9pfs/9p.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
+index 6db9fea..a56dc84 100644
+--- a/fsdev/file-op-9p.h
++++ b/fsdev/file-op-9p.h
+@@ -100,6 +100,7 @@ struct FileOperations
+ {
+ int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
+ int (*init)(struct FsContext *);
++ void (*cleanup)(struct FsContext *);
+ int (*lstat)(FsContext *, V9fsPath *, struct stat *);
+ ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
+ int (*chmod)(FsContext *, V9fsPath *, FsCred *);
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index ced7b4c..f2a90d4 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3490,6 +3490,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+ rc = 0;
+ out:
+ if (rc) {
++ if (s->ops->cleanup && s->ctx.private) {
++ s->ops->cleanup(&s->ctx);
++ }
+ g_free(s->tag);
+ g_free(s->ctx.fs_root);
+ v9fs_path_free(&path);
+@@ -3499,6 +3502,9 @@ out:
+
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
++ if (s->ops->cleanup) {
++ s->ops->cleanup(&s->ctx);
++ }
+ g_free(s->tag);
+ g_free(s->ctx.fs_root);
+ }
+--
+2.1.4
+
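Review bot: the new `void (*cleanup)(struct FsContext *);` member of `FileOperations` has no comment describing its contract, and the two call sites apply different conditions: the realize error path calls it only when `s->ctx.private` is set, while unrealize calls it whenever the op exists. Document next to the member that cleanup runs at unrealize and on the realize error path after a successful `init`, and that backends without the op skip teardown entirely because of the `s->ops->cleanup &&` guard; only the handle and proxy backends gain one in the two patches that follow.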
diff --git a/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch b/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
new file mode 100644
index 0000000..cc78623
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
@@ -0,0 +1,47 @@
+From 4196726e44c437793294af15d95e53164cf9a02d Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 08/12] 9pfs: add cleanup operation for handle backend driver
+
+In the init operation of handle backend dirver, it allocates a
+handle_data struct and opens a mount file. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p-handle.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
+index 3d77594..1687661 100644
+--- a/hw/9pfs/9p-handle.c
++++ b/hw/9pfs/9p-handle.c
+@@ -649,6 +649,14 @@ out:
+ return ret;
+ }
+
++static void handle_cleanup(FsContext *ctx)
++{
++ struct handle_data *data = ctx->private;
++
++ close(data->mountfd);
++ g_free(data);
++}
++
+ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ {
+ const char *sec_model = qemu_opt_get(opts, "security_model");
+@@ -671,6 +679,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ FileOperations handle_ops = {
+ .parse_opts = handle_parse_opts,
+ .init = handle_init,
++ .cleanup = handle_cleanup,
+ .lstat = handle_lstat,
+ .readlink = handle_readlink,
+ .close = handle_close,
+--
+2.1.4
+
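Review bot: `handle_cleanup` dereferences `ctx->private` unconditionally and leaves the dangling pointer in place after `g_free(data)`; set `ctx->private = NULL` at the end so a second invocation, or a later access through the context, fails loudly instead of double-freeing. If `handle_init` can set `private` on a path where `mountfd` is still -1, `close(data->mountfd)` should be guarded as well.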
diff --git a/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch b/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
new file mode 100644
index 0000000..78c49cb
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
@@ -0,0 +1,47 @@
+From ae9b5c9dae96dd8d3bdf9bb6b9a0f7a2d6f532f7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 09/12] 9pfs: add cleanup operation for proxy backend driver
+
+In the init operation of proxy backend dirver, it allocates a
+V9fsProxy struct and some other resources. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p-proxy.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
+index f265501..336e9fe 100644
+--- a/hw/9pfs/9p-proxy.c
++++ b/hw/9pfs/9p-proxy.c
+@@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)
+ return 0;
+ }
+
++static void proxy_cleanup(FsContext *ctx)
++{
++ V9fsProxy *proxy = ctx->private;
++
++ g_free(proxy->out_iovec.iov_base);
++ g_free(proxy->in_iovec.iov_base);
++ if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
++ close(proxy->sockfd);
++ }
++ g_free(proxy);
++}
++
+ FileOperations proxy_ops = {
+ .parse_opts = proxy_parse_opts,
+ .init = proxy_init,
++ .cleanup = proxy_cleanup,
+ .lstat = proxy_lstat,
+ .readlink = proxy_readlink,
+ .close = proxy_close,
+--
+2.1.4
+
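Review bot: `close(proxy->sockfd)` runs only when `V9FS_PROXY_SOCK_NAME` is set, so a socket fd handed in through the other proxy configuration mode stays open after cleanup; if that is deliberate because the caller owns that fd, a one-line comment on the `if` would stop the next reader from treating it as a leak. Same suggestion as for the handle backend: clear `ctx->private` after `g_free(proxy)`.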
diff --git a/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
new file mode 100644
index 0000000..acaeb95
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
@@ -0,0 +1,81 @@
+From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Tue, 18 Oct 2016 13:15:17 +0530
+Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value
+
+In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
+'cirrus_get_bpp' returns zero(0), which could lead to a divide
+by zero error in while copying pixel data. The same could occur
+via blit pitch values. Add check to avoid it.
+
+Reported-by: Huawei PSIRT <psirt at huawei.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Message-id: 1476776717-24807-1-git-send-email-ppandit at redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+
+Notes:
+ CVE-2016-9921
+ CVE-2016-9922
+
+ hw/display/cirrus_vga.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 3d712d5..bdb092e 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ int32_t pitch, int32_t addr)
+ {
++ if (!pitch) {
++ return true;
++ }
+ if (pitch < 0) {
+ int64_t min = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch;
+@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+ s->cirrus_addr_mask));
+ }
+
+-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
++static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ {
+ int sx = 0, sy = 0;
+ int dx = 0, dy = 0;
+@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ int width, height;
+
+ depth = s->vga.get_bpp(&s->vga) / 8;
++ if (!depth) {
++ return 0;
++ }
+ s->vga.get_resolution(&s->vga, &width, &height);
+
+ /* extra x, y */
+@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+ s->cirrus_blt_dstpitch, s->cirrus_blt_width,
+ s->cirrus_blt_height);
++
++ return 1;
+ }
+
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ if (blit_is_unsafe(s))
+ return 0;
+
+- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
++ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+ s->cirrus_blt_srcaddr - s->vga.start_addr,
+ s->cirrus_blt_width, s->cirrus_blt_height);
+-
+- return 1;
+ }
+
+ /***************************************
+--
+2.1.4
+
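Review bot: `cirrus_do_copy` changes from `void` to `int` and returns 0 when `depth` is 0, which `cirrus_bitblt_videotovideo_copy` now propagates, but the meaning of the return value is undocumented; add a comment that 0 means the blit was skipped, matching the `blit_is_unsafe` early return just above the call. Note that `depth = get_bpp / 8` also rejects any bpp below 8, which is the intended outcome here. Packaging nit: the file name and the `series` entry carry only CVE-2016-9921 while the Notes block lists CVE-2016-9922 as well; naming both would let a CVE search of the tree find it.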
diff --git a/debian/patches/series b/debian/patches/series
index bc87c7a..f868c7e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -77,3 +77,15 @@ extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
+extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
+extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
+extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
+extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
+extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
+extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
+extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
+extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
+extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
+extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
+extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
+extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
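Review bot: the order of the new `series` entries is load-bearing: the `index` lines in the patch files show CVE-2016-9908 applying on top of 9845's output (23f39de), 9912 on 9846's (41f8096) and 9914 on 9913's (ced7b4c), and 9915/9916 need the `cleanup` member introduced by 9914. A short `#` comment in `series`, or a line in the packaging changelog, stating these dependencies would keep a future rebase from reshuffling them.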
--
2.1.4