[pve-devel] applied: [PATCH kvm] various fixes:

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Dec 12 14:55:46 CET 2016


CVE-2016-9776:
 net: mcf: check receive buffer size register value
CVE-2016-9845:
 virtio-gpu: fix information leak in getting capset info dispatch
CVE-2016-9846:
 virtio-gpu: fix memory leak in update_cursor_data_virgl
CVE-2016-9907:
 usbredir: free vm_change_state_handler in usbredir destroy dispatch
CVE-2016-9908:
 virtio-gpu: fix information leak in capset get dispatch
CVE-2016-9911:
 usb: ehci: fix memory leak in ehci_init_transfer
CVE-2016-9912:
 virtio-gpu: call cleanup mapping function in resource destroy
CVE-2016-9913:
 9pfs: adjust the order of resource cleanup in device unrealize
CVE-2016-9914:
 9pfs: add cleanup operation in FileOperations
CVE-2016-9915:
 9pfs: add cleanup operation for handle backend driver
CVE-2016-9916:
 9pfs: add cleanup operation for proxy backend driver
CVE-2016-9921 and
CVE-2016-9922:
 display: cirrus: check vga bits per pixel(bpp) value
---
 ...-check-receive-buffer-size-register-value.patch | 34 +++++++++
 ...fix-information-leak-in-getting-capset-in.patch | 37 ++++++++++
 ...fix-memory-leak-in-update_cursor_data_vir.patch | 36 ++++++++++
 ...ee-vm_change_state_handler-in-usbredir-de.patch | 54 +++++++++++++++
 ...fix-information-leak-in-capset-get-dispat.patch | 31 +++++++++
 ...hci-fix-memory-leak-in-ehci_init_transfer.patch | 31 +++++++++
 ...call-cleanup-mapping-function-in-resource.patch | 39 +++++++++++
 ...-the-order-of-resource-cleanup-in-device-.patch | 43 ++++++++++++
 ...s-add-cleanup-operation-in-FileOperations.patch | 56 +++++++++++++++
 ...eanup-operation-for-handle-backend-driver.patch | 47 +++++++++++++
 ...leanup-operation-for-proxy-backend-driver.patch | 47 +++++++++++++
 ...cirrus-check-vga-bits-per-pixel-bpp-value.patch | 81 ++++++++++++++++++++++
 debian/patches/series                              | 12 ++++
 13 files changed, 548 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
 create mode 100644 debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
 create mode 100644 debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
 create mode 100644 debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
 create mode 100644 debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
 create mode 100644 debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
 create mode 100644 debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
 create mode 100644 debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
 create mode 100644 debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
 create mode 100644 debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
 create mode 100644 debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
 create mode 100644 debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch

diff --git a/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch b/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
new file mode 100644
index 0000000..85fa543
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
@@ -0,0 +1,34 @@
+From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Tue, 29 Nov 2016 00:38:39 +0530
+Subject: [PATCH 01/12] net: mcf: check receive buffer size register value
+
+ColdFire Fast Ethernet Controller uses a receive buffer size
+register(EMRBR) to hold maximum size of all receive buffers.
+It is set by a user before any operation. If it was set to be
+zero, ColdFire emulator would go into an infinite loop while
+receiving data in mcf_fec_receive. Add check to avoid it.
+
+Reported-by: Wjjzhang <wjjzhang at tencent.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/mcf_fec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index d31fea1..3d4b3b3 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
+         s->tx_descriptor = s->etdsr;
+         break;
+     case 0x188:
+-        s->emrbr = value & 0x7f0;
++        s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
+         break;
+     default:
+         hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch b/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
new file mode 100644
index 0000000..8bec00a
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
@@ -0,0 +1,37 @@
+From 71ee39ea06cbcbd1971213aa1f3a9036c50b6a57 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 1 Nov 2016 02:53:11 -0700
+Subject: [PATCH 02/12] virtio-gpu: fix information leak in getting capset info
+ dispatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
+been full initialized before writing to the guest. This will leak
+the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
+patch fix this issue.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Message-id: 5818661e.0860240a.77264.7a56 at mx.google.com
+Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/display/virtio-gpu-3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 758d33a..23f39de 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
+ 
+     VIRTIO_GPU_FILL_CMD(info);
+ 
++    memset(&resp, 0, sizeof(resp));
+     if (info.capset_index == 0) {
+         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+         virgl_renderer_get_cap_set(resp.capset_id,
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch b/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
new file mode 100644
index 0000000..4ba5aa7
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
@@ -0,0 +1,36 @@
+From 74a46afa58632277063ca4990cf0c954f342dd7d Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 1 Nov 2016 04:06:58 -0700
+Subject: [PATCH 03/12] virtio-gpu: fix memory leak in update_cursor_data_virgl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In update_cursor_data_virgl function, if the 'width'/ 'height'
+is not equal to current cursor's width/height it will return
+without free the 'data' allocated previously. This will lead
+a memory leak issue. This patch fix this issue.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Message-id: 58187760.41d71c0a.cca75.4cb9 at mx.google.com
+Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/display/virtio-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 5b6d17b..41f8096 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
+ 
+     if (width != s->current_cursor->width ||
+         height != s->current_cursor->height) {
++        free(data);
+         return;
+     }
+ 
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch b/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
new file mode 100644
index 0000000..39a5622
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
@@ -0,0 +1,54 @@
+From 5bbb994dd062eb3950d67db3c6189dab0df7ec9b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Mon, 7 Nov 2016 21:57:46 -0800
+Subject: [PATCH 04/12] usbredir: free vm_change_state_handler in usbredir
+ destroy dispatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In usbredir destroy dispatch function, it doesn't free the vm change
+state handler once registered in usbredir_realize function. This will
+lead a memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>
+Message-id: 58216976.d0236b0a.77b99.bcd6 at mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/usb/redirect.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 444672a..42aeaa4 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -132,6 +132,7 @@ struct USBRedirDevice {
+     struct usbredirfilter_rule *filter_rules;
+     int filter_rules_count;
+     int compatible_speedmask;
++    VMChangeStateEntry *vmstate;
+ };
+ 
+ #define TYPE_USB_REDIR "usb-redir"
+@@ -1409,7 +1410,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
+     qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
+                           usbredir_chardev_read, usbredir_chardev_event, dev);
+ 
+-    qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
++    dev->vmstate =
++        qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
+ }
+ 
+ static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
+@@ -1446,6 +1448,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
+     }
+ 
+     free(dev->filter_rules);
++    qemu_del_vm_change_state_handler(dev->vmstate);
+ }
+ 
+ static int usbredir_check_filter(USBRedirDevice *dev)
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch b/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
new file mode 100644
index 0000000..7fe0533
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
@@ -0,0 +1,31 @@
+From bde803ceb42d6bddc06a1881c00acdf203214772 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 1 Nov 2016 05:37:57 -0700
+Subject: [PATCH 10/12] virtio-gpu: fix information leak in capset get dispatch
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+ 
+     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+                                &max_size);
+-    resp = g_malloc(sizeof(*resp) + max_size);
++    resp = g_malloc0(sizeof(*resp) + max_size);
+ 
+     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+     virgl_renderer_fill_caps(gc.capset_id,
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch b/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
new file mode 100644
index 0000000..fbe7cd5
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
@@ -0,0 +1,31 @@
+From 824f78bb0135cff4cb29e26c3de1cb4c2da35b46 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 8 Nov 2016 04:11:10 -0800
+Subject: [PATCH 05/12] usb: ehci: fix memory leak in ehci_init_transfer
+
+In ehci_init_transfer function, if the 'cpage' is bigger than 4,
+it doesn't free the 'p->sgl' once allocated previously thus leading
+a memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Message-id: 5821c0f4.091c6b0a.e0c92.e811 at mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/usb/hcd-ehci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index f4ece9a..7622a3a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
+     while (bytes > 0) {
+         if (cpage > 4) {
+             fprintf(stderr, "cpage out of range (%d)\n", cpage);
++            qemu_sglist_destroy(&p->sgl);
+             return -1;
+         }
+ 
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch b/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
new file mode 100644
index 0000000..94f51c8
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
@@ -0,0 +1,39 @@
+From efc44f269fe72bab2c496f21809f6bef20d9c398 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Mon, 28 Nov 2016 21:29:25 -0500
+Subject: [PATCH 11/12] virtio-gpu: call cleanup mapping function in resource
+ destroy
+
+If the guest destroy the resource before detach banking, the 'iov'
+and 'addrs' field in resource is not freed thus leading memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+---
+ hw/display/virtio-gpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 41f8096..8903dee 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -28,6 +28,8 @@
+ static struct virtio_gpu_simple_resource*
+ virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
+ 
++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
++
+ #ifdef CONFIG_VIRGL
+ #include <virglrenderer.h>
+ #define VIRGL(_g, _virgl, _simple, ...)                     \
+@@ -359,6 +361,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
+                                         struct virtio_gpu_simple_resource *res)
+ {
+     pixman_image_unref(res->image);
++    virtio_gpu_cleanup_mapping(res);
+     QTAILQ_REMOVE(&g->reslist, res, next);
+     g_free(res);
+ }
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch b/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
new file mode 100644
index 0000000..9db7466
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
@@ -0,0 +1,43 @@
+From 9be364d4b3bc173103bec0dc76259f40d232eb88 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 06/12] 9pfs: adjust the order of resource cleanup in device
+ unrealize
+
+Unrealize should undo things that were set during realize in
+reverse order. So should do in the error path in realize.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index fc4f2cd..ced7b4c 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3490,8 +3490,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+     rc = 0;
+ out:
+     if (rc) {
+-        g_free(s->ctx.fs_root);
+         g_free(s->tag);
++        g_free(s->ctx.fs_root);
+         v9fs_path_free(&path);
+     }
+     return rc;
+@@ -3499,8 +3499,8 @@ out:
+ 
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
+-    g_free(s->ctx.fs_root);
+     g_free(s->tag);
++    g_free(s->ctx.fs_root);
+ }
+ 
+ static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch b/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
new file mode 100644
index 0000000..c6fc38d
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
@@ -0,0 +1,56 @@
+From f2ef9ae2a512fca1df0d56c226adc24ddf002b8b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 07/12] 9pfs: add cleanup operation in FileOperations
+
+Currently, the backend of VirtFS doesn't have a cleanup
+function. This will lead resource leak issues if the backed
+driver allocates resources. This patch addresses this issue.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ fsdev/file-op-9p.h | 1 +
+ hw/9pfs/9p.c       | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
+index 6db9fea..a56dc84 100644
+--- a/fsdev/file-op-9p.h
++++ b/fsdev/file-op-9p.h
+@@ -100,6 +100,7 @@ struct FileOperations
+ {
+     int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
+     int (*init)(struct FsContext *);
++    void (*cleanup)(struct FsContext *);
+     int (*lstat)(FsContext *, V9fsPath *, struct stat *);
+     ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
+     int (*chmod)(FsContext *, V9fsPath *, FsCred *);
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index ced7b4c..f2a90d4 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3490,6 +3490,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+     rc = 0;
+ out:
+     if (rc) {
++        if (s->ops->cleanup && s->ctx.private) {
++            s->ops->cleanup(&s->ctx);
++        }
+         g_free(s->tag);
+         g_free(s->ctx.fs_root);
+         v9fs_path_free(&path);
+@@ -3499,6 +3502,9 @@ out:
+ 
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
++    if (s->ops->cleanup) {
++        s->ops->cleanup(&s->ctx);
++    }
+     g_free(s->tag);
+     g_free(s->ctx.fs_root);
+ }
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch b/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
new file mode 100644
index 0000000..cc78623
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
@@ -0,0 +1,47 @@
+From 4196726e44c437793294af15d95e53164cf9a02d Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 08/12] 9pfs: add cleanup operation for handle backend driver
+
+In the init operation of handle backend dirver, it allocates a
+handle_data struct and opens a mount file. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p-handle.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
+index 3d77594..1687661 100644
+--- a/hw/9pfs/9p-handle.c
++++ b/hw/9pfs/9p-handle.c
+@@ -649,6 +649,14 @@ out:
+     return ret;
+ }
+ 
++static void handle_cleanup(FsContext *ctx)
++{
++    struct handle_data *data = ctx->private;
++
++    close(data->mountfd);
++    g_free(data);
++}
++
+ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ {
+     const char *sec_model = qemu_opt_get(opts, "security_model");
+@@ -671,6 +679,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ FileOperations handle_ops = {
+     .parse_opts   = handle_parse_opts,
+     .init         = handle_init,
++    .cleanup      = handle_cleanup,
+     .lstat        = handle_lstat,
+     .readlink     = handle_readlink,
+     .close        = handle_close,
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch b/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
new file mode 100644
index 0000000..78c49cb
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
@@ -0,0 +1,47 @@
+From ae9b5c9dae96dd8d3bdf9bb6b9a0f7a2d6f532f7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea at gmail.com>
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 09/12] 9pfs: add cleanup operation for proxy backend driver
+
+In the init operation of proxy backend dirver, it allocates a
+V9fsProxy struct and some other resources. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang <liq3ea at gmail.com>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p-proxy.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
+index f265501..336e9fe 100644
+--- a/hw/9pfs/9p-proxy.c
++++ b/hw/9pfs/9p-proxy.c
+@@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)
+     return 0;
+ }
+ 
++static void proxy_cleanup(FsContext *ctx)
++{
++    V9fsProxy *proxy = ctx->private;
++
++    g_free(proxy->out_iovec.iov_base);
++    g_free(proxy->in_iovec.iov_base);
++    if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
++        close(proxy->sockfd);
++    }
++    g_free(proxy);
++}
++
+ FileOperations proxy_ops = {
+     .parse_opts   = proxy_parse_opts,
+     .init         = proxy_init,
++    .cleanup      = proxy_cleanup,
+     .lstat        = proxy_lstat,
+     .readlink     = proxy_readlink,
+     .close        = proxy_close,
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
new file mode 100644
index 0000000..acaeb95
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
@@ -0,0 +1,81 @@
+From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Tue, 18 Oct 2016 13:15:17 +0530
+Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value
+
+In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
+'cirrus_get_bpp' returns zero(0), which could lead to a divide
+by zero error in while copying pixel data. The same could occur
+via blit pitch values. Add check to avoid it.
+
+Reported-by: Huawei PSIRT <psirt at huawei.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Message-id: 1476776717-24807-1-git-send-email-ppandit at redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+
+Notes:
+    CVE-2016-9921
+    CVE-2016-9922
+
+ hw/display/cirrus_vga.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 3d712d5..bdb092e 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+                                   int32_t pitch, int32_t addr)
+ {
++    if (!pitch) {
++        return true;
++    }
+     if (pitch < 0) {
+         int64_t min = addr
+             + ((int64_t)s->cirrus_blt_height-1) * pitch;
+@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+                                             s->cirrus_addr_mask));
+ }
+ 
+-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
++static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ {
+     int sx = 0, sy = 0;
+     int dx = 0, dy = 0;
+@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+         int width, height;
+ 
+         depth = s->vga.get_bpp(&s->vga) / 8;
++        if (!depth) {
++            return 0;
++        }
+         s->vga.get_resolution(&s->vga, &width, &height);
+ 
+         /* extra x, y */
+@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+ 				s->cirrus_blt_dstpitch, s->cirrus_blt_width,
+ 				s->cirrus_blt_height);
++
++    return 1;
+ }
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+     if (blit_is_unsafe(s))
+         return 0;
+ 
+-    cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
++    return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+             s->cirrus_blt_srcaddr - s->vga.start_addr,
+             s->cirrus_blt_width, s->cirrus_blt_height);
+-
+-    return 1;
+ }
+ 
+ /***************************************
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index bc87c7a..f868c7e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -77,3 +77,15 @@ extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
 extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
 extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
 extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
+extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
+extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
+extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
+extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
+extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
+extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
+extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
+extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
+extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
+extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
+extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
+extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
-- 
2.1.4





More information about the pve-devel mailing list