[pve-devel] [PATCH kvm] Several fixes
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Jan 7 09:59:21 CET 2016
CVE-2015-8613 scsi: initialise info object with appropriate size
CVE-2015-8619 hmp: avoid redundant null termination of buffer
CVE-2015-8666 acpi: fix buffer overrun on migration
CVE-2015-8701 net: rocker: fix an incorrect array bounds check
CVE-2015-8743 net: ne2000: fix bounds check in ioport operations
CVE-2015-8744 net/vmxnet3: Refine l2 header validation
CVE-2015-8745 vmxnet3: Support reading IMR registers on bar0
---
...CVE-2015-8613-scsi-initialize-info-object.patch | 31 +++++++++
debian/patches/CVE-2015-8619-hmp-oob-write.patch | 34 ++++++++++
...8666-acpi-fix-buffer-overrun-on-migration.patch | 45 +++++++++++++
.../CVE-2015-8701-net-rocker-off-by-one.patch | 47 +++++++++++++
.../CVE-2015-8743-ne2000-ioport-bounds-check.patch | 48 ++++++++++++++
...-8744-vmxnet3-refine-l2-header-validation.patch | 76 ++++++++++++++++++++++
...745-vmxnet3-support-reading-imr-registers.patch | 37 +++++++++++
debian/patches/series | 7 ++
8 files changed, 325 insertions(+)
create mode 100644 debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch
create mode 100644 debian/patches/CVE-2015-8619-hmp-oob-write.patch
create mode 100644 debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
create mode 100644 debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch
create mode 100644 debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch
create mode 100644 debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
create mode 100644 debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
diff --git a/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch b/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch
new file mode 100644
index 0000000..ee0f36d
--- /dev/null
+++ b/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch
@@ -0,0 +1,31 @@
+From 5823b4a214ede884f4ba597fdd629862620e0f92 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Mon, 21 Dec 2015 14:48:18 +0530
+Subject: [PATCH] scsi: initialise info object with appropriate size
+
+While processing controller 'CTRL_GET_INFO' command, the routine
+'megasas_ctrl_get_info' overflows the '&info' object size. Use its
+appropriate size to null initialise it.
+
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index d7dc667..576f56c 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+ BusChild *kid;
+ int num_pd_disks = 0;
+
+- memset(&info, 0x0, cmd->iov_size);
++ memset(&info, 0x0, dcmd_size);
+ if (cmd->iov_size < dcmd_size) {
+ trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
+ dcmd_size);
+--
+2.4.3
+===
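Review bot: the trailing `===` line after the `2.4.3` version trailer is not part of the upstream `git format-patch` output and does not appear in the other five patch files, which end with the version line and a blank line; drop it here (and in CVE-2015-8619) so the files are uniform, since anything after the `--` trailer is ignored as noise but still invites confusion when the series is regenerated. On the change itself, the `memset` length is now the fixed `dcmd_size` rather than `cmd->iov_size`, which is exactly the value the following `if (cmd->iov_size < dcmd_size)` check compares against, so the initialisation and the transfer-length check are now consistent with each other.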
diff --git a/debian/patches/CVE-2015-8619-hmp-oob-write.patch b/debian/patches/CVE-2015-8619-hmp-oob-write.patch
new file mode 100644
index 0000000..1dd22d4
--- /dev/null
+++ b/debian/patches/CVE-2015-8619-hmp-oob-write.patch
@@ -0,0 +1,34 @@
+From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 17 Dec 2015 17:47:15 +0530
+Subject: [PATCH] hmp: avoid redundant null termination of buffer
+
+When processing 'sendkey' command, hmp_sendkey routine null
+terminates the 'keyname_buf' array. This results in an OOB write
+issue, if 'keyname_len' was to fall outside of 'keyname_buf' array.
+Removed the redundant null termination, as pstrcpy routine already
+null terminates the target buffer.
+
+Reported-by: Ling Liu <liuling-it at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hmp.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/hmp.c b/hmp.c
+index 2140605..e530c9c 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
+ /* Be compatible with old interface, convert user inputted "<" */
+ if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
+ pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
+- keyname_len = 4;
+ }
+- keyname_buf[keyname_len] = 0;
+
+ keylist = g_malloc0(sizeof(*keylist));
+ keylist->value = g_malloc0(sizeof(*keylist->value));
+--
+2.4.3
+===
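Review bot: with `keyname_len = 4;` removed, `keyname_len` is no longer updated after the `pstrcpy(keyname_buf, sizeof(keyname_buf), "less")` compatibility rewrite, so any later use of `keyname_len` in `hmp_sendkey` (outside the visible context) would still see the original length of 1 rather than the length of `"less"`; please confirm nothing after this hunk consumes `keyname_len` for the translated name, otherwise the removal should be limited to the `keyname_buf[keyname_len] = 0;` line that causes the out-of-bounds write. Same cosmetic point as the previous file: the `===` line after the `2.4.3` trailer is not upstream output and should go.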
diff --git a/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch b/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
new file mode 100644
index 0000000..b46ab48
--- /dev/null
+++ b/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
@@ -0,0 +1,45 @@
+From d9a3b33d2c9f996537b7f1d0246dee2d0120cefb Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst at redhat.com>
+Date: Thu, 19 Nov 2015 15:14:07 +0200
+Subject: [PATCH] acpi: fix buffer overrun on migration
+
+ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
+ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
+ICH9_PMIO_GPE0_LEN bytes are migrated.
+
+As a quick work-around, allocate twice the memory.
+We'll probably want to tweak code to avoid
+migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
+but that is a bit trickier to do without breaking
+migration compatibility.
+
+Tested-by: "Dr. David Alan Gilbert" <dgilbert at redhat.com>
+Reported-by: "Dr. David Alan Gilbert" <dgilbert at redhat.com>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+---
+ hw/acpi/core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index fe6215a..21e113d 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -625,8 +625,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
+ void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
+ {
+ ar->gpe.len = len;
+- ar->gpe.sts = g_malloc0(len / 2);
+- ar->gpe.en = g_malloc0(len / 2);
++ /* Only first len / 2 bytes are ever used,
++ * but the caller in ich9.c migrates full len bytes.
++ * TODO: fix ich9.c and drop the extra allocation.
++ */
++ ar->gpe.sts = g_malloc0(len);
++ ar->gpe.en = g_malloc0(len);
+ }
+
+ void acpi_gpe_reset(ACPIREGS *ar)
+--
+2.1.4
+
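Review bot: this is explicitly a work-around (the added comment says only the first `len / 2` bytes are ever used while `ich9.c` migrates `len` bytes), so the patch header in `debian/patches` should record the condition for dropping it, namely an upstream fix that stops migrating the extra `ICH9_PMIO_GPE0_LEN/2` bytes; otherwise the doubled `g_malloc0(len)` for `ar->gpe.sts` and `ar->gpe.en` will outlive its purpose. Note that `ar->gpe.len = len` is untouched, so every other consumer of `gpe.len` keeps its current behaviour and only the allocation size grows.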
diff --git a/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch b/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch
new file mode 100644
index 0000000..7b17355
--- /dev/null
+++ b/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch
@@ -0,0 +1,47 @@
+From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Mon, 28 Dec 2015 16:24:08 +0530
+Subject: [PATCH] net: rocker: fix an incorrect array bounds check
+
+While processing transmit(tx) descriptors in 'tx_consume' routine
+the switch emulator suffers from an off-by-one error, if a
+descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
+fragments. Fix an incorrect bounds check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/rocker/rocker.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index c57f1a6..2e77e50 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
+ frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
+ frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
+
++ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
++ goto err_too_many_frags;
++ }
+ iov[iovcnt].iov_len = frag_len;
+ iov[iovcnt].iov_base = g_malloc(frag_len);
+ if (!iov[iovcnt].iov_base) {
+@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
+ err = -ROCKER_ENXIO;
+ goto err_bad_io;
+ }
+-
+- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
+- goto err_too_many_frags;
+- }
++ iovcnt++;
+ }
+
+ if (iovcnt) {
+--
+2.1.4
+
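Review bot: the ordering of the new check is the substance of the fix and is correct: before this change, `iov[iovcnt].iov_len = frag_len` and the `g_malloc(frag_len)` assignment were executed with `iovcnt` potentially equal to `ROCKER_TX_FRAGS_MAX`, one past the end of `iov`, and the `++iovcnt > ROCKER_TX_FRAGS_MAX` test only ran afterwards; now `iovcnt >= ROCKER_TX_FRAGS_MAX` is tested before any write to `iov[iovcnt]`. One thing to verify outside the visible context: because the new `goto err_too_many_frags` happens before `iovcnt++`, the cleanup under that label must free exactly `iov[0..iovcnt)` and not assume a buffer was allocated for the rejected fragment.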
diff --git a/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch b/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch
new file mode 100644
index 0000000..5b34ecf
--- /dev/null
+++ b/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch
@@ -0,0 +1,48 @@
+From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 31 Dec 2015 17:05:27 +0530
+Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
+
+While doing ioport r/w operations, ne2000 device emulation suffers
+from OOB r/w errors. Update respective array bounds check to avoid
+OOB access.
+
+Reported-by: Ling Liu <liuling-it at 360.cn>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/ne2000.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 010f9ef..a3dffff 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
+ uint32_t val)
+ {
+ addr &= ~1; /* XXX: check exact behaviour if not even */
+- if (addr < 32 ||
+- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++ if (addr < 32
++ || (addr >= NE2000_PMEM_START
++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+ stl_le_p(s->mem + addr, val);
+ }
+ }
+@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
+ static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
+ {
+ addr &= ~1; /* XXX: check exact behaviour if not even */
+- if (addr < 32 ||
+- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++ if (addr < 32
++ || (addr >= NE2000_PMEM_START
++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+ return ldl_le_p(s->mem + addr);
+ } else {
+ return 0xffffffff;
+--
+2.1.4
+
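Review bot: only the 32-bit accessors `ne2000_mem_writel` and `ne2000_mem_readl` gain the `addr + sizeof(uint32_t) <= NE2000_MEM_SIZE` form; the 16-bit accessors (`ne2000_mem_readw` is visible in the second hunk header but not changed) keep `addr < NE2000_MEM_SIZE`. With `addr &= ~1` that is sufficient for a 2-byte access as long as `NE2000_MEM_SIZE` is even, but a one-line remark in the patch description saying why the word accessors need no change would save the next reviewer the same question. Also note that the `addr < 32` arm still permits a 4-byte access ending at byte 35; that is safe only because the low region is not the end of `s->mem`, which the hunk does not show.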
diff --git a/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch b/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
new file mode 100644
index 0000000..fbb9f54
--- /dev/null
+++ b/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
@@ -0,0 +1,76 @@
+From a7278b36fcab9af469563bd7b9dadebe2ae25e48 Mon Sep 17 00:00:00 2001
+From: Dana Rubin <dana.rubin at ravellosystems.com>
+Date: Tue, 18 Aug 2015 12:45:55 +0300
+Subject: [PATCH] net/vmxnet3: Refine l2 header validation
+
+Validation of l2 header length assumed minimal packet size as
+eth_header + 2 * vlan_header regardless of the actual protocol.
+
+This caused crash for valid non-IP packets shorter than 22 bytes, as
+'tx_pkt->packet_type' hasn't been assigned for such packets, and
+'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.
+
+Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
+Check its return value during packet processing flow.
+
+As a side effect, in case IPv4 and IPv6 header validation failure,
+corrupt packets will be dropped.
+
+Signed-off-by: Dana Rubin <dana.rubin at ravellosystems.com>
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani at ravellosystems.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet3.c | 4 +---
+ hw/net/vmxnet_tx_pkt.c | 19 ++++++++++++++++---
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 04159c8..48ced71 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
+ }
+
+ if (txd.eop) {
+- if (!s->skip_current_tx_pkt) {
+- vmxnet_tx_pkt_parse(s->tx_pkt);
+-
++ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) {
+ if (s->needs_vlan) {
+ vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci);
+ }
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index f7344c4..eb88ddf 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
+
+ bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base,
+ ETH_MAX_L2_HDR_LEN);
+- if (bytes_read < ETH_MAX_L2_HDR_LEN) {
++ if (bytes_read < sizeof(struct eth_header)) {
++ l2_hdr->iov_len = 0;
++ return false;
++ }
++
++ l2_hdr->iov_len = sizeof(struct eth_header);
++ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) {
++ case ETH_P_VLAN:
++ l2_hdr->iov_len += sizeof(struct vlan_header);
++ break;
++ case ETH_P_DVLAN:
++ l2_hdr->iov_len += 2 * sizeof(struct vlan_header);
++ break;
++ }
++
++ if (bytes_read < l2_hdr->iov_len) {
+ l2_hdr->iov_len = 0;
+ return false;
+- } else {
+- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base);
+ }
+
+ l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len);
+--
+2.1.4
+
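Review bot: the inline `switch` on `h_proto` in `vmxnet_tx_pkt_parse_headers` has no `default:` case; that is intentional (non-VLAN frames keep `iov_len == sizeof(struct eth_header)`), but an explicit `default: break;` would make the intent visible and silence compilers that warn on unhandled values. The more important structural point is why the old `else` branch calling `eth_get_l2_hdr_length` was replaced rather than kept: the new code computes the expected L2 length first and only then checks `bytes_read < l2_hdr->iov_len`, so a short non-IP frame now fails validation instead of being accepted with an unset `packet_type`. In the `vmxnet3.c` hunk, `vmxnet_tx_pkt_parse` now gates the whole `txd.eop` block; the hunk does not show the fall-through path for a failed parse, so confirm the packet is still released and `skip_current_tx_pkt` state is reset there, otherwise the dropped packets described in the commit message would leak.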
diff --git a/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch b/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
new file mode 100644
index 0000000..deb755f
--- /dev/null
+++ b/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
@@ -0,0 +1,37 @@
+From c6048f849c7e3f009786df76206e895a69de032c Mon Sep 17 00:00:00 2001
+From: Shmulik Ladkani <shmulik.ladkani at ravellosystems.com>
+Date: Mon, 21 Sep 2015 17:09:02 +0300
+Subject: [PATCH] vmxnet3: Support reading IMR registers on bar0
+
+Instead of asserting, return the actual IMR register value.
+This is aligned with what's returned on ESXi.
+
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani at ravellosystems.com>
+Tested-by: Dana Rubin <dana.rubin at ravellosystems.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet3.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 48ced71..057f0dc 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1163,9 +1163,13 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
+ static uint64_t
+ vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size)
+ {
++ VMXNET3State *s = opaque;
++
+ if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR,
+ VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) {
+- g_assert_not_reached();
++ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR,
++ VMXNET3_REG_ALIGN);
++ return s->interrupt_states[l].is_masked;
+ }
+
+ VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size);
+--
+2.1.4
+
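Review bot: this patch's `index 48ced71..057f0dc` line for `hw/net/vmxnet3.c` is the post-image of the CVE-2015-8744 patch (`index 04159c8..48ced71`), so it only applies cleanly after that one; the `series` file does list them in that order, but the dependency is worth a sentence in the cover letter so nobody reorders or cherry-picks them later. The change itself is straightforward: `VMW_MULTIREG_IDX_BY_ADDR` yields the IMR index and `s->interrupt_states[l].is_masked` is returned in place of `g_assert_not_reached()`; `VMXNET3State *s = opaque` is only needed in that branch, which is fine.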
diff --git a/debian/patches/series b/debian/patches/series
index 2dcbd1c..6b978ca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,3 +41,10 @@ add_firewall_to_vma.patch
CVE-2015-7549-msix-pba-write-ro.patch
CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
vmxnet3-host-memory-leakage.patch
+CVE-2015-8613-scsi-initialize-info-object.patch
+CVE-2015-8619-hmp-oob-write.patch
+CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
+CVE-2015-8701-net-rocker-off-by-one.patch
+CVE-2015-8743-ne2000-ioport-bounds-check.patch
+CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
+CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
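Review bot: the seven new entries are appended in CVE-number order, which happens to satisfy the only inter-patch dependency in this set (CVE-2015-8744 must precede CVE-2015-8745 for the `hw/net/vmxnet3.c` index lines to match); since the order is load-bearing rather than cosmetic, consider a comment in `series` or the cover letter noting it. Minor naming nit: the CVE-2015-8613 file is called `initialize-info-object` while its subject line says `initialise`; harmless, but the other files mirror their subjects exactly.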
--
2.1.4