[pve-devel] [stable/3 kvm 1/2] fixes for CVEs 2015-7549, 2015-8858 and for vmxnet3
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Jan 7 11:11:10 CET 2016
The third one has no number assigned yet but was reviewed
and is queued for 2.6 and probably also 2.5.1.
---
.../patches/CVE-2015-7549-msix-pba-write-ro.patch | 52 +++++++++++++
...8558-ehci_make_idt_processing_more_robust.patch | 49 ++++++++++++
debian/patches/series | 3 +
debian/patches/vmxnet3-host-memory-leakage.patch | 91 ++++++++++++++++++++++
4 files changed, 195 insertions(+)
create mode 100644 debian/patches/CVE-2015-7549-msix-pba-write-ro.patch
create mode 100644 debian/patches/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
create mode 100644 debian/patches/vmxnet3-host-memory-leakage.patch
diff --git a/debian/patches/CVE-2015-7549-msix-pba-write-ro.patch b/debian/patches/CVE-2015-7549-msix-pba-write-ro.patch
new file mode 100644
index 0000000..631ae37
--- /dev/null
+++ b/debian/patches/CVE-2015-7549-msix-pba-write-ro.patch
@@ -0,0 +1,52 @@
+commit 43b11a91dd861a946b231b89b7542856ade23d1b
+Author: Marc-André Lureau <marcandre.lureau at redhat.com>
+Date: Fri Jun 26 14:25:29 2015 +0200
+
+ msix: implement pba write (but read-only)
+
+ qpci_msix_pending() writes on pba region, causing qemu to SEGV:
+
+ Program received signal SIGSEGV, Segmentation fault.
+ [Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
+ 0x0000000000000000 in ?? ()
+ (gdb) bt
+ #0 0x0000000000000000 in ()
+ #1 0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
+ #2 0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e <memory_region_oldmmio_write_accessor>, mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
+ #3 0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at /home/elmarco/src/qemu/memory.c:1176
+ #4 0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 <address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
+ #5 0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
+ #6 0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80
+ #7 0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
+ #8 0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
+ #9 0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581
+ #10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
+ #11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
+ #12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122
+
+ (without this patch, this can be reproduced with the ivshmem qtest)
+
+ Implement an empty mmio write to avoid the crash.
+
+ Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
+ Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
+
+diff --git a/hw/pci/msix.c b/hw/pci/msix.c
+index 2fdada4..64c93d8 100644
+--- a/hw/pci/msix.c
++++ b/hw/pci/msix.c
+@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr,
+ return pci_get_long(dev->msix_pba + addr);
+ }
+
++static void msix_pba_mmio_write(void *opaque, hwaddr addr,
++ uint64_t val, unsigned size)
++{
++}
++
+ static const MemoryRegionOps msix_pba_mmio_ops = {
+ .read = msix_pba_mmio_read,
++ .write = msix_pba_mmio_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+ .min_access_size = 4,
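Review bot: The new `msix_pba_mmio_write` in the embedded patch drops every guest write without saying so; a one-line comment such as `/* PBA is read-only: guest writes are intentionally ignored (only a handler is needed so the MMIO dispatch no longer hits a NULL .write) */` would make the intent clear to the next reader. Since none of `opaque`, `addr`, `val` or `size` is used, `(void)` casts for them would also keep the handler warning-free if the tree builds with -Wunused-parameter. The `MemoryRegionOps` initializer continues past the end of this hunk.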
diff --git a/debian/patches/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch b/debian/patches/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
new file mode 100644
index 0000000..743b68d
--- /dev/null
+++ b/debian/patches/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
@@ -0,0 +1,49 @@
+From: Gerd Hoffmann
+Subject: [Qemu-devel] [PULL 5/5] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction. That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: qemu-stable at nongnu.org
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Tested-by: P J P <ppandit at redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..d07f228 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+ USBDevice *dev;
+ USBEndpoint *ep;
+- uint32_t i, len, pid, dir, devaddr, endp;
++ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+ uint32_t pg, off, ptr1, ptr2, max, mult;
+
+ ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ ehci_raise_irq(ehci, USBSTS_INT);
+ }
+ itd->transact[i] &= ~ITD_XACT_ACTIVE;
++ xfers++;
+ }
+ }
+- return 0;
++ return xfers ? 0 : -1;
+ }
+
+
+--
+1.8.3.1
+
+
+
+
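Review bot: The embedded patch header (`From: Gerd Hoffmann` / `Subject: [Qemu-devel] [PULL 5/5] ...`) carries no upstream commit id, unlike the other two patch files in this series which start with `commit 43b11a91...` and `From 3ef66b01...`; adding the upstream hash as a `commit <id>` line (placeholder: the upstream qemu commit for CVE-2015-8558) would make the backport traceable. The cover letter subject also names the CVE as 2015-8858 while the file name and the patch body say CVE-2015-8558, which is worth reconciling. The change itself, `return xfers ? 0 : -1;`, only stops the loop if the caller of `ehci_process_itd` treats a negative return as abort; that caller is outside this hunk, so it should be confirmed that the stable/3 tree's version matches the upstream one the patch was written against. The trailing blank lines after `1.8.3.1` are harmless but could be trimmed.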
diff --git a/debian/patches/series b/debian/patches/series
index 5ee8bb8..364a7af 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -42,3 +42,6 @@ net-add-checks-to-validate-ring-buffer-pointers.patch
CVE-2015-1779-incrementally-decode-websocket-frames.patch
CVE-2015-1779-limit-size-of-HTTP-headers-from-websockets-clients.patch
0001-ui-vnc-avoid-floating-point-exception.patch
+CVE-2015-7549-msix-pba-write-ro.patch
+CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
+vmxnet3-host-memory-leakage.patch
diff --git a/debian/patches/vmxnet3-host-memory-leakage.patch b/debian/patches/vmxnet3-host-memory-leakage.patch
new file mode 100644
index 0000000..dcc76b9
--- /dev/null
+++ b/debian/patches/vmxnet3-host-memory-leakage.patch
@@ -0,0 +1,91 @@
+From 3ef66b01874fcc2fe3bfc73d2b61ee3a5b29fdb6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Tue, 15 Dec 2015 12:17:28 +0530
+Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
+
+Vmxnet3 device emulator does not check if the device is active
+before activating it, also it did not free the transmit & receive
+buffers while deactivating the device, thus resulting in memory
+leakage on the host. This patch fixes both these issues to avoid
+host memory leakage.
+
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Reviewed-by: Dmitry Fleytman <dmitry at daynix.com>
+---
+ hw/net/vmxnet3.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 37373e5..2b4aad7 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
+
+ static void vmxnet3_deactivate_device(VMXNET3State *s)
+ {
+- VMW_CBPRN("Deactivating vmxnet3...");
+- s->device_active = false;
++ if (s->device_active) {
++ VMW_CBPRN("Deactivating vmxnet3...");
++ vmxnet_tx_pkt_reset(s->tx_pkt);
++ vmxnet_tx_pkt_uninit(s->tx_pkt);
++ vmxnet_rx_pkt_uninit(s->rx_pkt);
++ s->device_active = false;
++ }
+ }
+
+ static void vmxnet3_reset(VMXNET3State *s)
+@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
+
+ vmxnet3_deactivate_device(s);
+ vmxnet3_reset_interrupt_states(s);
+- vmxnet_tx_pkt_reset(s->tx_pkt);
+ s->drv_shmem = 0;
+ s->tx_sop = true;
+ s->skip_current_tx_pkt = false;
+@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ return;
+ }
+
++ /* Verify if device is active */
++ if (s->device_active) {
++ VMW_CFPRN("Vmxnet3 device is active");
++ return;
++ }
++
+ vmxnet3_adjust_by_guest_type(s);
+ vmxnet3_update_features(s);
+ vmxnet3_update_pm_state(s);
+@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
+ break;
+
+ case VMXNET3_CMD_QUIESCE_DEV:
+- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
++ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
+ vmxnet3_deactivate_device(s);
+ break;
+
+@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
+ * shared address only after we get the high part
+ */
+ if (val == 0) {
+- s->device_active = false;
++ vmxnet3_deactivate_device(s);
+ }
+ s->temp_shared_guest_driver_memory = val;
+ s->drv_shmem = 0;
+@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
+ static void vmxnet3_net_uninit(VMXNET3State *s)
+ {
+ g_free(s->mcast_list);
+- vmxnet_tx_pkt_reset(s->tx_pkt);
+- vmxnet_tx_pkt_uninit(s->tx_pkt);
+- vmxnet_rx_pkt_uninit(s->rx_pkt);
++ vmxnet3_deactivate_device(s);
+ qemu_del_nic(s->nic);
+ }
+
+--
+2.4.3
+
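Review bot: In the new `vmxnet3_deactivate_device` body, `s->tx_pkt` and `s->rx_pkt` are left holding their old values after `vmxnet_tx_pkt_uninit(s->tx_pkt)` and `vmxnet_rx_pkt_uninit(s->rx_pkt)`, so the `device_active` flag is the only thing keeping a later path from touching the uninitialized objects. If the uninit helpers free the objects (not visible in this hunk), clearing the handles with `s->tx_pkt = NULL;` and `s->rx_pkt = NULL;` after the two calls would turn any such stale use into a deterministic fault rather than a use-after-free. The same reasoning applies to `vmxnet3_net_uninit`, which now relies on the flag to decide whether anything needs freeing; this is correct provided the packet objects are only ever initialized in `vmxnet3_activate_device`, which should be confirmed against the parts of the file outside this patch. A short comment on the `if (s->device_active)` guard in `vmxnet3_activate_device` noting that it exists to stop a guest from re-activating and leaking the previous allocations would document why the early return is there.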
--
2.1.4