[pve-devel] [stable-3 kvm] fix CVE-2016-1714 - fw_cfg oob r/w access

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Jan 13 10:20:38 CET 2016


---
 ...w_cfg-add-check-to-validate-current-entry.patch | 50 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 debian/patches/CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch

diff --git a/debian/patches/CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch b/debian/patches/CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch
new file mode 100644
index 0000000..011d65f
--- /dev/null
+++ b/debian/patches/CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch
@@ -0,0 +1,50 @@
+From: Prasad J Pandit <pjp at fedoraproject.org>
+
+When processing firmware configurations, an OOB r/w access occurs
+if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff).
+Add a check to validate 's->cur_entry' to avoid such access.
+
+Reported-by: Donghai Zdh <donghai.zdh at alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/nvram/fw_cfg.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index 68eff77..ce026bc 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -233,12 +233,15 @@ static void fw_cfg_reboot(FWCfgState *s)
+ static void fw_cfg_write(FWCfgState *s, uint8_t value)
+ {
+     int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+-    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++    FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++                     &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+ 
+     trace_fw_cfg_write(s, value);
+ 
+-    if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback &&
+-        s->cur_offset < e->len) {
++    if (s->cur_entry != FW_CFG_INVALID
++        && s->cur_entry & FW_CFG_WRITE_CHANNEL
++        && e->callback
++        && s->cur_offset < e->len) {
+         e->data[s->cur_offset++] = value;
+         if (s->cur_offset == e->len) {
+             e->callback(e->callback_opaque, e->data);
+@@ -267,7 +270,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
+ static uint8_t fw_cfg_read(FWCfgState *s)
+ {
+     int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+-    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++    FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++                     &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+     uint8_t ret;
+ 
+     if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
+-- 
+2.4.3
+
+
+
diff --git a/debian/patches/series b/debian/patches/series
index 868bfd4..393a35e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -51,3 +51,4 @@ CVE-2015-8743-ne2000-ioport-bounds-check.patch
 CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
 CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
 CVE-2015-8619-hmp-sendkey-oob-fix.patch
+CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch
-- 
2.1.4





More information about the pve-devel mailing list