[pve-devel] [stable-3 kvm] fix CVE-2016-1714 - fw_cfg oob r/w access
Wolfgang Bumiller
w.bumiller at proxmox.com
Wed Jan 13 10:20:38 CET 2016
---
...w_cfg-add-check-to-validate-current-entry.patch | 50 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 51 insertions(+)
create mode 100644 debian/patches/CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch
diff --git a/debian/patches/CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch b/debian/patches/CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch
new file mode 100644
index 0000000..011d65f
--- /dev/null
+++ b/debian/patches/CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch
@@ -0,0 +1,50 @@
+From: Prasad J Pandit <pjp at fedoraproject.org>
+
+When processing firmware configurations, an OOB r/w access occurs
+if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff).
+Add a check to validate 's->cur_entry' to avoid such access.
+
+Reported-by: Donghai Zdh <donghai.zdh at alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/nvram/fw_cfg.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index 68eff77..ce026bc 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -233,12 +233,15 @@ static void fw_cfg_reboot(FWCfgState *s)
+ static void fw_cfg_write(FWCfgState *s, uint8_t value)
+ {
+ int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+
+ trace_fw_cfg_write(s, value);
+
+- if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback &&
+- s->cur_offset < e->len) {
++ if (s->cur_entry != FW_CFG_INVALID
++ && s->cur_entry & FW_CFG_WRITE_CHANNEL
++ && e->callback
++ && s->cur_offset < e->len) {
+ e->data[s->cur_offset++] = value;
+ if (s->cur_offset == e->len) {
+ e->callback(e->callback_opaque, e->data);
+@@ -267,7 +270,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
+ static uint8_t fw_cfg_read(FWCfgState *s)
+ {
+ int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+ uint8_t ret;
+
+ if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
+--
+2.4.3
+
+
+
diff --git a/debian/patches/series b/debian/patches/series
index 868bfd4..393a35e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -51,3 +51,4 @@ CVE-2015-8743-ne2000-ioport-bounds-check.patch
CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
CVE-2015-8619-hmp-sendkey-oob-fix.patch
+CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch
--
2.1.4
More information about the pve-devel
mailing list