[pve-devel] [stable-3 kvm] Fix CVE-2016-1922: i386: avoid null pointer dereference

[Wolfgang Bumiller]

---
 ...-1922-i386-avoid-null-pointer-dereference.patch | 64 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 debian/patches/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch

diff --git a/debian/patches/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch b/debian/patches/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
new file mode 100644
index 0000000..e294b22
--- /dev/null
+++ b/debian/patches/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
@@ -0,0 +1,64 @@
+From 47568e18c6599962f711bc2ae3cc45fe6900130d Mon Sep 17 00:00:00 2001
+From: P J P <ppandit at redhat.com>
+Date: Fri, 18 Dec 2015 11:35:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+    Hello,
+
+A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
+occurs while doing I/O port write operations via hmp interface. In that,
+'current_cpu' remains null as it is not called from cpu_exec loop, which
+results in the said issue.
+
+Below is a proposed (tested)patch to fix this issue; Does it look okay?
+
+===
+From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Fri, 18 Dec 2015 11:16:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+When I/O port write operation is called from hmp interface,
+'current_cpu' remains null, as it is not called from cpu_exec()
+loop. This leads to a null pointer dereference in vapic_write
+routine. Add check to avoid it.
+
+Reported-by: Ling Liu <liuling-it at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Message-Id: <alpine.LFD.2.20.1512181129320.9805 at wniryva>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ hw/i386/kvmvapic.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index c6d34b2..f0922da 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
+ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
+                         unsigned int size)
+ {
+-    CPUState *cs = current_cpu;
+-    X86CPU *cpu = X86_CPU(cs);
+-    CPUX86State *env = &cpu->env;
+-    hwaddr rom_paddr;
+     VAPICROMState *s = opaque;
++    X86CPU *cpu;
++    CPUX86State *env;
++    hwaddr rom_paddr;
+ 
+-    cpu_synchronize_state(cs);
++    if (!current_cpu) {
++        return;
++    }
++
++    cpu_synchronize_state(current_cpu);
++    cpu = X86_CPU(current_cpu);
++    env = &cpu->env;
+ 
+     /*
+      * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 393a35e..41629b3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -52,3 +52,4 @@ CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
 CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
 CVE-2015-8619-hmp-sendkey-oob-fix.patch
 CVE-2016-1714-fw_cfg-add-check-to-validate-current-entry.patch
+CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
-- 
2.1.4