[pve-devel] [stable-3 kvm] Fix CVE-2016-2841, CVE-2016-2857, CVE-2016-2858

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Mar 7 11:13:27 CET 2016


CVE-2016-2841: net: ne2000: check ring buffer control registers
CVE-2016-2857: net: check packet payload length
CVE-2016-2858: rng: add request queue support to rng-random
---
 ...move-the-unused-request-cancellation-code.patch |  98 +++++++++++
 ...e-request-queue-from-RngEgd-to-RngBackend.patch | 135 ++++++++++++++++
 ...quest-queue-cleanup-from-RngEgd-to-RngBac.patch | 163 +++++++++++++++++++
 ...ask-for-more-data-if-queue-is-not-fully-d.patch |  47 ++++++
 ...e2000-check-ring-buffer-control-registers.patch |  37 +++++
 ...2016-2857-net-check-packet-payload-length.patch |  47 ++++++
 ...g-add-request-queue-support-to-rng-random.patch | 179 +++++++++++++++++++++
 debian/patches/series                              |   7 +
 8 files changed, 713 insertions(+)
 create mode 100644 debian/patches/0001-rng-remove-the-unused-request-cancellation-code.patch
 create mode 100644 debian/patches/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
 create mode 100644 debian/patches/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
 create mode 100644 debian/patches/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
 create mode 100644 debian/patches/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
 create mode 100644 debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch
 create mode 100644 debian/patches/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch

diff --git a/debian/patches/0001-rng-remove-the-unused-request-cancellation-code.patch b/debian/patches/0001-rng-remove-the-unused-request-cancellation-code.patch
new file mode 100644
index 0000000..5db5a8e
--- /dev/null
+++ b/debian/patches/0001-rng-remove-the-unused-request-cancellation-code.patch
@@ -0,0 +1,98 @@
+From d615099455e3a6cc71c17182cabd851d4340354d Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 09:37:15 +0100
+Subject: [PATCH 1/5] rng: remove the unused request cancellation code
+
+rng_backend_cancel_requests had no callers and none of the code
+deleted in this commit ever ran.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456994238-9585-2-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ backends/rng-egd.c   | 12 ------------
+ backends/rng.c       |  9 ---------
+ include/sysemu/rng.h | 11 -----------
+ 3 files changed, 32 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 6c13409..3c6362e 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -124,17 +124,6 @@ static void rng_egd_free_requests(RngEgd *s)
+     s->requests = NULL;
+ }
+ 
+-static void rng_egd_cancel_requests(RngBackend *b)
+-{
+-    RngEgd *s = RNG_EGD(b);
+-
+-    /* We simply delete the list of pending requests.  If there is data in the 
+-     * queue waiting to be read, this is okay, because there will always be
+-     * more data than we requested originally
+-     */
+-    rng_egd_free_requests(s);
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+     RngEgd *s = RNG_EGD(b);
+@@ -212,7 +201,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data)
+     RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
+ 
+     rbc->request_entropy = rng_egd_request_entropy;
+-    rbc->cancel_requests = rng_egd_cancel_requests;
+     rbc->opened = rng_egd_opened;
+ }
+ 
+diff --git a/backends/rng.c b/backends/rng.c
+index 5065fdc..5d1876c 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
+     }
+ }
+ 
+-void rng_backend_cancel_requests(RngBackend *s)
+-{
+-    RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
+-
+-    if (k->cancel_requests) {
+-        k->cancel_requests(s);
+-    }
+-}
+-
+ static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
+ {
+     RngBackend *s = RNG_BACKEND(obj);
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 0a27c9b..c7da17d 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -38,7 +38,6 @@ struct RngBackendClass
+ 
+     void (*request_entropy)(RngBackend *s, size_t size,
+                             EntropyReceiveFunc *receive_entropy, void *opaque);
+-    void (*cancel_requests)(RngBackend *s);
+ 
+     void (*opened)(RngBackend *s, Error **errp);
+ };
+@@ -69,14 +68,4 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+                                  EntropyReceiveFunc *receive_entropy,
+                                  void *opaque);
+-
+-/**
+- * rng_backend_cancel_requests:
+- * @s: the backend to cancel all pending requests in
+- *
+- * Cancels all pending requests submitted by @rng_backend_request_entropy.  This
+- * should be used by a device during reset or in preparation for live migration
+- * to stop tracking any request.
+- */
+-void rng_backend_cancel_requests(RngBackend *s);
+ #endif
+-- 
+2.1.4
+
diff --git a/debian/patches/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch b/debian/patches/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
new file mode 100644
index 0000000..a9d6e4b
--- /dev/null
+++ b/debian/patches/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
@@ -0,0 +1,135 @@
+From 8cd5c28840888a32dab08ef1387864723c092a1d Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 09:37:16 +0100
+Subject: [PATCH 2/5] rng: move request queue from RngEgd to RngBackend
+
+The 'requests' field now lives in the RngBackend parent class.
+There are no functional changes in this commit.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456994238-9585-3-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ backends/rng-egd.c   | 28 +++++++++-------------------
+ include/sysemu/rng.h | 11 +++++++++++
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 3c6362e..19eee70 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -24,19 +24,8 @@ typedef struct RngEgd
+ 
+     CharDriverState *chr;
+     char *chr_name;
+-
+-    GSList *requests;
+ } RngEgd;
+ 
+-typedef struct RngRequest
+-{
+-    EntropyReceiveFunc *receive_entropy;
+-    uint8_t *data;
+-    void *opaque;
+-    size_t offset;
+-    size_t size;
+-} RngRequest;
+-
+ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+                                     EntropyReceiveFunc *receive_entropy,
+                                     void *opaque)
+@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+         size -= len;
+     }
+ 
+-    s->requests = g_slist_append(s->requests, req);
++    s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+ static void rng_egd_free_request(RngRequest *req)
+@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *opaque)
+     GSList *i;
+     int size = 0;
+ 
+-    for (i = s->requests; i; i = i->next) {
++    for (i = s->parent.requests; i; i = i->next) {
+         RngRequest *req = i->data;
+         size += req->size - req->offset;
+     }
+@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+     RngEgd *s = RNG_EGD(opaque);
+     size_t buf_offset = 0;
+ 
+-    while (size > 0 && s->requests) {
+-        RngRequest *req = s->requests->data;
++    while (size > 0 && s->parent.requests) {
++        RngRequest *req = s->parent.requests->data;
+         int len = MIN(size, req->size - req->offset);
+ 
+         memcpy(req->data + req->offset, buf + buf_offset, len);
+@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+         size -= len;
+ 
+         if (req->offset == req->size) {
+-            s->requests = g_slist_remove_link(s->requests, s->requests);
++            s->parent.requests = g_slist_remove_link(s->parent.requests,
++                                                     s->parent.requests);
+ 
+             req->receive_entropy(req->opaque, req->data, req->size);
+ 
+@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd *s)
+ {
+     GSList *i;
+ 
+-    for (i = s->requests; i; i = i->next) {
++    for (i = s->parent.requests; i; i = i->next) {
+         rng_egd_free_request(i->data);
+     }
+ 
+-    g_slist_free(s->requests);
+-    s->requests = NULL;
++    g_slist_free(s->parent.requests);
++    s->parent.requests = NULL;
+ }
+ 
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index c7da17d..084164c 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -25,6 +25,7 @@
+ #define RNG_BACKEND_CLASS(klass) \
+     OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
+ 
++typedef struct RngRequest RngRequest;
+ typedef struct RngBackendClass RngBackendClass;
+ typedef struct RngBackend RngBackend;
+ 
+@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
+                                   const void *data,
+                                   size_t size);
+ 
++struct RngRequest
++{
++    EntropyReceiveFunc *receive_entropy;
++    uint8_t *data;
++    void *opaque;
++    size_t offset;
++    size_t size;
++};
++
+ struct RngBackendClass
+ {
+     ObjectClass parent_class;
+@@ -48,6 +58,7 @@ struct RngBackend
+ 
+     /*< protected >*/
+     bool opened;
++    GSList *requests;
+ };
+ 
+ /**
+-- 
+2.1.4
+
diff --git a/debian/patches/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch b/debian/patches/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
new file mode 100644
index 0000000..d14453a
--- /dev/null
+++ b/debian/patches/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
@@ -0,0 +1,163 @@
+From 33809b9b455fa58d9c011bec6aac462204169560 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 09:37:17 +0100
+Subject: [PATCH 3/5] rng: move request queue cleanup from RngEgd to RngBackend
+
+RngBackend is now in charge of cleaning up the linked list on
+instance finalization. It also exposes a function to finalize
+individual RngRequest instances, called by its child classes.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456994238-9585-4-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ backends/rng-egd.c   | 25 +------------------------
+ backends/rng.c       | 32 ++++++++++++++++++++++++++++++++
+ include/sysemu/rng.h | 12 ++++++++++++
+ 3 files changed, 45 insertions(+), 24 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 19eee70..08301a7 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+     s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+-static void rng_egd_free_request(RngRequest *req)
+-{
+-    g_free(req->data);
+-    g_free(req);
+-}
+-
+ static int rng_egd_chr_can_read(void *opaque)
+ {
+     RngEgd *s = RNG_EGD(opaque);
+@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+         size -= len;
+ 
+         if (req->offset == req->size) {
+-            s->parent.requests = g_slist_remove_link(s->parent.requests,
+-                                                     s->parent.requests);
+-
+             req->receive_entropy(req->opaque, req->data, req->size);
+ 
+-            rng_egd_free_request(req);
++            rng_backend_finalize_request(&s->parent, req);
+         }
+     }
+ }
+ 
+-static void rng_egd_free_requests(RngEgd *s)
+-{
+-    GSList *i;
+-
+-    for (i = s->parent.requests; i; i = i->next) {
+-        rng_egd_free_request(i->data);
+-    }
+-
+-    g_slist_free(s->parent.requests);
+-    s->parent.requests = NULL;
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+     RngEgd *s = RNG_EGD(b);
+@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj)
+     }
+ 
+     g_free(s->chr_name);
+-
+-    rng_egd_free_requests(s);
+ }
+ 
+ static void rng_egd_class_init(ObjectClass *klass, void *data)
+diff --git a/backends/rng.c b/backends/rng.c
+index 5d1876c..0d9978b 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp)
+     s->opened = true;
+ }
+ 
++static void rng_backend_free_request(RngRequest *req)
++{
++    g_free(req->data);
++    g_free(req);
++}
++
++static void rng_backend_free_requests(RngBackend *s)
++{
++    GSList *i;
++
++    for (i = s->requests; i; i = i->next) {
++        rng_backend_free_request(i->data);
++    }
++
++    g_slist_free(s->requests);
++    s->requests = NULL;
++}
++
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
++{
++    s->requests = g_slist_remove(s->requests, req);
++    rng_backend_free_request(req);
++}
++
+ static void rng_backend_init(Object *obj)
+ {
+     object_property_add_bool(obj, "opened",
+@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj)
+                              NULL);
+ }
+ 
++static void rng_backend_finalize(Object *obj)
++{
++    RngBackend *s = RNG_BACKEND(obj);
++
++    rng_backend_free_requests(s);
++}
++
+ static void rng_backend_class_init(ObjectClass *oc, void *data)
+ {
+     UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info = {
+     .parent = TYPE_OBJECT,
+     .instance_size = sizeof(RngBackend),
+     .instance_init = rng_backend_init,
++    .instance_finalize = rng_backend_finalize,
+     .class_size = sizeof(RngBackendClass),
+     .class_init = rng_backend_class_init,
+     .abstract = true,
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 084164c..c2c9035 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -61,6 +61,7 @@ struct RngBackend
+     GSList *requests;
+ };
+ 
++
+ /**
+  * rng_backend_request_entropy:
+  * @s: the backend to request entropy from
+@@ -79,4 +80,15 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+                                  EntropyReceiveFunc *receive_entropy,
+                                  void *opaque);
++
++/**
++ * rng_backend_free_request:
++ * @s: the backend that created the request
++ * @req: the request to finalize
++ *
++ * Used by child rng backend classes to finalize requests once they've been
++ * processed. The request is removed from the list of active requests and
++ * deleted.
++ */
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
+ #endif
+-- 
+2.1.4
+
diff --git a/debian/patches/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch b/debian/patches/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
new file mode 100644
index 0000000..3f48a29
--- /dev/null
+++ b/debian/patches/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
@@ -0,0 +1,47 @@
+From b5f29c3cdd14243de19d974320f49fb3bdd37a6d Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 10:48:34 +0100
+Subject: [PATCH 5/5] virtio-rng: ask for more data if queue is not fully
+ drained
+
+This commit effectively reverts:
+
+  commit 4621c1768ef5d12171cca2aa1473595ecb9f1c9e
+  Author: Amit Shah <amit.shah at redhat.com>
+  Date:   Wed Nov 21 11:21:19 2012 +0530
+
+  virtio-rng: remove extra request for entropy
+
+but instead of calling virtio_rng_process unconditionally, it
+first checks to see if the queue is empty as a little bit of
+optimization.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456998514-19271-1-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ hw/virtio/virtio-rng.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c
+index 97d1541..3124461 100644
+--- a/hw/virtio/virtio-rng.c
++++ b/hw/virtio/virtio-rng.c
+@@ -66,6 +66,13 @@ static void chr_read(void *opaque, const void *buf, size_t size)
+         trace_virtio_rng_pushed(vrng, len);
+     }
+     virtio_notify(vdev, vrng->vq);
++
++    if (!virtio_queue_empty(vrng->vq)) {
++        /* If we didn't drain the queue, call virtio_rng_process
++         * to take care of asking for more data as appropriate.
++         */
++        virtio_rng_process(vrng);
++    }
+ }
+ 
+ static void virtio_rng_process(VirtIORNG *vrng)
+-- 
+2.1.4
+
diff --git a/debian/patches/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch b/debian/patches/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
new file mode 100644
index 0000000..e312716
--- /dev/null
+++ b/debian/patches/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
@@ -0,0 +1,37 @@
+From 1f42922e61feff85f92e4eef77a50d1bc0c2498e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 24 Feb 2016 11:41:33 +0530
+Subject: [PATCH] net: ne2000: check ring buffer control registers
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. Registers PSTART & PSTOP
+define ring buffer size & location. Setting these registers
+to invalid values could lead to infinite loop or OOB r/w
+access issues. Add check to avoid it.
+
+Reported-by: Yang Hongke <yanghongke at huawei.com>
+Tested-by: Yang Hongke <yanghongke at huawei.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/ne2000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 3ab2d03..a1c7f23 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s)
+ {
+     int avail, index, boundary;
+ 
++    if (s->stop <= s->start) {
++        return 1;
++    }
++
+     index = s->curpag << 8;
+     boundary = s->boundary << 8;
+     if (index < boundary)
+-- 
+2.1.4
+
diff --git a/debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch b/debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch
new file mode 100644
index 0000000..58ee714
--- /dev/null
+++ b/debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch
@@ -0,0 +1,47 @@
+From 8878799dd147abb25f184e9a6c1133d65ac76e37 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 2 Mar 2016 17:29:58 +0530
+Subject: [PATCH] net: check packet payload length
+
+While computing IP checksum, 'net_checksum_calculate' reads
+payload length from the packet. It could exceed the given 'data'
+buffer size. Add a check to avoid it.
+
+Reported-by: Liu Ling <liuling-it at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ net/checksum.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/checksum.c b/net/checksum.c
+index 14c0855..0942437 100644
+--- a/net/checksum.c
++++ b/net/checksum.c
+@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
+     int hlen, plen, proto, csum_offset;
+     uint16_t csum;
+ 
++    /* Ensure data has complete L2 & L3 headers. */
++    if (length < 14 + 20) {
++        return;
++    }
++
+     if ((data[14] & 0xf0) != 0x40)
+ 	return; /* not IPv4 */
+     hlen  = (data[14] & 0x0f) * 4;
+@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
+ 	return;
+     }
+ 
+-    if (plen < csum_offset+2)
+-	return;
++    if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
++        return;
++    }
+ 
+     data[14+hlen+csum_offset]   = 0;
+     data[14+hlen+csum_offset+1] = 0;
+-- 
+2.1.4
+
diff --git a/debian/patches/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch b/debian/patches/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
new file mode 100644
index 0000000..305b8c8
--- /dev/null
+++ b/debian/patches/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
@@ -0,0 +1,179 @@
+From c33f9c1b4eb6142f6d49a72465395f111b6c968b Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 09:37:18 +0100
+Subject: [PATCH 4/5] rng: add request queue support to rng-random
+
+Requests are now created in the RngBackend parent class and the
+code path is shared by both rng-egd and rng-random.
+
+This commit fixes the rng-random implementation which processed
+only one request at a time and simply discarded all but the most
+recent one. In the guest this manifested as delayed completion
+of reads from virtio-rng, i.e. a read was completed only after
+another read was issued.
+
+By switching rng-random to use the same request queue as rng-egd,
+the unsafe stack-based allocation of the entropy buffer is
+eliminated and replaced with g_malloc.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456994238-9585-5-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ backends/rng-egd.c    | 16 ++--------------
+ backends/rng-random.c | 43 +++++++++++++++++++------------------------
+ backends/rng.c        | 13 ++++++++++++-
+ include/sysemu/rng.h  |  3 +--
+ 4 files changed, 34 insertions(+), 41 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 08301a7..de6c8d4 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -26,20 +26,10 @@ typedef struct RngEgd
+     char *chr_name;
+ } RngEgd;
+ 
+-static void rng_egd_request_entropy(RngBackend *b, size_t size,
+-                                    EntropyReceiveFunc *receive_entropy,
+-                                    void *opaque)
++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
+ {
+     RngEgd *s = RNG_EGD(b);
+-    RngRequest *req;
+-
+-    req = g_malloc(sizeof(*req));
+-
+-    req->offset = 0;
+-    req->size = size;
+-    req->receive_entropy = receive_entropy;
+-    req->opaque = opaque;
+-    req->data = g_malloc(req->size);
++    size_t size = req->size;
+ 
+     while (size > 0) {
+         uint8_t header[2];
+@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+ 
+         size -= len;
+     }
+-
+-    s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+ static int rng_egd_chr_can_read(void *opaque)
+diff --git a/backends/rng-random.c b/backends/rng-random.c
+index 4e51f46..c2d8c03 100644
+--- a/backends/rng-random.c
++++ b/backends/rng-random.c
+@@ -21,10 +21,6 @@ struct RndRandom
+ 
+     int fd;
+     char *filename;
+-
+-    EntropyReceiveFunc *receive_func;
+-    void *opaque;
+-    size_t size;
+ };
+ 
+ /**
+@@ -37,36 +33,35 @@ struct RndRandom
+ static void entropy_available(void *opaque)
+ {
+     RndRandom *s = RNG_RANDOM(opaque);
+-    uint8_t buffer[s->size];
+-    ssize_t len;
+ 
+-    len = read(s->fd, buffer, s->size);
+-    if (len < 0 && errno == EAGAIN) {
+-        return;
+-    }
+-    g_assert(len != -1);
++    while (s->parent.requests != NULL) {
++        RngRequest *req = s->parent.requests->data;
++        ssize_t len;
++
++        len = read(s->fd, req->data, req->size);
++        if (len < 0 && errno == EAGAIN) {
++            return;
++        }
++        g_assert(len != -1);
+ 
+-    s->receive_func(s->opaque, buffer, len);
+-    s->receive_func = NULL;
++        req->receive_entropy(req->opaque, req->data, len);
+ 
++        rng_backend_finalize_request(&s->parent, req);
++    }
++
++    /* We've drained all requests, the fd handler can be reset. */
+     qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
+ }
+ 
+-static void rng_random_request_entropy(RngBackend *b, size_t size,
+-                                        EntropyReceiveFunc *receive_entropy,
+-                                        void *opaque)
++static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
+ {
+     RndRandom *s = RNG_RANDOM(b);
+ 
+-    if (s->receive_func) {
+-        s->receive_func(s->opaque, NULL, 0);
++    if (s->parent.requests == NULL) {
++        /* If there are no pending requests yet, we need to
++         * install our fd handler. */
++        qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+     }
+-
+-    s->receive_func = receive_entropy;
+-    s->opaque = opaque;
+-    s->size = size;
+-
+-    qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+ 
+ static void rng_random_opened(RngBackend *b, Error **errp)
+diff --git a/backends/rng.c b/backends/rng.c
+index 0d9978b..4066268 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
+                                  void *opaque)
+ {
+     RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
++    RngRequest *req;
+ 
+     if (k->request_entropy) {
+-        k->request_entropy(s, size, receive_entropy, opaque);
++        req = g_malloc(sizeof(*req));
++
++        req->offset = 0;
++        req->size = size;
++        req->receive_entropy = receive_entropy;
++        req->opaque = opaque;
++        req->data = g_malloc(req->size);
++
++        k->request_entropy(s, req);
++
++        s->requests = g_slist_append(s->requests, req);
+     }
+ }
+ 
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index c2c9035..a7ed580 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -46,8 +46,7 @@ struct RngBackendClass
+ {
+     ObjectClass parent_class;
+ 
+-    void (*request_entropy)(RngBackend *s, size_t size,
+-                            EntropyReceiveFunc *receive_entropy, void *opaque);
++    void (*request_entropy)(RngBackend *s, RngRequest *req);
+ 
+     void (*opened)(RngBackend *s, Error **errp);
+ };
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index f8e218f..77fe977 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -66,3 +66,10 @@ CVE-2015-8817-exec-Respect-as_tranlsate_internal-length-clamp.patch
 0002-exec-do-not-clamp-accesses-to-MMIO-regions.patch
 CVE-2015-8818-exec-skip-MMIO-regions-correctly-in-cpu_physical_mem.patch
 0004-exec-clamp-accesses-against-the-MemoryRegionSection.patch
+CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
+CVE-2016-2857-net-check-packet-payload-length.patch
+0001-rng-remove-the-unused-request-cancellation-code.patch
+0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
+0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
+0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
+CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
-- 
2.1.4





More information about the pve-devel mailing list