[pve-devel] [stable-3 kvm] Fix CVE-2016-2841, CVE-2016-2857, CVE-2016-2858
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Mar 7 11:13:27 CET 2016
CVE-2016-2841: net: ne2000: check ring buffer control registers
CVE-2016-2857: net: check packet payload length
CVE-2016-2858: rng: add request queue support to rng-random
---
...move-the-unused-request-cancellation-code.patch | 98 +++++++++++
...e-request-queue-from-RngEgd-to-RngBackend.patch | 135 ++++++++++++++++
...quest-queue-cleanup-from-RngEgd-to-RngBac.patch | 163 +++++++++++++++++++
...ask-for-more-data-if-queue-is-not-fully-d.patch | 47 ++++++
...e2000-check-ring-buffer-control-registers.patch | 37 +++++
...2016-2857-net-check-packet-payload-length.patch | 47 ++++++
...g-add-request-queue-support-to-rng-random.patch | 179 +++++++++++++++++++++
debian/patches/series | 7 +
8 files changed, 713 insertions(+)
create mode 100644 debian/patches/0001-rng-remove-the-unused-request-cancellation-code.patch
create mode 100644 debian/patches/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
create mode 100644 debian/patches/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
create mode 100644 debian/patches/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
create mode 100644 debian/patches/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
create mode 100644 debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch
create mode 100644 debian/patches/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
diff --git a/debian/patches/0001-rng-remove-the-unused-request-cancellation-code.patch b/debian/patches/0001-rng-remove-the-unused-request-cancellation-code.patch
new file mode 100644
index 0000000..5db5a8e
--- /dev/null
+++ b/debian/patches/0001-rng-remove-the-unused-request-cancellation-code.patch
@@ -0,0 +1,98 @@
+From d615099455e3a6cc71c17182cabd851d4340354d Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 09:37:15 +0100
+Subject: [PATCH 1/5] rng: remove the unused request cancellation code
+
+rng_backend_cancel_requests had no callers and none of the code
+deleted in this commit ever ran.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456994238-9585-2-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ backends/rng-egd.c | 12 ------------
+ backends/rng.c | 9 ---------
+ include/sysemu/rng.h | 11 -----------
+ 3 files changed, 32 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 6c13409..3c6362e 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -124,17 +124,6 @@ static void rng_egd_free_requests(RngEgd *s)
+ s->requests = NULL;
+ }
+
+-static void rng_egd_cancel_requests(RngBackend *b)
+-{
+- RngEgd *s = RNG_EGD(b);
+-
+- /* We simply delete the list of pending requests. If there is data in the
+- * queue waiting to be read, this is okay, because there will always be
+- * more data than we requested originally
+- */
+- rng_egd_free_requests(s);
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+ RngEgd *s = RNG_EGD(b);
+@@ -212,7 +201,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data)
+ RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
+
+ rbc->request_entropy = rng_egd_request_entropy;
+- rbc->cancel_requests = rng_egd_cancel_requests;
+ rbc->opened = rng_egd_opened;
+ }
+
+diff --git a/backends/rng.c b/backends/rng.c
+index 5065fdc..5d1876c 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ }
+ }
+
+-void rng_backend_cancel_requests(RngBackend *s)
+-{
+- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
+-
+- if (k->cancel_requests) {
+- k->cancel_requests(s);
+- }
+-}
+-
+ static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
+ {
+ RngBackend *s = RNG_BACKEND(obj);
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 0a27c9b..c7da17d 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -38,7 +38,6 @@ struct RngBackendClass
+
+ void (*request_entropy)(RngBackend *s, size_t size,
+ EntropyReceiveFunc *receive_entropy, void *opaque);
+- void (*cancel_requests)(RngBackend *s);
+
+ void (*opened)(RngBackend *s, Error **errp);
+ };
+@@ -69,14 +68,4 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ EntropyReceiveFunc *receive_entropy,
+ void *opaque);
+-
+-/**
+- * rng_backend_cancel_requests:
+- * @s: the backend to cancel all pending requests in
+- *
+- * Cancels all pending requests submitted by @rng_backend_request_entropy. This
+- * should be used by a device during reset or in preparation for live migration
+- * to stop tracking any request.
+- */
+-void rng_backend_cancel_requests(RngBackend *s);
+ #endif
+--
+2.1.4
+
diff --git a/debian/patches/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch b/debian/patches/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
new file mode 100644
index 0000000..a9d6e4b
--- /dev/null
+++ b/debian/patches/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
@@ -0,0 +1,135 @@
+From 8cd5c28840888a32dab08ef1387864723c092a1d Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 09:37:16 +0100
+Subject: [PATCH 2/5] rng: move request queue from RngEgd to RngBackend
+
+The 'requests' field now lives in the RngBackend parent class.
+There are no functional changes in this commit.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456994238-9585-3-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ backends/rng-egd.c | 28 +++++++++-------------------
+ include/sysemu/rng.h | 11 +++++++++++
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 3c6362e..19eee70 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -24,19 +24,8 @@ typedef struct RngEgd
+
+ CharDriverState *chr;
+ char *chr_name;
+-
+- GSList *requests;
+ } RngEgd;
+
+-typedef struct RngRequest
+-{
+- EntropyReceiveFunc *receive_entropy;
+- uint8_t *data;
+- void *opaque;
+- size_t offset;
+- size_t size;
+-} RngRequest;
+-
+ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+ EntropyReceiveFunc *receive_entropy,
+ void *opaque)
+@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+ size -= len;
+ }
+
+- s->requests = g_slist_append(s->requests, req);
++ s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+ static void rng_egd_free_request(RngRequest *req)
+@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *opaque)
+ GSList *i;
+ int size = 0;
+
+- for (i = s->requests; i; i = i->next) {
++ for (i = s->parent.requests; i; i = i->next) {
+ RngRequest *req = i->data;
+ size += req->size - req->offset;
+ }
+@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+ RngEgd *s = RNG_EGD(opaque);
+ size_t buf_offset = 0;
+
+- while (size > 0 && s->requests) {
+- RngRequest *req = s->requests->data;
++ while (size > 0 && s->parent.requests) {
++ RngRequest *req = s->parent.requests->data;
+ int len = MIN(size, req->size - req->offset);
+
+ memcpy(req->data + req->offset, buf + buf_offset, len);
+@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+ size -= len;
+
+ if (req->offset == req->size) {
+- s->requests = g_slist_remove_link(s->requests, s->requests);
++ s->parent.requests = g_slist_remove_link(s->parent.requests,
++ s->parent.requests);
+
+ req->receive_entropy(req->opaque, req->data, req->size);
+
+@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd *s)
+ {
+ GSList *i;
+
+- for (i = s->requests; i; i = i->next) {
++ for (i = s->parent.requests; i; i = i->next) {
+ rng_egd_free_request(i->data);
+ }
+
+- g_slist_free(s->requests);
+- s->requests = NULL;
++ g_slist_free(s->parent.requests);
++ s->parent.requests = NULL;
+ }
+
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index c7da17d..084164c 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -25,6 +25,7 @@
+ #define RNG_BACKEND_CLASS(klass) \
+ OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
+
++typedef struct RngRequest RngRequest;
+ typedef struct RngBackendClass RngBackendClass;
+ typedef struct RngBackend RngBackend;
+
+@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
+ const void *data,
+ size_t size);
+
++struct RngRequest
++{
++ EntropyReceiveFunc *receive_entropy;
++ uint8_t *data;
++ void *opaque;
++ size_t offset;
++ size_t size;
++};
++
+ struct RngBackendClass
+ {
+ ObjectClass parent_class;
+@@ -48,6 +58,7 @@ struct RngBackend
+
+ /*< protected >*/
+ bool opened;
++ GSList *requests;
+ };
+
+ /**
+--
+2.1.4
+
diff --git a/debian/patches/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch b/debian/patches/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
new file mode 100644
index 0000000..d14453a
--- /dev/null
+++ b/debian/patches/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
@@ -0,0 +1,163 @@
+From 33809b9b455fa58d9c011bec6aac462204169560 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 09:37:17 +0100
+Subject: [PATCH 3/5] rng: move request queue cleanup from RngEgd to RngBackend
+
+RngBackend is now in charge of cleaning up the linked list on
+instance finalization. It also exposes a function to finalize
+individual RngRequest instances, called by its child classes.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456994238-9585-4-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ backends/rng-egd.c | 25 +------------------------
+ backends/rng.c | 32 ++++++++++++++++++++++++++++++++
+ include/sysemu/rng.h | 12 ++++++++++++
+ 3 files changed, 45 insertions(+), 24 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 19eee70..08301a7 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+ s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+-static void rng_egd_free_request(RngRequest *req)
+-{
+- g_free(req->data);
+- g_free(req);
+-}
+-
+ static int rng_egd_chr_can_read(void *opaque)
+ {
+ RngEgd *s = RNG_EGD(opaque);
+@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
+ size -= len;
+
+ if (req->offset == req->size) {
+- s->parent.requests = g_slist_remove_link(s->parent.requests,
+- s->parent.requests);
+-
+ req->receive_entropy(req->opaque, req->data, req->size);
+
+- rng_egd_free_request(req);
++ rng_backend_finalize_request(&s->parent, req);
+ }
+ }
+ }
+
+-static void rng_egd_free_requests(RngEgd *s)
+-{
+- GSList *i;
+-
+- for (i = s->parent.requests; i; i = i->next) {
+- rng_egd_free_request(i->data);
+- }
+-
+- g_slist_free(s->parent.requests);
+- s->parent.requests = NULL;
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+ RngEgd *s = RNG_EGD(b);
+@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj)
+ }
+
+ g_free(s->chr_name);
+-
+- rng_egd_free_requests(s);
+ }
+
+ static void rng_egd_class_init(ObjectClass *klass, void *data)
+diff --git a/backends/rng.c b/backends/rng.c
+index 5d1876c..0d9978b 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp)
+ s->opened = true;
+ }
+
++static void rng_backend_free_request(RngRequest *req)
++{
++ g_free(req->data);
++ g_free(req);
++}
++
++static void rng_backend_free_requests(RngBackend *s)
++{
++ GSList *i;
++
++ for (i = s->requests; i; i = i->next) {
++ rng_backend_free_request(i->data);
++ }
++
++ g_slist_free(s->requests);
++ s->requests = NULL;
++}
++
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
++{
++ s->requests = g_slist_remove(s->requests, req);
++ rng_backend_free_request(req);
++}
++
+ static void rng_backend_init(Object *obj)
+ {
+ object_property_add_bool(obj, "opened",
+@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj)
+ NULL);
+ }
+
++static void rng_backend_finalize(Object *obj)
++{
++ RngBackend *s = RNG_BACKEND(obj);
++
++ rng_backend_free_requests(s);
++}
++
+ static void rng_backend_class_init(ObjectClass *oc, void *data)
+ {
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info = {
+ .parent = TYPE_OBJECT,
+ .instance_size = sizeof(RngBackend),
+ .instance_init = rng_backend_init,
++ .instance_finalize = rng_backend_finalize,
+ .class_size = sizeof(RngBackendClass),
+ .class_init = rng_backend_class_init,
+ .abstract = true,
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 084164c..c2c9035 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -61,6 +61,7 @@ struct RngBackend
+ GSList *requests;
+ };
+
++
+ /**
+ * rng_backend_request_entropy:
+ * @s: the backend to request entropy from
+@@ -79,4 +80,15 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ EntropyReceiveFunc *receive_entropy,
+ void *opaque);
++
++/**
++ * rng_backend_free_request:
++ * @s: the backend that created the request
++ * @req: the request to finalize
++ *
++ * Used by child rng backend classes to finalize requests once they've been
++ * processed. The request is removed from the list of active requests and
++ * deleted.
++ */
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
+ #endif
+--
+2.1.4
+
diff --git a/debian/patches/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch b/debian/patches/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
new file mode 100644
index 0000000..3f48a29
--- /dev/null
+++ b/debian/patches/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
@@ -0,0 +1,47 @@
+From b5f29c3cdd14243de19d974320f49fb3bdd37a6d Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 10:48:34 +0100
+Subject: [PATCH 5/5] virtio-rng: ask for more data if queue is not fully
+ drained
+
+This commit effectively reverts:
+
+ commit 4621c1768ef5d12171cca2aa1473595ecb9f1c9e
+ Author: Amit Shah <amit.shah at redhat.com>
+ Date: Wed Nov 21 11:21:19 2012 +0530
+
+ virtio-rng: remove extra request for entropy
+
+but instead of calling virtio_rng_process unconditionally, it
+first checks to see if the queue is empty as a little bit of
+optimization.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456998514-19271-1-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ hw/virtio/virtio-rng.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c
+index 97d1541..3124461 100644
+--- a/hw/virtio/virtio-rng.c
++++ b/hw/virtio/virtio-rng.c
+@@ -66,6 +66,13 @@ static void chr_read(void *opaque, const void *buf, size_t size)
+ trace_virtio_rng_pushed(vrng, len);
+ }
+ virtio_notify(vdev, vrng->vq);
++
++ if (!virtio_queue_empty(vrng->vq)) {
++ /* If we didn't drain the queue, call virtio_rng_process
++ * to take care of asking for more data as appropriate.
++ */
++ virtio_rng_process(vrng);
++ }
+ }
+
+ static void virtio_rng_process(VirtIORNG *vrng)
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch b/debian/patches/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
new file mode 100644
index 0000000..e312716
--- /dev/null
+++ b/debian/patches/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
@@ -0,0 +1,37 @@
+From 1f42922e61feff85f92e4eef77a50d1bc0c2498e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 24 Feb 2016 11:41:33 +0530
+Subject: [PATCH] net: ne2000: check ring buffer control registers
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. Registers PSTART & PSTOP
+define ring buffer size & location. Setting these registers
+to invalid values could lead to infinite loop or OOB r/w
+access issues. Add check to avoid it.
+
+Reported-by: Yang Hongke <yanghongke at huawei.com>
+Tested-by: Yang Hongke <yanghongke at huawei.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/ne2000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 3ab2d03..a1c7f23 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s)
+ {
+ int avail, index, boundary;
+
++ if (s->stop <= s->start) {
++ return 1;
++ }
++
+ index = s->curpag << 8;
+ boundary = s->boundary << 8;
+ if (index < boundary)
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch b/debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch
new file mode 100644
index 0000000..58ee714
--- /dev/null
+++ b/debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch
@@ -0,0 +1,47 @@
+From 8878799dd147abb25f184e9a6c1133d65ac76e37 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 2 Mar 2016 17:29:58 +0530
+Subject: [PATCH] net: check packet payload length
+
+While computing IP checksum, 'net_checksum_calculate' reads
+payload length from the packet. It could exceed the given 'data'
+buffer size. Add a check to avoid it.
+
+Reported-by: Liu Ling <liuling-it at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ net/checksum.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/checksum.c b/net/checksum.c
+index 14c0855..0942437 100644
+--- a/net/checksum.c
++++ b/net/checksum.c
+@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
+ int hlen, plen, proto, csum_offset;
+ uint16_t csum;
+
++ /* Ensure data has complete L2 & L3 headers. */
++ if (length < 14 + 20) {
++ return;
++ }
++
+ if ((data[14] & 0xf0) != 0x40)
+ return; /* not IPv4 */
+ hlen = (data[14] & 0x0f) * 4;
+@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
+ return;
+ }
+
+- if (plen < csum_offset+2)
+- return;
++ if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
++ return;
++ }
+
+ data[14+hlen+csum_offset] = 0;
+ data[14+hlen+csum_offset+1] = 0;
+--
+2.1.4
+
diff --git a/debian/patches/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch b/debian/patches/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
new file mode 100644
index 0000000..305b8c8
--- /dev/null
+++ b/debian/patches/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
@@ -0,0 +1,179 @@
+From c33f9c1b4eb6142f6d49a72465395f111b6c968b Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek at redhat.com>
+Date: Thu, 3 Mar 2016 09:37:18 +0100
+Subject: [PATCH 4/5] rng: add request queue support to rng-random
+
+Requests are now created in the RngBackend parent class and the
+code path is shared by both rng-egd and rng-random.
+
+This commit fixes the rng-random implementation which processed
+only one request at a time and simply discarded all but the most
+recent one. In the guest this manifested as delayed completion
+of reads from virtio-rng, i.e. a read was completed only after
+another read was issued.
+
+By switching rng-random to use the same request queue as rng-egd,
+the unsafe stack-based allocation of the entropy buffer is
+eliminated and replaced with g_malloc.
+
+Signed-off-by: Ladi Prosek <lprosek at redhat.com>
+Reviewed-by: Amit Shah <amit.shah at redhat.com>
+Message-Id: <1456994238-9585-5-git-send-email-lprosek at redhat.com>
+Signed-off-by: Amit Shah <amit.shah at redhat.com>
+---
+ backends/rng-egd.c | 16 ++--------------
+ backends/rng-random.c | 43 +++++++++++++++++++------------------------
+ backends/rng.c | 13 ++++++++++++-
+ include/sysemu/rng.h | 3 +--
+ 4 files changed, 34 insertions(+), 41 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 08301a7..de6c8d4 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -26,20 +26,10 @@ typedef struct RngEgd
+ char *chr_name;
+ } RngEgd;
+
+-static void rng_egd_request_entropy(RngBackend *b, size_t size,
+- EntropyReceiveFunc *receive_entropy,
+- void *opaque)
++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
+ {
+ RngEgd *s = RNG_EGD(b);
+- RngRequest *req;
+-
+- req = g_malloc(sizeof(*req));
+-
+- req->offset = 0;
+- req->size = size;
+- req->receive_entropy = receive_entropy;
+- req->opaque = opaque;
+- req->data = g_malloc(req->size);
++ size_t size = req->size;
+
+ while (size > 0) {
+ uint8_t header[2];
+@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+
+ size -= len;
+ }
+-
+- s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+ static int rng_egd_chr_can_read(void *opaque)
+diff --git a/backends/rng-random.c b/backends/rng-random.c
+index 4e51f46..c2d8c03 100644
+--- a/backends/rng-random.c
++++ b/backends/rng-random.c
+@@ -21,10 +21,6 @@ struct RndRandom
+
+ int fd;
+ char *filename;
+-
+- EntropyReceiveFunc *receive_func;
+- void *opaque;
+- size_t size;
+ };
+
+ /**
+@@ -37,36 +33,35 @@ struct RndRandom
+ static void entropy_available(void *opaque)
+ {
+ RndRandom *s = RNG_RANDOM(opaque);
+- uint8_t buffer[s->size];
+- ssize_t len;
+
+- len = read(s->fd, buffer, s->size);
+- if (len < 0 && errno == EAGAIN) {
+- return;
+- }
+- g_assert(len != -1);
++ while (s->parent.requests != NULL) {
++ RngRequest *req = s->parent.requests->data;
++ ssize_t len;
++
++ len = read(s->fd, req->data, req->size);
++ if (len < 0 && errno == EAGAIN) {
++ return;
++ }
++ g_assert(len != -1);
+
+- s->receive_func(s->opaque, buffer, len);
+- s->receive_func = NULL;
++ req->receive_entropy(req->opaque, req->data, len);
+
++ rng_backend_finalize_request(&s->parent, req);
++ }
++
++ /* We've drained all requests, the fd handler can be reset. */
+ qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
+ }
+
+-static void rng_random_request_entropy(RngBackend *b, size_t size,
+- EntropyReceiveFunc *receive_entropy,
+- void *opaque)
++static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
+ {
+ RndRandom *s = RNG_RANDOM(b);
+
+- if (s->receive_func) {
+- s->receive_func(s->opaque, NULL, 0);
++ if (s->parent.requests == NULL) {
++ /* If there are no pending requests yet, we need to
++ * install our fd handler. */
++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+-
+- s->receive_func = receive_entropy;
+- s->opaque = opaque;
+- s->size = size;
+-
+- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+
+ static void rng_random_opened(RngBackend *b, Error **errp)
+diff --git a/backends/rng.c b/backends/rng.c
+index 0d9978b..4066268 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ void *opaque)
+ {
+ RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
++ RngRequest *req;
+
+ if (k->request_entropy) {
+- k->request_entropy(s, size, receive_entropy, opaque);
++ req = g_malloc(sizeof(*req));
++
++ req->offset = 0;
++ req->size = size;
++ req->receive_entropy = receive_entropy;
++ req->opaque = opaque;
++ req->data = g_malloc(req->size);
++
++ k->request_entropy(s, req);
++
++ s->requests = g_slist_append(s->requests, req);
+ }
+ }
+
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index c2c9035..a7ed580 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -46,8 +46,7 @@ struct RngBackendClass
+ {
+ ObjectClass parent_class;
+
+- void (*request_entropy)(RngBackend *s, size_t size,
+- EntropyReceiveFunc *receive_entropy, void *opaque);
++ void (*request_entropy)(RngBackend *s, RngRequest *req);
+
+ void (*opened)(RngBackend *s, Error **errp);
+ };
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index f8e218f..77fe977 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -66,3 +66,10 @@ CVE-2015-8817-exec-Respect-as_tranlsate_internal-length-clamp.patch
0002-exec-do-not-clamp-accesses-to-MMIO-regions.patch
CVE-2015-8818-exec-skip-MMIO-regions-correctly-in-cpu_physical_mem.patch
0004-exec-clamp-accesses-against-the-MemoryRegionSection.patch
+CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch
+CVE-2016-2857-net-check-packet-payload-length.patch
+0001-rng-remove-the-unused-request-cancellation-code.patch
+0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch
+0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch
+0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
+CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
--
2.1.4
More information about the pve-devel
mailing list