[pve-devel] [PATCH kvm 1/2] fix various CVEs

Wolfgang Bumiller w.bumiller at proxmox.com
Tue May 31 16:33:32 CEST 2016


CVE-2016-5105: scsi: megasas: initialise local configuration data buffer
CVE-2016-5106: scsi: megasas: use appropriate property buffer size
CVE-2016-5107: scsi: megasas: check 'read_queue_head' index value
CVE-2016-5126: block/iscsi: avoid potential overflow of acb->task->cdb
CVE-2016-4454:
  vmsvga: move fifo sanity checks to vmsvga_fifo_length
  vmsvga: add more fifo checks
  vmsvga: shadow fifo registers
CVE-2016-4453:
  vmsvga: don't process more than 1024 fifo commands at once
---
 ...-fifo-sanity-checks-to-vmsvga_fifo_length.patch |  71 ++++++++++
 .../extra/0005-vmsvga-add-more-fifo-checks.patch   |  37 ++++++
 .../extra/0006-vmsvga-shadow-fifo-registers.patch  | 144 +++++++++++++++++++++
 ...t-process-more-than-1024-fifo-commands-at.patch |  44 +++++++
 ...s-initialise-local-configuration-data-buf.patch |  38 ++++++
 ...asas-use-appropriate-property-buffer-size.patch |  38 ++++++
 ...megasas-check-read_queue_head-index-value.patch |  40 ++++++
 ...-avoid-potential-overflow-of-acb-task-cdb.patch |  41 ++++++
 debian/patches/series                              |   8 ++
 9 files changed, 461 insertions(+)
 create mode 100644 debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
 create mode 100644 debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch
 create mode 100644 debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch
 create mode 100644 debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
 create mode 100644 debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
 create mode 100644 debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
 create mode 100644 debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
 create mode 100644 debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch

diff --git a/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch b/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
new file mode 100644
index 0000000..8182db1
--- /dev/null
+++ b/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
@@ -0,0 +1,71 @@
+From 4aa79a8818711d475bd79b906cd7d060d4e8a441 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Mon, 30 May 2016 09:09:18 +0200
+Subject: [PATCH 4/9] vmsvga: move fifo sanity checks to vmsvga_fifo_length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sanity checks are applied when the fifo is enabled by the guest
+(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
+changes the fifo registers afterwards.  Move the checks to
+vmsvga_fifo_length so they are done each time qemu is about to read
+from the fifo.
+
+Fixes: CVE-2016-4454
+Cc: P J P <ppandit at redhat.com>
+Reported-by: 李强 <liqiang6-s at 360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/display/vmware_vga.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 9354037..3ce1717 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -553,6 +553,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+     if (!s->config || !s->enable) {
+         return 0;
+     }
++
++    /* Check range and alignment.  */
++    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
++        return 0;
++    }
++    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
++        return 0;
++    }
++    if (CMD(max) > SVGA_FIFO_SIZE) {
++        return 0;
++    }
++    if (CMD(max) < CMD(min) + 10 * 1024) {
++        return 0;
++    }
++
+     num = CMD(next_cmd) - CMD(stop);
+     if (num < 0) {
+         num += CMD(max) - CMD(min);
+@@ -1003,19 +1018,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
+     case SVGA_REG_CONFIG_DONE:
+         if (value) {
+             s->fifo = (uint32_t *) s->fifo_ptr;
+-            /* Check range and alignment.  */
+-            if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+-                break;
+-            }
+-            if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+-                break;
+-            }
+-            if (CMD(max) > SVGA_FIFO_SIZE) {
+-                break;
+-            }
+-            if (CMD(max) < CMD(min) + 10 * 1024) {
+-                break;
+-            }
+             vga_dirty_log_stop(&s->vga);
+         }
+         s->config = !!value;
+-- 
+2.1.4
+
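Review bot: Every one of the four new checks in vmsvga_fifo_length makes a malformed header silently report a length of 0, and because this function now runs on every display update a guest with a corrupt or hostile fifo header produces no diagnostic at all. Since the checks exist to catch guest misbehaviour, a (rate-limited) trace point or a one-line comment on the first `return 0;` such as `/* bad fifo header: treat the fifo as empty until the guest fixes it */` would make the condition observable to whoever debugs a stalled guest display. The values are still read from guest-writable memory at each use here; that is tackled by the later shadow-register patch in this series, so nothing more to do in this hunk. The enclosing vmsvga_fifo_length body begins before the hunk.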
diff --git a/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch b/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch
new file mode 100644
index 0000000..59fa672
--- /dev/null
+++ b/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch
@@ -0,0 +1,37 @@
+From aafca5995f11e0cd69e0607bfb7b3b7333f96be8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Mon, 30 May 2016 09:09:19 +0200
+Subject: [PATCH 5/9] vmsvga: add more fifo checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make sure all fifo ptrs are within range.
+
+Fixes: CVE-2016-4454
+Cc: P J P <ppandit at redhat.com>
+Reported-by: 李强 <liqiang6-s at 360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/display/vmware_vga.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 3ce1717..f2663ee 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -561,7 +561,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+     if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+         return 0;
+     }
+-    if (CMD(max) > SVGA_FIFO_SIZE) {
++    if (CMD(max) > SVGA_FIFO_SIZE ||
++        CMD(min) >= SVGA_FIFO_SIZE ||
++        CMD(stop) >= SVGA_FIFO_SIZE ||
++        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
+         return 0;
+     }
+     if (CMD(max) < CMD(min) + 10 * 1024) {
+-- 
+2.1.4
+
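Review bot: The extended condition bounds `min`, `stop` and `next_cmd` by SVGA_FIFO_SIZE but does not require `stop` and `next_cmd` to lie inside the ring window [min, max), which the wrap arithmetic further down (`num += CMD(max) - CMD(min)`) assumes; a header with `stop < min` therefore yields a length that does not describe the ring, although, assuming the buffer behind `s->fifo` is at least SVGA_FIFO_SIZE bytes (the `fifo_size` field is not visible here, worth confirming), every read stays in bounds. Placing the `CMD(min) >= SVGA_FIFO_SIZE` test before the `CMD(max) < CMD(min) + 10 * 1024` comparison also keeps that addition from wrapping, which is easy to lose in a later reorder. A comment above the condition would pin both facts: `/* Bound every pointer by the buffer size: this alone keeps fifo reads in range and keeps the min + 10K test below from wrapping; [min, max) membership is not enforced. */`. The enclosing function starts before the hunk.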
diff --git a/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch b/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch
new file mode 100644
index 0000000..402e952
--- /dev/null
+++ b/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch
@@ -0,0 +1,144 @@
+From a2273296a948a2f6f36d858c18893315030702d6 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Mon, 30 May 2016 09:09:20 +0200
+Subject: [PATCH 6/9] vmsvga: shadow fifo registers
+
+The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
+access the fifo in parallel without syncronization.  Which in turn
+implies we can't use the fifo pointers in-place because the guest
+can try changing them underneath us.  So add shadows for them, to
+make sure the guest can't modify them after we've applied sanity
+checks.
+
+Fixes: CVE-2016-4454
+Cc: P J P <ppandit at redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index f2663ee..99e128b 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -64,17 +64,11 @@ struct vmsvga_state_s {
+     uint8_t *fifo_ptr;
+     unsigned int fifo_size;
+ 
+-    union {
+-        uint32_t *fifo;
+-        struct QEMU_PACKED {
+-            uint32_t min;
+-            uint32_t max;
+-            uint32_t next_cmd;
+-            uint32_t stop;
+-            /* Add registers here when adding capabilities.  */
+-            uint32_t fifo[0];
+-        } *cmd;
+-    };
++    uint32_t *fifo;
++    uint32_t fifo_min;
++    uint32_t fifo_max;
++    uint32_t fifo_next;
++    uint32_t fifo_stop;
+ 
+ #define REDRAW_FIFO_LEN  512
+     struct vmsvga_rect_s {
+@@ -196,7 +190,7 @@ enum {
+      */
+     SVGA_FIFO_MIN = 0,
+     SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
+-    SVGA_FIFO_NEXT_CMD,
++    SVGA_FIFO_NEXT,
+     SVGA_FIFO_STOP,
+ 
+     /*
+@@ -544,8 +538,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ }
+ #endif
+ 
+-#define CMD(f)  le32_to_cpu(s->cmd->f)
+-
+ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+ {
+     int num;
+@@ -554,38 +546,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+         return 0;
+     }
+ 
++    s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
++    s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
++    s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
++    s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
++
+     /* Check range and alignment.  */
+-    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
++    if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
+         return 0;
+     }
+-    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
++    if (s->fifo_min < sizeof(uint32_t) * 4) {
+         return 0;
+     }
+-    if (CMD(max) > SVGA_FIFO_SIZE ||
+-        CMD(min) >= SVGA_FIFO_SIZE ||
+-        CMD(stop) >= SVGA_FIFO_SIZE ||
+-        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
++    if (s->fifo_max > SVGA_FIFO_SIZE ||
++        s->fifo_min >= SVGA_FIFO_SIZE ||
++        s->fifo_stop >= SVGA_FIFO_SIZE ||
++        s->fifo_next >= SVGA_FIFO_SIZE) {
+         return 0;
+     }
+-    if (CMD(max) < CMD(min) + 10 * 1024) {
++    if (s->fifo_max < s->fifo_min + 10 * 1024) {
+         return 0;
+     }
+ 
+-    num = CMD(next_cmd) - CMD(stop);
++    num = s->fifo_next - s->fifo_stop;
+     if (num < 0) {
+-        num += CMD(max) - CMD(min);
++        num += s->fifo_max - s->fifo_min;
+     }
+     return num >> 2;
+ }
+ 
+ static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
+ {
+-    uint32_t cmd = s->fifo[CMD(stop) >> 2];
++    uint32_t cmd = s->fifo[s->fifo_stop >> 2];
+ 
+-    s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
+-    if (CMD(stop) >= CMD(max)) {
+-        s->cmd->stop = s->cmd->min;
++    s->fifo_stop += 4;
++    if (s->fifo_stop >= s->fifo_max) {
++        s->fifo_stop = s->fifo_min;
+     }
++    s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
+     return cmd;
+ }
+ 
+@@ -605,7 +603,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+     len = vmsvga_fifo_length(s);
+     while (len > 0) {
+         /* May need to go back to the start of the command if incomplete */
+-        cmd_start = s->cmd->stop;
++        cmd_start = s->fifo_stop;
+ 
+         switch (cmd = vmsvga_fifo_read(s)) {
+         case SVGA_CMD_UPDATE:
+@@ -764,7 +762,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+             break;
+ 
+         rewind:
+-            s->cmd->stop = cmd_start;
++            s->fifo_stop = cmd_start;
++            s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
+             break;
+         }
+     }
+-- 
+2.1.4
+
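Review bot: The new lower-bound test `s->fifo_min < sizeof(uint32_t) * 4` replaces the offset that was previously derived from the packed struct with a bare 4, and nothing now ties that 4 to the four header registers listed in the enum; a comment such as `/* MIN, MAX, NEXT, STOP occupy the first four fifo words; commands must start after them */` (or a named constant next to SVGA_FIFO_STOP) would keep the two in step when a register is added. The shadowing itself defends against the guest rewriting the header between check and use only if each `le32_to_cpu(s->fifo[...])` is materialised as one load; the description says vcpu threads write this RAM concurrently, so these plain reads are a data race in the C memory model and the compiler is free to re-read the location, which is presumably why QEMU otherwise uses a dedicated single-access load helper for guest-shared memory — worth confirming and noting above the four shadow assignments. Note also that vmsvga_fifo_read_raw and the rewind label write the shadow back with `s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);`, so the guest-visible STOP is a mirror, not the source of truth; a one-line comment there would save the next reader from assuming the old in-place semantics.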
diff --git a/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch b/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
new file mode 100644
index 0000000..4c4f486
--- /dev/null
+++ b/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
@@ -0,0 +1,44 @@
+From 6e964a410da04c4519a4e1e3e7196bc7dcfd59b7 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Mon, 30 May 2016 09:09:21 +0200
+Subject: [PATCH 7/9] vmsvga: don't process more than 1024 fifo commands at
+ once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+vmsvga_fifo_run is called in regular intervals (on each display update)
+and will resume where it left off.  So we can simply exit the loop,
+without having to worry about how processing will continue.
+
+Fixes: CVE-2016-4453
+Cc: P J P <ppandit at redhat.com>
+Reported-by: 李强 <liqiang6-s at 360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/display/vmware_vga.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 99e128b..b143a86 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -595,13 +595,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
+ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ {
+     uint32_t cmd, colour;
+-    int args, len;
++    int args, len, maxloop = 1024;
+     int x, y, dx, dy, width, height;
+     struct vmsvga_cursor_definition_s cursor;
+     uint32_t cmd_start;
+ 
+     len = vmsvga_fifo_length(s);
+-    while (len > 0) {
++    while (len > 0 && --maxloop > 0) {
+         /* May need to go back to the start of the command if incomplete */
+         cmd_start = s->fifo_stop;
+ 
+-- 
+2.1.4
+
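Review bot: `while (len > 0 && --maxloop > 0)` pre-decrements, so at most 1023 commands are processed per call, not the 1024 the subject line states; either `maxloop-- > 0` or a comment on the initialiser (`int args, len, maxloop = 1024; /* bound work per display update; processing resumes at fifo_stop next time */`) would remove the ambiguity. The literal 1024 is a tuning limit that a reader cannot tell from a protocol constant, so an enum or `#define` next to REDRAW_FIFO_LEN would be clearer. The loop body and the handling of `len` continue beyond the hunk.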
diff --git a/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch b/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
new file mode 100644
index 0000000..e6be3b5
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
@@ -0,0 +1,38 @@
+From e74703fab04c39c9a01385bbe3d79e47f7db4ccb Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 25 May 2016 17:41:44 +0530
+Subject: [PATCH 1/9] scsi: megasas: initialise local configuration data buffer
+
+When reading MegaRAID SAS controller configuration via MegaRAID
+Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
+uses an uninitialised local data buffer. Initialise this buffer
+to avoid stack information leakage.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Message-Id: <1464178304-12831-1-git-send-email-ppandit at redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+
+Notes:
+    CVE-2016-5105
+
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 576f56c..8526c01 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -1292,7 +1292,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
+ 
+ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
+ {
+-    uint8_t data[4096];
++    uint8_t data[4096] = { 0 };
+     struct mfi_config_data *info;
+     int num_pd_disks = 0, array_offset, ld_offset;
+     BusChild *kid;
+-- 
+2.1.4
+
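Review bot: `uint8_t data[4096] = { 0 };` reads like an optional initialiser and a later cleanup could drop it, reintroducing the leak the commit message describes; a why-comment on the line, e.g. `/* zeroed: the buffer is copied out to the guest, so pad bytes must not carry stack contents */`, would protect the fix. The 4096 itself is a bare magic size; if it reflects an MFI buffer limit, naming it makes the later copy-out bound (outside this hunk) easier to audit against it. The body of megasas_dcmd_cfg_read continues past the hunk.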
diff --git a/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch b/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
new file mode 100644
index 0000000..c4c2523
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
@@ -0,0 +1,38 @@
+From fdcbd7ebf09947c2b65cbb10366eba6382e3c0d6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 25 May 2016 16:01:29 +0530
+Subject: [PATCH 2/9] scsi: megasas: use appropriate property buffer size
+
+When setting MegaRAID SAS controller properties via MegaRAID
+Firmware Interface(MFI) commands, a user supplied size parameter
+is used to set property value. Use appropriate size value to avoid
+OOB access issues.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Message-Id: <1464172291-2856-2-git-send-email-ppandit at redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+
+Notes:
+    CVE-2016-5106
+
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 8526c01..05c72b0 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -1445,7 +1445,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
+                                             dcmd_size);
+         return MFI_STAT_INVALID_PARAMETER;
+     }
+-    dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
++    dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
+     trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
+     return MFI_STAT_OK;
+ }
+-- 
+2.1.4
+
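Review bot: The write is now bounded by `dcmd_size`, so its safety depends entirely on the validation whose tail is visible above (`return MFI_STAT_INVALID_PARAMETER;`) rejecting any `dcmd_size` larger than `sizeof(info)`; the start of that check lies outside the hunk, so this is worth confirming, and a comment on the changed line would record the contract: `dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); /* dcmd_size validated above; cmd->iov_size is guest-supplied and may exceed sizeof(info) */`. The trace on the following line still reports `cmd->iov_size` rather than the size actually copied; presumably deliberate, but a reader correlating traces with behaviour may be misled, so either note it or pass `dcmd_size` there as well. The enclosing megasas_dcmd_set_properties begins before the hunk.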
diff --git a/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch b/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
new file mode 100644
index 0000000..6321e22
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
@@ -0,0 +1,40 @@
+From 97f8f06928e2a0d3db6157f6cd8dcf3b002dfb9f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 25 May 2016 17:55:10 +0530
+Subject: [PATCH 3/9] scsi: megasas: check 'read_queue_head' index value
+
+While doing MegaRAID SAS controller command frame lookup, routine
+'megasas_lookup_frame' uses 'read_queue_head' value as an index
+into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
+within array bounds to avoid any OOB access.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Message-Id: <1464179110-18593-1-git-send-email-ppandit at redhat.com>
+Reviewed-by: Alexander Graf <agraf at suse.de>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+
+Notes:
+    CVE-2016-5107
+
+ hw/scsi/megasas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 05c72b0..ebbe270 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -649,7 +649,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
+     pa_hi = le32_to_cpu(initq->pi_addr_hi);
+     s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
+     s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
++    s->reply_queue_head %= MEGASAS_MAX_FRAMES;
+     s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
++    s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
+     flags = le32_to_cpu(initq->flags);
+     if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
+         s->flags |= MEGASAS_MASK_USE_QUEUE64;
+-- 
+2.1.4
+
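Review bot: The subject and description refer to 'read_queue_head', but the two added lines wrap `s->reply_queue_head` and `s->reply_queue_tail`; the patch file name and series entry carry the mismatch too, so the commit text should name the fields it touches. The `%= MEGASAS_MAX_FRAMES` silently remaps any out-of-range guest-supplied index instead of failing the init, which is a valid choice but should be stated: `s->reply_queue_head %= MEGASAS_MAX_FRAMES; /* guest-supplied: wrap into frames[] rather than trust it */`. The declared type of these fields is not visible here; if they are signed, a negative value loaded by `ldl_le_pci_dma` stays negative after `%` and the index is still out of bounds, so confirm the type or mask through an unsigned cast. The enclosing megasas_init_firmware starts before the hunk.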
diff --git a/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch b/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
new file mode 100644
index 0000000..e0e2262
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
@@ -0,0 +1,41 @@
+From f684109f3a14cfe0c7a9aa7b478dd6da67ea6b6c Mon Sep 17 00:00:00 2001
+From: Peter Lieven <pl at kamp.de>
+Date: Tue, 24 May 2016 10:59:28 +0200
+Subject: [PATCH 8/9] block/iscsi: avoid potential overflow of acb->task->cdb
+
+at least in the path via virtio-blk the maximum size is not
+restricted.
+
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Peter Lieven <pl at kamp.de>
+Message-Id: <1464080368-29584-1-git-send-email-pl at kamp.de>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+
+Notes:
+    CVE-2016-5126
+
+ block/iscsi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index bd1f1bf..e424f7d 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -834,6 +834,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
+         return &acb->common;
+     }
+ 
++    if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
++        error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
++                     acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
++        qemu_aio_unref(acb);
++        return NULL;
++    }
++
+     acb->task = malloc(sizeof(struct scsi_task));
+     if (acb->task == NULL) {
+         error_report("iSCSI: Failed to allocate task for scsi command. %s",
+-- 
+2.1.4
+
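Review bot: The new guard unrefs the acb and returns NULL, whereas the error path immediately above it (`return &acb->common;`) keeps the acb and hands it back to the caller, so the function now has two conventions for reporting a bad request; if every caller of the aio ioctl entry point already handles a NULL return this is fine, otherwise aligning the new branch with the existing one (set the error status and complete the acb) is the safer shape — worth confirming, as the callers are outside the hunk. A short comment on the check would also help, e.g. `/* cmd_len comes from the guest; libiscsi's task cdb is SCSI_CDB_MAX_SIZE bytes */`, since the description only says the virtio-blk path does not limit it. The enclosing iscsi_aio_ioctl begins before the hunk.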
diff --git a/debian/patches/series b/debian/patches/series
index fe89dd1..10e5d46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -55,3 +55,11 @@ extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
 extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
 extra/0001-vga-add-sr_vbe-register-set.patch
 extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
+extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
+extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
+extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
+extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
+extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
+extra/0005-vmsvga-add-more-fifo-checks.patch
+extra/0006-vmsvga-shadow-fifo-registers.patch
+extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
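Review bot: The eight entries form two strict chains — the vmsvga patches go 9354037→3ce1717→f2663ee→99e128b→b143a86 and the megasas ones 576f56c→8526c01→05c72b0→ebbe270 per their index lines — so their relative order in series cannot change without breaking the later patches' context. A `#` comment line above the group, e.g. `# CVE-2016-4453/4454 (vmsvga) and CVE-2016-5105/5106/5107 (megasas): ordered chains, keep together`, would make that constraint visible to whoever next edits this file. The numbering inside the patch files (1/9 … 9/9) differs from the order used here, which is harmless but may confuse a reader diffing against upstream.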
-- 
2.1.4




