[pve-devel] applied: [PATCH kvm] various fixes
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Nov 7 11:39:25 CET 2016
CVE-2016-8909:
audio: intel-hda: check stream entry count during transfer
CVE-2016-8910:
net: rtl8139: limit processing of ring descriptors
CVE-2016-9101:
net: eepro100: fix memory leak in device uninit
CVE-2016-9102:
9pfs: fix memory leak in v9fs_xattrcreate
CVE-2016-9103:
9pfs: fix information leak in xattr read
CVE-2016-9104:
9pfs: fix integer overflow issue in xattr read/write
CVE-2016-9105:
9pfs: fix memory leak in v9fs_link
CVE-2016-9106:
9pfs: fix memory leak in v9fs_write
---
...-hda-check-stream-entry-count-during-tran.patch | 39 +++++++++
...8139-limit-processing-of-ring-descriptors.patch | 34 ++++++++
...eepro100-fix-memory-leak-in-device-uninit.patch | 30 +++++++
...-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch | 34 ++++++++
...3-9pfs-fix-information-leak-in-xattr-read.patch | 32 ++++++++
...nteger-overflow-issue-in-xattr-read-write.patch | 92 ++++++++++++++++++++++
...16-9105-9pfs-fix-memory-leak-in-v9fs_link.patch | 32 ++++++++
...6-9106-9pfs-fix-memory-leak-in-v9fs_write.patch | 33 ++++++++
debian/patches/series | 8 ++
9 files changed, 334 insertions(+)
create mode 100644 debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
create mode 100644 debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
create mode 100644 debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
create mode 100644 debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
create mode 100644 debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
create mode 100644 debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
create mode 100644 debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
create mode 100644 debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
diff --git a/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch b/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
new file mode 100644
index 0000000..d8102b3
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
@@ -0,0 +1,39 @@
+From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 20 Oct 2016 13:10:24 +0530
+Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
+ transfer
+
+Intel HDA emulator uses stream of buffers during DMA data
+transfers. Each entry has buffer length and buffer pointer
+position, which are used to derive bytes to 'copy'. If this
+length and buffer pointer were to be same, 'copy' could be
+set to zero(0), leading to an infinite loop. Add check to
+avoid it.
+
+Reported-by: Huawei PSIRT <psirt at huawei.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com>
+Message-id: 1476949224-6865-1-git-send-email-ppandit at redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/audio/intel-hda.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index cd95340..537face 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+ }
+
+ left = len;
+- while (left > 0) {
++ s = st->bentries;
++ while (left > 0 && s-- > 0) {
+ copy = left;
+ if (copy > st->bsize - st->lpib)
+ copy = st->bsize - st->lpib;
+--
+2.1.4
+
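Review bot: In the intel_hda_xfer hunk, `while (left > 0 && s-- > 0)` caps the loop at st->bentries iterations but never tests the condition the commit message names, a `copy` of zero derived from `st->bsize - st->lpib`. A zero-length pass still executes the loop body until the counter expires, and the loop can now end with `left` greater than zero without any visible signal to the caller. Consider breaking out as soon as `copy` is 0 and making sure the code after the loop treats a non-zero `left` as a short transfer. The declaration of `s` is outside the hunk, so its type should be checked against that of st->bentries.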
diff --git a/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch b/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
new file mode 100644
index 0000000..eedbd17
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
@@ -0,0 +1,34 @@
+From 8dea1624f9166d9dd52074c98f744e4a1e13a616 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Fri, 21 Oct 2016 17:39:29 +0530
+Subject: [PATCH 2/8] net: rtl8139: limit processing of ring descriptors
+
+RTL8139 ethernet controller in C+ mode supports multiple
+descriptor rings, each with maximum of 64 descriptors. While
+processing transmit descriptor ring in 'rtl8139_cplus_transmit',
+it does not limit the descriptor count and runs forever. Add
+check to avoid it.
+
+Reported-by: Andrew Henderson <hendersa at icculus.org>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 3345bc6..f05e59c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
+ {
+ int txcount = 0;
+
+- while (rtl8139_cplus_transmit_one(s))
++ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
+ {
+ ++txcount;
+ }
+--
+2.1.4
+
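Review bot: The bound in `while (txcount < 64 && rtl8139_cplus_transmit_one(s))` is a bare literal. The commit message explains it as the maximum of 64 descriptors per ring, but that reasoning is absent from the code; a named constant or a short comment next to the loop would keep the limit tied to the ring size. It is also worth confirming that descriptors left unprocessed when the cap is hit are picked up on the next transmit trigger rather than stalled.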
diff --git a/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch b/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
new file mode 100644
index 0000000..0ae895a
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
@@ -0,0 +1,30 @@
+From 1fab838b55ee7cc199b105d80de4a80f336231b3 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Sat, 8 Oct 2016 05:07:25 -0700
+Subject: [PATCH 3/8] net: eepro100: fix memory leak in device uninit
+
+The exit dispatch of eepro100 network card device doesn't free
+the 's->vmstate' field which was allocated in device realize thus
+leading a host memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/eepro100.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index bab4dbf..4bf71f2 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
+ EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
+
+ vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
++ g_free(s->vmstate);
+ eeprom93xx_free(&pci_dev->qdev, s->eeprom);
+ qemu_del_nic(s->nic);
+ }
+--
+2.1.4
+
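Review bot: In pci_nic_uninit, `g_free(s->vmstate);` leaves s->vmstate pointing at freed memory while eeprom93xx_free() and qemu_del_nic() still run on the same state afterwards. Freeing after vmstate_unregister() is the right order; setting the field to NULL immediately after the free would make any later use in the teardown path fail visibly instead of touching freed memory.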
diff --git a/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch b/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
new file mode 100644
index 0000000..cad4baf
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
@@ -0,0 +1,34 @@
+From f132108afabf074403afadf822ad2d2275d115cd Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 5/8] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 3becdd0..f5af4e3 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++ g_free(xattr_fidp->fs.xattr.value);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
+--
+2.1.4
+
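Review bot: The added `g_free(xattr_fidp->fs.xattr.value);` covers the value buffer, but the two context lines above it, `v9fs_string_init(&xattr_fidp->fs.xattr.name);` followed by `v9fs_string_copy(...)`, re-initialise the name on the same repeated-Txattrcreate path the commit message describes. If v9fs_string_init() only resets the struct, the previously copied name is dropped the same way the value was. Calling v9fs_string_free() on the name before the init, or rejecting a fid that already carries xattr state, would close both.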
diff --git a/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch b/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
new file mode 100644
index 0000000..7d84422
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
@@ -0,0 +1,32 @@
+From 644566ea6fe2896b6b171797cfe6e7219939d968 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 4/8] 9pfs: fix information leak in xattr read
+
+9pfs uses g_malloc() to allocate the xattr memory space, if the guest
+reads this memory before writing to it, this will leak host heap memory
+to the guest. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 75ba5f1..3becdd0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,7 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
+ out_nofid:
+--
+2.1.4
+
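Review bot: `g_malloc0(size)` removes the uninitialised read, but nothing in the visible context of v9fs_xattrcreate bounds `size`. If the value comes from the guest's request unchecked, each call now zeroes an allocation of guest-chosen length, and g_malloc0() aborts the process when the allocation fails. Confirm that `size` is capped earlier in the function, or add the limit next to this line.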
diff --git a/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch b/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
new file mode 100644
index 0000000..eec6b2a
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
@@ -0,0 +1,92 @@
+From 86a37b0a0ed8f32db819782ca4a367712ece1453 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Tue, 1 Nov 2016 12:00:40 +0100
+Subject: [PATCH 8/8] 9pfs: fix integer overflow issue in xattr read/write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
+originated offset: they must ensure this offset does not go beyond
+the size of the extended attribute that was set in v9fs_xattrcreate().
+Unfortunately, the current code implement these checks with unsafe
+calculations on 32 and 64 bit values, which may allow a malicious
+guest to cause OOB access anyway.
+
+Fix this by comparing the offset and the xattr size, which are
+both uint64_t, before trying to compute the effective number of bytes
+to read or write.
+
+Suggested-by: Greg Kurz <groug at kaod.org>
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+Reviewed-By: Guido Günther <agx at sigxcpu.org>
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index af07846..fc4f2cd 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ ssize_t err;
+ size_t offset = 7;
+- int read_count;
+- int64_t xattr_len;
++ uint64_t read_count;
+ V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
+ VirtQueueElement *elem = v->elems[pdu->idx];
+
+- xattr_len = fidp->fs.xattr.len;
+- read_count = xattr_len - off;
++ if (fidp->fs.xattr.len < off) {
++ read_count = 0;
++ } else {
++ read_count = fidp->fs.xattr.len - off;
++ }
+ if (read_count > max_count) {
+ read_count = max_count;
+- } else if (read_count < 0) {
+- /*
+- * read beyond XATTR value
+- */
+- read_count = 0;
+ }
+ err = pdu_marshal(pdu, offset, "d", read_count);
+ if (err < 0) {
+@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ int i, to_copy;
+ ssize_t err = 0;
+- int write_count;
+- int64_t xattr_len;
++ uint64_t write_count;
+ size_t offset = 7;
+
+
+- xattr_len = fidp->fs.xattr.len;
+- write_count = xattr_len - off;
+- if (write_count > count) {
+- write_count = count;
+- } else if (write_count < 0) {
+- /*
+- * write beyond XATTR value len specified in
+- * xattrcreate
+- */
++ if (fidp->fs.xattr.len < off) {
+ err = -ENOSPC;
+ goto out;
+ }
++ write_count = fidp->fs.xattr.len - off;
++ if (write_count > count) {
++ write_count = count;
++ }
+ err = pdu_marshal(pdu, offset, "d", write_count);
+ if (err < 0) {
+ return err;
+--
+2.1.4
+
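Review bot: read_count and write_count become uint64_t, yet both are still handed to the unchanged calls `pdu_marshal(pdu, offset, "d", read_count)` and `pdu_marshal(pdu, offset, "d", write_count)`. If the "d" format pulls a 32-bit value from the variadic arguments, the argument width no longer matches what is passed. After the clamp against max_count or count the value fits, so an explicit cast at the call, or a separate 32-bit variable for the clamped result, would make the width correct by construction. In v9fs_xattr_write, `to_copy` also stays `int` next to the new uint64_t write_count, so the copy loop below the hunk should be checked for mixed signed and unsigned comparisons.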
diff --git a/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch b/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
new file mode 100644
index 0000000..9138249
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
@@ -0,0 +1,32 @@
+From 94979ec1a852871eaee150cb56f0e8cac4316e35 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 6/8] 9pfs: fix memory leak in v9fs_link
+
+The v9fs_link() function keeps a reference on the source fid object. This
+causes a memory leak since the reference never goes down to 0. This patch
+fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index f5af4e3..aa2b8c0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2403,6 +2403,7 @@ static void v9fs_link(void *opaque)
+ if (!err) {
+ err = offset;
+ }
++ put_fid(pdu, oldfidp);
+ out:
+ put_fid(pdu, dfidp);
+ out_nofid:
+--
+2.1.4
+
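Review bot: `put_fid(pdu, oldfidp);` sits above the `out:` label, so any `goto out` taken after oldfidp has been acquired skips it and keeps the reference this patch is meant to drop. The hunk does not show the earlier part of v9fs_link; confirm that the only jump to `out` involving oldfidp is the one where its lookup failed, or move the release under a label of its own so every exit path passes through it.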
diff --git a/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch b/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
new file mode 100644
index 0000000..3ee8b50
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
@@ -0,0 +1,33 @@
+From 2c5bcb2d5f32ffcf5064d3557e44836fa70700be Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s at 360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 7/8] 9pfs: fix memory leak in v9fs_write
+
+If an error occurs when marshalling the transfer length to the guest, the
+v9fs_write() function doesn't free an IO vector, thus leading to a memory
+leak. This patch fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Greg Kurz <groug at kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug at kaod.org>
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index aa2b8c0..af07846 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
+ offset = 7;
+ err = pdu_marshal(pdu, offset, "d", total);
+ if (err < 0) {
+- goto out;
++ goto out_qiov;
+ }
+ err += offset;
+ trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
+--
+2.1.4
+
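Review bot: The `out_qiov` label that `goto out_qiov;` now targets is not shown in the hunk. Confirm that it releases the IO vector and then falls through to `out`, because this error path previously reached `out` directly and the cleanup there must still run. A one-line comment at the label stating which resources each exit frees would make the ordering easy to verify.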
diff --git a/debian/patches/series b/debian/patches/series
index d025009..6c1c308 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -66,3 +66,11 @@ extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
+extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
+extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
+extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
+extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
+extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
+extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
+extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
+extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
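Review bot: The order of the added series entries does not follow the upstream order given by the `[PATCH n/8]` subjects and the index lines of the 9pfs patches (75ba5f1..3becdd0, 3becdd0..f5af4e3, f5af4e3..aa2b8c0, aa2b8c0..af07846, af07846..fc4f2cd). Here CVE-2016-9105 (6/8) is listed before CVE-2016-9102 (5/8), and CVE-2016-8910 (2/8) before CVE-2016-8909 (1/8). The out-of-order patches touch different functions or files, so they should still apply, but with line offsets in hw/9pfs/9p.c. Listing them in upstream order would let each patch apply at its recorded position and make future rebases easier to check.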
--
2.1.4