[pve-devel] [PATCH kvm] various fixes

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Oct 5 14:35:12 CEST 2016


CVE-2016-7161: hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
CVE-2016-7422: virtio: add check for descriptor's mapped address
CVE-2016-7907: net: imx: limit buffer descriptor count
CVE-2016-7908: net: mcf: limit buffer descriptor count
CVE-2016-7909: net: pcnet: check rx/tx descriptor ring length
---
 ...-a-heap-overflow-in-xlnx.xps-ethernetlite.patch | 35 +++++++++++++++
 ...add-check-for-descriptor-s-mapped-address.patch | 38 ++++++++++++++++
 ...907-net-imx-limit-buffer-descriptor-count.patch | 48 ++++++++++++++++++++
 ...908-net-mcf-limit-buffer-descriptor-count.patch | 52 ++++++++++++++++++++++
 ...-pcnet-check-rx-tx-descriptor-ring-length.patch | 36 +++++++++++++++
 debian/patches/series                              |  5 +++
 6 files changed, 214 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
 create mode 100644 debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
 create mode 100644 debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
 create mode 100644 debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
 create mode 100644 debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch

diff --git a/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch b/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
new file mode 100644
index 0000000..1c14d8c
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
@@ -0,0 +1,35 @@
+From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001
+From: chaojianhu <chaojianhu at hotmail.com>
+Date: Tue, 9 Aug 2016 11:52:54 +0800
+Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
+
+The .receive callback of xlnx.xps-ethernetlite doesn't check the length
+of data before calling memcpy. As a result, the NetClientState object in
+heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
+will be affected.
+
+Reported-by: chaojianhu <chaojianhu at hotmail.com>
+Signed-off-by: chaojianhu <chaojianhu at hotmail.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/xilinx_ethlite.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
+index bc846e7..12b7419 100644
+--- a/hw/net/xilinx_ethlite.c
++++ b/hw/net/xilinx_ethlite.c
+@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
+     }
+ 
+     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
++    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
++        D(qemu_log("ethlite packet is too big, size=%x\n", size));
++        return -1;
++    }
+     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
+ 
+     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
+-- 
+2.1.4
+
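Review bot: the new log line uses `%x` for `size`, which is a `size_t` (the preceding `D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));` already uses a size_t-aware specifier), so `D(qemu_log("ethlite packet is too big, size=%x\n", size));` should use `%zu` to avoid a format/argument mismatch on 64-bit hosts. The bound itself, `size > (R_MAX - R_RX_BUF0 - rxbase) * 4`, derives the remaining receive-buffer space in bytes from 32-bit register slots; a one-line comment stating that would make the intent auditable. Dropping the frame with `return -1` rather than truncating it into the register array is the right choice for a guest-reachable receive path.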
diff --git a/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch b/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
new file mode 100644
index 0000000..47e5135
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
@@ -0,0 +1,38 @@
+From 77b365c29e9bf143ee4c024daa9f6f0a13213376 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Mon, 19 Sep 2016 23:55:45 +0530
+Subject: [PATCH 1/5] virtio: add check for descriptor's mapped address
+
+virtio back end uses set of buffers to facilitate I/O operations.
+If its size is too large, 'cpu_physical_memory_map' could return
+a null address. This would result in a null dereference while
+un-mapping descriptors. Add check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Reviewed-by: Michael S. Tsirkin <mst at redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+Reviewed-by: Laszlo Ersek <lersek at redhat.com>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 111ad8e..75f5ada 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -471,6 +471,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
+         }
+ 
+         iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
++        if (!iov[num_sg].iov_base) {
++            error_report("virtio: bogus descriptor or out of resources");
++            exit(1);
++        }
++
+         iov[num_sg].iov_len = len;
+         addr[num_sg] = pa;
+ 
+-- 
+2.1.4
+
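Review bot: the added `exit(1)` turns a NULL dereference into a deliberate termination of the whole QEMU process, so a guest that hands the device an oversized or unmappable descriptor can still take down its own VM; that is an availability impact rather than a memory-safety one, and the commit message should say so explicitly. The check also fires only on the map side: segments already placed in `iov[]` before the failing entry are not unmapped before the exit, which is harmless here only because the process ends. If this tree offers a non-fatal path (failing the request and marking the device broken), it would be the better long-term fix.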
diff --git a/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch b/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
new file mode 100644
index 0000000..303a481
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
@@ -0,0 +1,48 @@
+From 53102ff7c9c928e2c778a6440f7039ee29dc5acf Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 22 Sep 2016 16:01:38 +0530
+Subject: [PATCH 3/5] net: imx: limit buffer descriptor count
+
+i.MX Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set an upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/net/imx_fec.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+index e60e338..547fa99 100644
+--- a/hw/net/imx_fec.c
++++ b/hw/net/imx_fec.c
+@@ -94,6 +94,8 @@ static const VMStateDescription vmstate_imx_fec = {
+ #define PHY_INT_PARFAULT            (1 << 2)
+ #define PHY_INT_AUTONEG_PAGE        (1 << 1)
+ 
++#define IMX_MAX_DESC                1024
++
+ static void imx_fec_update(IMXFECState *s);
+ 
+ /*
+@@ -264,12 +266,12 @@ static void imx_fec_update(IMXFECState *s)
+ 
+ static void imx_fec_do_tx(IMXFECState *s)
+ {
+-    int frame_size = 0;
++    int frame_size = 0, descnt = 0;
+     uint8_t frame[FEC_MAX_FRAME_SIZE];
+     uint8_t *ptr = frame;
+     uint32_t addr = s->tx_descriptor;
+ 
+-    while (1) {
++    while (descnt++ < IMX_MAX_DESC) {
+         IMXFECBufDesc bd;
+         int len;
+ 
+-- 
+2.1.4
+
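Review bot: when `descnt++ < IMX_MAX_DESC` stops the loop, the exit is silent: nothing records that the guest supplied a descriptor chain longer than 1024 entries, so a runaway chain is indistinguishable from a normal end of frame in the device's own diagnostics. A `qemu_log_mask(LOG_GUEST_ERROR, ...)` after the loop when the limit was reached would give operators a detection signal. The hunk also does not show what happens to the partially assembled `frame` once the limit is hit, and neither the commit message nor a comment next to `#define IMX_MAX_DESC                1024` justifies 1024 as the bound; a short comment there would help.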
diff --git a/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch b/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
new file mode 100644
index 0000000..2985778
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
@@ -0,0 +1,52 @@
+From 50e74d1c748bde8d667e452d4d7cac3d8f869520 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 22 Sep 2016 16:02:37 +0530
+Subject: [PATCH 4/5] net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/mcf_fec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index 7c0398e..6d3418e 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
+ 
++#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+ 
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+     uint32_t addr;
+     mcf_fec_bd bd;
+     int frame_size;
+-    int len;
++    int len, descnt = 0;
+     uint8_t frame[FEC_MAX_FRAME_SIZE];
+     uint8_t *ptr;
+ 
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+     ptr = frame;
+     frame_size = 0;
+     addr = s->tx_descriptor;
+-    while (1) {
++    while (descnt++ < FEC_MAX_DESC) {
+         mcf_fec_read_bd(&bd, addr);
+         DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+                 addr, bd.flags, bd.length, bd.data);
+-- 
+2.1.4
+
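Review bot: same concern as the imx change: `while (descnt++ < FEC_MAX_DESC)` ends the loop without any guest-error log or status bit when the 1024-descriptor limit is reached, and `#define FEC_MAX_DESC 1024` carries no comment explaining the bound. Since both controllers now share the same mitigation and the same constant, a single comment stating that the limit exists to terminate descriptor chains that never reach a terminating flag (the zero-length, crafted `bd.flags` case from the commit message) would make both fixes self-explanatory.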
diff --git a/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch b/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
new file mode 100644
index 0000000..fab98ba
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
@@ -0,0 +1,36 @@
+From 9d315a91caeb359045b2c730294bba3889911127 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Fri, 30 Sep 2016 00:27:33 +0530
+Subject: [PATCH 5/5] net: pcnet: check rx/tx descriptor ring length
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr. Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/net/pcnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 198a01f..3078de8 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
+     case 47: /* POLLINT */
+     case 72:
+     case 74:
++        break;
+     case 76: /* RCVRL */
+     case 78: /* XMTRL */
++        val = (val > 0) ? val : 512;
++        break;
+     case 112:
+        if (CSR_STOP(s) || CSR_SPND(s))
+            break;
+-- 
+2.1.4
+
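Review bot: the `break;` added after `case 74:` changes behaviour for CSR47, CSR72 and CSR74 as well: they no longer fall through into `case 112:` and its `if (CSR_STOP(s) || CSR_SPND(s))` gate, so writes to those registers are now accepted in states where they were previously subject to that check. If that is intentional it belongs in the commit message; if not, the `break` should be placed so that only CSR76/CSR78 are affected. Separately, `val = (val > 0) ? val : 512;` silently substitutes 512 for a zero ring length with no explanation of why 512 was chosen and no `qemu_log_mask(LOG_GUEST_ERROR, ...)`, so a guest hitting this path leaves no trace; and only the CSR write path is guarded here, so any other code that stores into `csr[76]`/`csr[78]` (not visible in this hunk) would need the same clamp to keep `pcnet_rdra_addr` out of the infinite loop the commit message describes.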
diff --git a/debian/patches/series b/debian/patches/series
index 5c17cf1..07cf5c4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -78,3 +78,8 @@ extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
 extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
 extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
 extra/x86-lapic-Load-LAPIC-state-at-post_load.patch
+extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
+extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
+extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
+extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
+extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
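Review bot: the five new entries are appended after `extra/x86-lapic-Load-LAPIC-state-at-post_load.patch` rather than next to the existing CVE-2016-74xx entries above it; the ordering is harmless because each patch's own diffstat shows it touching a different file, but grouping CVE patches together keeps the series easier to audit against the list in the commit message. Upstream numbered these `[PATCH 1/5]` (virtio) through `[PATCH 5/5]` (pcnet) while the series lists them by CVE id, which is fine for the same reason.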
-- 
2.1.4