[pve-devel] applied: [PATCH kvm 2/2] various fixes
Wolfgang Bumiller
w.bumiller at proxmox.com
Fri Oct 21 09:51:31 CEST 2016
CVE-2016-8668:
net: rocker: set limit to DMA buffer size
CVE-2016-8669:
char: serial: check divider value against baud base
---
...8-net-rocker-set-limit-to-DMA-buffer-size.patch | 34 +++++++++++++++++++++
...ial-check-divider-value-against-baud-base.patch | 35 ++++++++++++++++++++++
debian/patches/series | 2 ++
3 files changed, 71 insertions(+)
create mode 100644 debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
create mode 100644 debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
diff --git a/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch b/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
new file mode 100644
index 0000000..be0743d
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
@@ -0,0 +1,34 @@
+From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 12 Oct 2016 14:40:55 +0530
+Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size
+
+Rocker network switch emulator has test registers to help debug
+DMA operations. While testing host DMA access, a buffer address
+is written to register 'TEST_DMA_ADDR' and its size is written to
+register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
+test, if DMA buffer size was greater than 'INT_MAX', it leads to
+an invalid buffer access. Limit the DMA buffer size to avoid it.
+
+Reported-by: Huawei PSIRT <psirt at huawei.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/net/rocker/rocker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index 30f2ce4..e9d215a 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
+ rocker_msix_irq(r, val);
+ break;
+ case ROCKER_TEST_DMA_SIZE:
+- r->test_dma_size = val;
++ r->test_dma_size = val & 0xFFFF;
+ break;
+ case ROCKER_TEST_DMA_ADDR + 4:
+ r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
+--
+2.1.4
+
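Review bot: In the ROCKER_TEST_DMA_SIZE case, `val & 0xFFFF` is an unexplained magic mask, and it wraps oversized values instead of rejecting them: a guest write of 0x10000 is stored as size 0 and 0x10001 as size 1. The commit message describes the problem as sizes greater than INT_MAX, so the choice of a 64 KiB ceiling needs a stated rationale. Consider a named constant with a comment, and either clamping to that maximum or ignoring out-of-range writes, so the stored size never silently differs from what the guest wrote. The TEST_DMA_CTRL_INVERT path that consumes the size is not touched by this hunk; a bounds check at the point of use would make the fix independent of how the register was written.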
diff --git a/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch b/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
new file mode 100644
index 0000000..4ccf213
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
@@ -0,0 +1,35 @@
+From 7e0ebfd13e55a706396197437f375692bbf75d15 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Wed, 12 Oct 2016 11:28:08 +0530
+Subject: [PATCH 2/2] char: serial: check divider value against baud base
+
+16550A UART device uses an oscillator to generate frequencies
+(baud base), which decide communication speed. This speed could
+be changed by dividing it by a divider. If the divider is
+greater than the baud base, speed is set to zero, leading to a
+divide by zero error. Add check to avoid it.
+
+Reported-by: Huawei PSIRT <psirt at huawei.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/char/serial.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 3442f47..eec72b7 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
+ int speed, parity, data_bits, stop_bits, frame_size;
+ QEMUSerialSetParams ssp;
+
+- if (s->divider == 0)
++ if (s->divider == 0 || s->divider > s->baudbase) {
+ return;
++ }
+
+ /* Start bit. */
+ frame_size = 1;
+--
+2.1.4
+
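Review bot: The new `s->divider > s->baudbase` condition in serial_update_parameters() carries no comment explaining why it is needed. Per the commit message, the computed speed becomes zero in that case and leads to a divide by zero, so a one-line comment above the check would keep it from later being removed as redundant. The early return also leaves the previously programmed serial parameters in effect with no trace; it is worth confirming that this is the intended behaviour for an out-of-range, guest-supplied divider.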
diff --git a/debian/patches/series b/debian/patches/series
index b870b21..2821c4c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -63,3 +63,5 @@ extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
+extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
+extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
--
2.1.4