From f0208c9e424033437f81781651d1f92290c19e44 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: May 26 2016 15:32:16 +0000 Subject: CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904) CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503) CVE-2016-4441: scsi: esb: OOB write #2 (bz #1337506) Fix regression installing windows 7 with qxl/vga (bz #1339267) Fix crash with aarch64 gic-version=host and accel=tcg (bz #1339977) --- diff --git a/0006-i386-kvmvapic-initialise-imm32-variable.patch b/0006-i386-kvmvapic-initialise-imm32-variable.patch new file mode 100644 index 0000000..67175b2 --- /dev/null +++ b/0006-i386-kvmvapic-initialise-imm32-variable.patch @@ -0,0 +1,32 @@ +From: Prasad J Pandit +Date: Thu, 7 Apr 2016 12:50:08 +0530 +Subject: [PATCH] i386: kvmvapic: initialise imm32 variable + +When processing Task Priorty Register(TPR) access, it could leak +automatic stack variable 'imm32' in patch_instruction(). +Initialise the variable to avoid it. + +Reported by: Donghai Zdh +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini + +(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0) +--- + hw/i386/kvmvapic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c +index c69f374..ff1e31a 100644 +--- a/hw/i386/kvmvapic.c ++++ b/hw/i386/kvmvapic.c +@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip) + CPUX86State *env = &cpu->env; + VAPICHandlers *handlers; + uint8_t opcode[2]; +- uint32_t imm32; ++ uint32_t imm32 = 0; + target_ulong current_pc = 0; + target_ulong current_cs_base = 0; + int current_flags = 0; diff --git a/0007-esp-check-command-buffer-length-before-write-CVE-201.patch b/0007-esp-check-command-buffer-length-before-write-CVE-201.patch new file mode 100644 index 0000000..c4dc4ca --- /dev/null +++ b/0007-esp-check-command-buffer-length-before-write-CVE-201.patch @@ -0,0 +1,39 @@ +From: Prasad J Pandit +Date: Thu, 19 May 2016 16:09:30 +0530 +Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439) + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. While +writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check +was missing to validate input length. Add check to avoid OOB write +access. + +Fixes CVE-2016-4439. + +Reported-by: Li Qiang +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef) +--- + hw/scsi/esp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 8961be2..01497e6 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) + break; + case ESP_FIFO: + if (s->do_cmd) { +- s->cmdbuf[s->cmdlen++] = val & 0xff; ++ if (s->cmdlen < TI_BUFSZ) { ++ s->cmdbuf[s->cmdlen++] = val & 0xff; ++ } else { ++ trace_esp_error_fifo_overrun(); ++ } + } else if (s->ti_size == TI_BUFSZ - 1) { + trace_esp_error_fifo_overrun(); + } else { diff --git a/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch b/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch new file mode 100644 index 0000000..a9ffaee --- /dev/null +++ b/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch @@ -0,0 +1,73 @@ +From: Prasad J Pandit +Date: Thu, 19 May 2016 16:09:31 +0530 +Subject: [PATCH] esp: check dma length before reading scsi + command(CVE-2016-4441) + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. +Routine get_cmd() uses DMA to read scsi commands into this buffer. +Add check to validate DMA length against buffer size to avoid any +overrun. + +Fixes CVE-2016-4441. + +Reported-by: Li Qiang +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90) +--- + hw/scsi/esp.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 01497e6..591c817 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) + } + } + +-static uint32_t get_cmd(ESPState *s, uint8_t *buf) ++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + { + uint32_t dmalen; + int target; +@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) + dmalen = s->rregs[ESP_TCLO]; + dmalen |= s->rregs[ESP_TCMID] << 8; + dmalen |= s->rregs[ESP_TCHI] << 16; ++ if (dmalen > buflen) { ++ return 0; ++ } + s->dma_memory_read(s->dma_opaque, buf, dmalen); + } else { + dmalen = s->ti_size; +@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) + s->dma_cb = handle_satn; + return; + } +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) + do_cmd(s, buf); + } +@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s) + s->dma_cb = handle_s_without_atn; + return; + } +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) { + do_busid_cmd(s, buf, 0); + } +@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s) + s->dma_cb = handle_satn_stop; + return; + } +- s->cmdlen = get_cmd(s, s->cmdbuf); ++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); + if (s->cmdlen) { + trace_esp_handle_satn_stop(s->cmdlen); + s->do_cmd = 1; diff --git a/0009-vga-add-sr_vbe-register-set.patch b/0009-vga-add-sr_vbe-register-set.patch new file mode 100644 index 0000000..8494fc8 --- /dev/null +++ b/0009-vga-add-sr_vbe-register-set.patch @@ -0,0 +1,233 @@ +From: Gerd Hoffmann +Date: Tue, 17 May 2016 10:54:54 +0200 +Subject: [PATCH] vga: add sr_vbe register set + +Commit "fd3c136 vga: make sure vga register setup for vbe stays intact +(CVE-2016-3712)." causes a regression. The win7 installer is unhappy +because it can't freely modify vga registers any more while in vbe mode. + +This patch introduces a new sr_vbe register set. The vbe_update_vgaregs +will fill sr_vbe[] instead of sr[]. Normal vga register reads and +writes go to sr[]. Any sr register read access happens through a new +sr() helper function which will read from sr_vbe[] with vbe active and +from sr[] otherwise. + +This way we can allow guests update sr[] registers as they want, without +allowing them disrupt vbe video modes that way. + +Cc: qemu-stable@nongnu.org +Reported-by: Thomas Lamprecht +Signed-off-by: Gerd Hoffmann +Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com +(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd) +--- + hw/display/vga.c | 50 ++++++++++++++++++++++++++++---------------------- + hw/display/vga_int.h | 1 + + 2 files changed, 29 insertions(+), 22 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 4a55ec6..9ebc54f 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s) + return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; + } + ++static inline uint8_t sr(VGACommonState *s, int idx) ++{ ++ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx]; ++} ++ + static void vga_update_memory_access(VGACommonState *s) + { + hwaddr base, offset, size; +@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s) + s->has_chain4_alias = false; + s->plane_updated = 0xf; + } +- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) == +- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { ++ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) == ++ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { + offset = 0; + switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) { + case 0: +@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s) + ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8); + vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf; + +- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1; ++ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1; + clock_sel = (s->msr >> 2) & 3; + dots = (s->msr & 1) ? 8 : 9; + +@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val) + printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); + #endif + s->sr[s->sr_index] = val & sr_mask[s->sr_index]; +- vbe_update_vgaregs(s); + if (s->sr_index == VGA_SEQ_CLOCK_MODE) { + s->update_retrace_info(s); + } +@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s) + + if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { + shift_control = 0; +- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ ++ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ + } else { + shift_control = 2; + /* set chain 4 mode */ +- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; ++ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; + /* activate all planes */ +- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; ++ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; + } + s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | + (shift_control << 5); +@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr) + break; + } + +- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { ++ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { + /* chain 4 mode : simplest access */ + assert(addr < s->vram_size); + ret = s->vram_ptr[addr]; +@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + break; + } + +- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { ++ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { + /* chain 4 mode : simplest access */ + plane = addr & 3; + mask = (1 << plane); +- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { ++ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) { + assert(addr < s->vram_size); + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM +@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + /* odd/even mode (aka text mode mapping) */ + plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); + mask = (1 << plane); +- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { ++ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) { + addr = ((addr & ~1) << 1) | plane; + if (addr >= s->vram_size) { + return; +@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + + do_write: + /* mask data according to sr[2] */ +- mask = s->sr[VGA_SEQ_PLANE_WRITE]; ++ mask = sr(s, VGA_SEQ_PLANE_WRITE); + s->plane_updated |= mask; /* only used to detect font change */ + write_mask = mask16[mask]; + if (addr * sizeof(uint32_t) >= s->vram_size) { +@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight + /* total width & height */ + cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; + cwidth = 8; +- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { ++ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) { + cwidth = 9; + } +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) { + cwidth = 16; /* NOTE: no 18 pixel wide */ + } + width = (s->cr[VGA_CRTC_H_DISP] + 1); +@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update) + int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL); + + /* compute font data address (in plane 2) */ +- v = s->sr[VGA_SEQ_CHARACTER_MAP]; ++ v = sr(s, VGA_SEQ_CHARACTER_MAP); + offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2; + if (offset != s->font_offsets[0]) { + s->font_offsets[0] = offset; +@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + } + + if (shift_control == 0) { +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { + disp_width <<= 1; + } + } else if (shift_control == 1) { +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { + disp_width <<= 1; + } + } +@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + + if (shift_control == 0) { + full_update |= update_palette16(s); +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { + v = VGA_DRAW_LINE4D2; + } else { + v = VGA_DRAW_LINE4; +@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + bits = 4; + } else if (shift_control == 1) { + full_update |= update_palette16(s); +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { + v = VGA_DRAW_LINE2D2; + } else { + v = VGA_DRAW_LINE2; +@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + #if 0 + printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", + width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], +- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]); ++ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE)); + #endif + addr1 = (s->start_addr * 4); + bwidth = (width * bits + 7) / 8; +@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s) + { + s->sr_index = 0; + memset(s->sr, '\0', sizeof(s->sr)); ++ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe)); + s->gr_index = 0; + memset(s->gr, '\0', sizeof(s->gr)); + s->ar_index = 0; +@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata) + /* total width & height */ + cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; + cw = 8; +- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { ++ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) { + cw = 9; + } +- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { ++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) { + cw = 16; /* NOTE: no 18 pixel wide */ + } + width = (s->cr[VGA_CRTC_H_DISP] + 1); +@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id) + + /* force refresh */ + s->graphic_mode = -1; ++ vbe_update_vgaregs(s); + return 0; + } + +diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h +index bdb43a5..3ce5544 100644 +--- a/hw/display/vga_int.h ++++ b/hw/display/vga_int.h +@@ -98,6 +98,7 @@ typedef struct VGACommonState { + MemoryRegion chain4_alias; + uint8_t sr_index; + uint8_t sr[256]; ++ uint8_t sr_vbe[256]; + uint8_t gr_index; + uint8_t gr[256]; + uint8_t ar_index; diff --git a/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch b/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch new file mode 100644 index 0000000..0663a06 --- /dev/null +++ b/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch @@ -0,0 +1,35 @@ +From: Cole Robinson +Date: Thu, 26 May 2016 09:55:21 -0400 +Subject: [PATCH] hw/arm/virt: Reject gic-version=host for non-KVM + +If you try to gic-version=host with TCG on a KVM aarch64 host, +qemu segfaults, since host requires KVM APIs. + +Explicitly reject gic-version=host if KVM is not enabled + +https://bugzilla.redhat.com/show_bug.cgi?id=1339977 +(cherry picked from commit b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e) +--- + hw/arm/virt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index 56d35c7..a535285 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -1114,10 +1114,14 @@ static void machvirt_init(MachineState *machine) + * KVM is not available yet + */ + if (!gic_version) { ++ if (!kvm_enabled()) { ++ error_report("gic-version=host requires KVM"); ++ exit(1); ++ } ++ + gic_version = kvm_arm_vgic_probe(); + if (!gic_version) { + error_report("Unable to determine GIC version supported by host"); +- error_printf("KVM acceleration is probably not supported\n"); + exit(1); + } + } diff --git a/qemu.spec b/qemu.spec index 54d8069..cb7d412 100644 --- a/qemu.spec +++ b/qemu.spec @@ -49,7 +49,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.6.0 -Release: 2%{?rcrel}%{?dist} +Release: 3%{?rcrel}%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -92,6 +92,16 @@ Patch0003: 0003-ui-sdl2-Release-grab-before-opening-console-window.patch Patch0004: 0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch # Fix monitor resizing with virgl (bz #1337564) Patch0005: 0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch +# CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904) +Patch0006: 0006-i386-kvmvapic-initialise-imm32-variable.patch +# CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503) +Patch0007: 0007-esp-check-command-buffer-length-before-write-CVE-201.patch +# CVE-2016-4441: scsi: esb: OOB write #2 (bz #1337506) +Patch0008: 0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch +# Fix regression installing windows 7 with qxl/vga (bz #1339267) +Patch0009: 0009-vga-add-sr_vbe-register-set.patch +# Fix crash with aarch64 gic-version=host and accel=tcg (bz #1339977) +Patch0010: 0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch # documentation deps @@ -1215,6 +1225,13 @@ getent passwd qemu >/dev/null || \ %changelog +* Thu May 26 2016 Cole Robinson - 2:2.6.0-3 +- CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904) +- CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503) +- CVE-2016-4441: scsi: esb: OOB write #2 (bz #1337506) +- Fix regression installing windows 7 with qxl/vga (bz #1339267) +- Fix crash with aarch64 gic-version=host and accel=tcg (bz #1339977) + * Fri May 20 2016 Cole Robinson - 2:2.6.0-2 - Explicitly error if spice GL setup fails - Fix monitor resizing with virgl (bz #1337564)