From 44d016d6766394acf34ff1615c0faa43194afdd8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 25 2018 17:34:34 +0000 Subject: import qemu-kvm-ma-2.10.0-21.el7_5.4 --- diff --git a/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch b/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch new file mode 100644 index 0000000..c861af2 --- /dev/null +++ b/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch @@ -0,0 +1,66 @@ +From ebad012fad51bd72c0618face6188086ee9c2be4 Mon Sep 17 00:00:00 2001 +From: Xiao Wang +Date: Wed, 8 Aug 2018 06:01:52 +0200 +Subject: [PATCH 3/3] slirp: Correct size check in m_inc() + +RH-Author: Xiao Wang +Message-id: <1533708112-14286-4-git-send-email-jasowang@redhat.com> +Patchwork-id: 81672 +O-Subject: [RHEL-7.5.z qemu-kvm-ma PATCH V2 3/3] slirp: Correct size check in m_inc() +Bugzilla: 1586247 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: wexu@redhat.com +RH-Acked-by: Thomas Huth + +From: Peter Maydell + +The data in an mbuf buffer is not necessarily at the start of the +allocated buffer. (For instance m_adj() allows data to be trimmed +from the start by just advancing the pointer and reducing the length.) +This means that the allocated buffer size (m->m_size) and the +amount of space from the m_data pointer to the end of the +buffer (M_ROOM(m)) are not necessarily the same. + +Commit 864036e251f54c9 tried to change the m_inc() function from +taking the new allocated-buffer-size to taking the new room-size, +but forgot to change the initial "do we already have enough space" +check. This meant that if we were trying to extend a buffer which +had a leading gap between the buffer start and the data, we might +incorrectly decide it didn't need to be extended, and then +overrun the end of the buffer, causing memory corruption and +an eventual crash. + +Change the "already big enough?" condition from checking the +argument against m->m_size to checking against M_ROOM(). +This only makes a difference for the callsite in m_cat(); +the other three callsites all start with a freshly allocated +mbuf from m_get(), which will have m->m_size == M_ROOM(m). + +Fixes: 864036e251f54c9 +Fixes: https://bugs.launchpad.net/qemu/+bug/1785670 +Signed-off-by: Peter Maydell +Reviewed-by: Samuel Thibault +Message-id: 20180807114501.12370-1-peter.maydell@linaro.org +Tested-by: Dr. David Alan Gilbert +(cherry picked from commit 09b94ac0f29db3b022a77a5aa50dc9e37032689d) +Signed-off-by: Miroslav Rezanina +--- + slirp/mbuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/slirp/mbuf.c b/slirp/mbuf.c +index 0c189e1..1b78683 100644 +--- a/slirp/mbuf.c ++++ b/slirp/mbuf.c +@@ -154,7 +154,7 @@ m_inc(struct mbuf *m, int size) + int datasize; + + /* some compilers throw up on gotos. This one we can fake. */ +- if (m->m_size > size) { ++ if (M_ROOM(m) > size) { + return; + } + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch b/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch new file mode 100644 index 0000000..795b7ef --- /dev/null +++ b/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch @@ -0,0 +1,113 @@ +From 8b8438b164750b1e864b8093e0b83b76365b7246 Mon Sep 17 00:00:00 2001 +From: Xiao Wang +Date: Wed, 8 Aug 2018 06:01:50 +0200 +Subject: [PATCH 1/3] slirp: correct size computation while concatenating mbuf + +RH-Author: Xiao Wang +Message-id: <1533708112-14286-2-git-send-email-jasowang@redhat.com> +Patchwork-id: 81669 +O-Subject: [RHEL-7.5.z qemu-kvm-ma PATCH V2 1/3] slirp: correct size computation while concatenating mbuf +Bugzilla: 1586247 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: wexu@redhat.com +RH-Acked-by: Thomas Huth + +From: Prasad J Pandit + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1586247 +Brew Build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=17635033 +Test status: Tested by myself + +While reassembling incoming fragmented datagrams, 'm_cat' routine +extends the 'mbuf' buffer, if it has insufficient room. It computes +a wrong buffer size, which leads to overwriting adjacent heap buffer +area. Correct this size computation in m_cat. + +Reported-by: ZDI Disclosures +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +(cherry picked from commit 864036e251f54c99d31df124aad7f34f01f5344c) +Signed-off-by: Miroslav Rezanina +--- + slirp/mbuf.c | 11 +++++------ + slirp/mbuf.h | 8 +++----- + 2 files changed, 8 insertions(+), 11 deletions(-) + +diff --git a/slirp/mbuf.c b/slirp/mbuf.c +index 5ff2455..18cbf75 100644 +--- a/slirp/mbuf.c ++++ b/slirp/mbuf.c +@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n) + * If there's no room, realloc + */ + if (M_FREEROOM(m) < n->m_len) +- m_inc(m,m->m_size+MINCSIZE); ++ m_inc(m, m->m_len + n->m_len); + + memcpy(m->m_data+m->m_len, n->m_data, n->m_len); + m->m_len += n->m_len; +@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n) + } + + +-/* make m size bytes large */ ++/* make m 'size' bytes large from m_data */ + void + m_inc(struct mbuf *m, int size) + { +@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size) + + if (m->m_flags & M_EXT) { + datasize = m->m_data - m->m_ext; +- m->m_ext = g_realloc(m->m_ext, size); ++ m->m_ext = g_realloc(m->m_ext, size + datasize); + m->m_data = m->m_ext + datasize; + } else { + char *dat; + datasize = m->m_data - m->m_dat; +- dat = g_malloc(size); ++ dat = g_malloc(size + datasize); + memcpy(dat, m->m_dat, m->m_size); + + m->m_ext = dat; +@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size) + m->m_flags |= M_EXT; + } + +- m->m_size = size; +- ++ m->m_size = size + datasize; + } + + +diff --git a/slirp/mbuf.h b/slirp/mbuf.h +index 893601f..33b8448 100644 +--- a/slirp/mbuf.h ++++ b/slirp/mbuf.h +@@ -33,8 +33,6 @@ + #ifndef MBUF_H + #define MBUF_H + +-#define MINCSIZE 4096 /* Amount to increase mbuf if too small */ +- + /* + * Macros for type conversion + * mtod(m,t) - convert mbuf pointer to data pointer of correct type +@@ -72,11 +70,11 @@ struct mbuf { + struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ + int m_flags; /* Misc flags */ + +- int m_size; /* Size of data */ ++ int m_size; /* Size of mbuf, from m_dat or m_ext */ + struct socket *m_so; + +- caddr_t m_data; /* Location of data */ +- int m_len; /* Amount of data in this mbuf */ ++ caddr_t m_data; /* Current location of data */ ++ int m_len; /* Amount of data in this mbuf, from m_data */ + + Slirp *slirp; + bool resolution_requested; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-reformat-m_inc-routine.patch b/SOURCES/kvm-slirp-reformat-m_inc-routine.patch new file mode 100644 index 0000000..d70ae47 --- /dev/null +++ b/SOURCES/kvm-slirp-reformat-m_inc-routine.patch @@ -0,0 +1,78 @@ +From c97c19773140b2f9941ecd2c4bd390e6c011d730 Mon Sep 17 00:00:00 2001 +From: Xiao Wang +Date: Wed, 8 Aug 2018 06:01:51 +0200 +Subject: [PATCH 2/3] slirp: reformat m_inc routine + +RH-Author: Xiao Wang +Message-id: <1533708112-14286-3-git-send-email-jasowang@redhat.com> +Patchwork-id: 81671 +O-Subject: [RHEL-7.5.z qemu-kvm-ma PATCH V2 2/3] slirp: reformat m_inc routine +Bugzilla: 1586247 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: wexu@redhat.com +RH-Acked-by: Thomas Huth + +From: Prasad J Pandit + +Coding style changes to the m_inc routine and minor refactoring. + +Reported-by: ZDI Disclosures +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +(cherry picked from commit c22098c74a09164797fae6511c5eaf68f32c4dd8) +Signed-off-by: Miroslav Rezanina +--- + slirp/mbuf.c | 34 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +diff --git a/slirp/mbuf.c b/slirp/mbuf.c +index 18cbf75..0c189e1 100644 +--- a/slirp/mbuf.c ++++ b/slirp/mbuf.c +@@ -151,27 +151,25 @@ m_cat(struct mbuf *m, struct mbuf *n) + void + m_inc(struct mbuf *m, int size) + { +- int datasize; ++ int datasize; + +- /* some compiles throw up on gotos. This one we can fake. */ +- if(m->m_size>size) return; ++ /* some compilers throw up on gotos. This one we can fake. */ ++ if (m->m_size > size) { ++ return; ++ } + +- if (m->m_flags & M_EXT) { +- datasize = m->m_data - m->m_ext; +- m->m_ext = g_realloc(m->m_ext, size + datasize); +- m->m_data = m->m_ext + datasize; +- } else { +- char *dat; +- datasize = m->m_data - m->m_dat; +- dat = g_malloc(size + datasize); +- memcpy(dat, m->m_dat, m->m_size); +- +- m->m_ext = dat; +- m->m_data = m->m_ext + datasize; +- m->m_flags |= M_EXT; +- } ++ if (m->m_flags & M_EXT) { ++ datasize = m->m_data - m->m_ext; ++ m->m_ext = g_realloc(m->m_ext, size + datasize); ++ } else { ++ datasize = m->m_data - m->m_dat; ++ m->m_ext = g_malloc(size + datasize); ++ memcpy(m->m_ext, m->m_dat, m->m_size); ++ m->m_flags |= M_EXT; ++ } + +- m->m_size = size + datasize; ++ m->m_data = m->m_ext + datasize; ++ m->m_size = size + datasize; + } + + +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 98eb28e..6825e64 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -106,7 +106,7 @@ Obsoletes: %1%{rhel_ma_suffix} < %{obsoletes_version2} \ Summary: QEMU is a machine emulator and virtualizer Name: %{pkgname}%{?pkgsuffix} Version: 2.10.0 -Release: 21%{?dist}.3 +Release: 21%{?dist}.4 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD @@ -1063,6 +1063,12 @@ Patch453: kvm-scsi-disk-allow-customizing-the-SCSI-version.patch Patch454: kvm-hw-scsi-support-SCSI-2-passthrough-without-PI.patch # For bz#1596553 - RHEL-Alt-7.5 - qemu has error during migration of larger guests [rhel-7.5.z] Patch455: kvm-s390x-fix-storage-attributes-migration-for-non-small.patch +# For bz#1586247 - CVE-2018-11806 qemu-kvm-ma: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z] +Patch456: kvm-slirp-correct-size-computation-while-concatenating-m.patch +# For bz#1586247 - CVE-2018-11806 qemu-kvm-ma: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z] +Patch457: kvm-slirp-reformat-m_inc-routine.patch +# For bz#1586247 - CVE-2018-11806 qemu-kvm-ma: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z] +Patch458: kvm-slirp-Correct-size-check-in-m_inc.patch BuildRequires: zlib-devel BuildRequires: glib2-devel @@ -1695,6 +1701,9 @@ cp %{SOURCE29} pc-bios %patch453 -p1 %patch454 -p1 %patch455 -p1 +%patch456 -p1 +%patch457 -p1 +%patch458 -p1 # for tscdeadline_latency.flat %ifarch x86_64 @@ -2193,6 +2202,13 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %endif %changelog +* Tue Aug 21 2018 Miroslav Rezanina - ma-2.10.0-21.el7_5.4 +- kvm-slirp-correct-size-computation-while-concatenating-m.patch [bz#1586247] +- kvm-slirp-reformat-m_inc-routine.patch [bz#1586247] +- kvm-slirp-Correct-size-check-in-m_inc.patch [bz#1586247] +- Resolves: bz#1586247 + (CVE-2018-11806 qemu-kvm-ma: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z]) + * Mon Jul 02 2018 Miroslav Rezanina - ma-2.10.0-21.el7_5.3 - kvm-scsi-disk-allow-customizing-the-SCSI-version.patch [bz#1593193] - kvm-hw-scsi-support-SCSI-2-passthrough-without-PI.patch [bz#1593193]