diff --git a/SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch b/SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch new file mode 100644 index 0000000..e1eb3b2 --- /dev/null +++ b/SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch @@ -0,0 +1,97 @@ +From 5d12c17191e042a57e02749cedc55104a8251ac3 Mon Sep 17 00:00:00 2001 +From: Miroslav Rezanina +Date: Thu, 21 Jan 2016 07:17:43 +0100 +Subject: [PATCH] fw_cfg: add check to validate current entry value + (CVE-2016-1714) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <1453360663-5066-1-git-send-email-mrezanin@redhat.com> +Patchwork-id: 68834 +O-Subject: [RHEL-7.2.z/RHEL-7.3 qemu-kvm PATCH] fw_cfg: add check to validate current entry value (CVE-2016-1714) +Bugzilla: 1298047 +RH-Acked-by: Laurent Vivier +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Gerd Hoffmann + +From: Prasad J Pandit + +When processing firmware configurations, an OOB r/w access occurs +if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff). +Add a check to validate 's->cur_entry' to avoid such access. + +This patch is based on upstream commit 66f8fd9dda312191b78d2a2ba2848bcee76127a2 + Author: Gabriel L. Somlo + Date: Thu Nov 5 09:32:50 2015 -0500 + + fw_cfg: avoid calculating invalid current entry pointer + + When calculating a pointer to the currently selected fw_cfg item, the + following is used: + + FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + When s->cur_entry is FW_CFG_INVALID, we are calculating the address of + a non-existent element in s->entries[arch][...], which is undefined. + + This patch ensures the resulting entry pointer is set to NULL whenever + s->cur_entry is FW_CFG_INVALID. + + Reported-by: Laszlo Ersek + Reviewed-by: Laszlo Ersek + Signed-off-by: Gabriel Somlo + Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu + Cc: Marc MarĂ­ + Signed-off-by: Gabriel Somlo + Reviewed-by: Laszlo Ersek + Signed-off-by: Gerd Hoffmann + +with added chunk for fw_cfg_write() that was removed in commit +023e3148567ac898c7258138f8e86c3c2bb40d07 +and missing chunk for fw_cfg_dma_transfer that was added in commit +a4c0d1deb785611c96a455f65ec032976b00b36f. + +Reported-by: Donghai Zdh +Signed-off-by: Prasad J Pandit +Signed-off-by: Miroslav Rezanina +--- + hw/nvram/fw_cfg.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index b865c09..fcb3146 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -207,12 +207,15 @@ static void fw_cfg_reboot(FWCfgState *s) + static void fw_cfg_write(FWCfgState *s, uint8_t value) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + trace_fw_cfg_write(s, value); + +- if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback && +- s->cur_offset < e->len) { ++ if (s->cur_entry & FW_CFG_WRITE_CHANNEL ++ && e != NULL ++ && e->callback ++ && s->cur_offset < e->len) { + e->data[s->cur_offset++] = value; + if (s->cur_offset == e->len) { + e->callback(e->callback_opaque, e->data); +@@ -241,7 +244,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) + static uint8_t fw_cfg_read(FWCfgState *s) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + uint8_t ret; + + if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch b/SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch new file mode 100644 index 0000000..841b730 --- /dev/null +++ b/SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch @@ -0,0 +1,57 @@ +From 1a4a13c7c0f05f5a423c09607c7ef5151d315242 Mon Sep 17 00:00:00 2001 +From: Max Reitz +Date: Sat, 16 Jan 2016 14:02:12 +0100 +Subject: [PATCH] raw-posix: Fix .bdrv_co_get_block_status() for unaligned + image size + +Message-id: <1452952932-2466-2-git-send-email-mreitz@redhat.com> +Patchwork-id: 68783 +O-Subject: [RHEL-7.2.z qemu-kvm PATCH 1/1] raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size +Bugzilla: 1298828 +RH-Acked-by: Fam Zheng +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Kevin Wolf + +From: Kevin Wolf + +Image files with an unaligned image size have a final hole that starts +at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is +returned when checking the status of this sector. In qemu-img, this +triggers an assertion failure. + +In order to fix this, one type for the sector that contains EOF must be +found. Treating a hole as data is safe, so this patch rounds the +calculated number of data sectors up, so that a partial sector at EOF is +treated as a full data sector. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394 + +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Tested-by: Cole Robinson +(cherry picked from commit b8684454e152ca2e100f4b59d80de2be27186206) +Signed-off-by: Max Reitz +Signed-off-by: Miroslav Rezanina +--- + block/raw-posix.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/block/raw-posix.c b/block/raw-posix.c +index 72a9dc0..1f5275f 100644 +--- a/block/raw-posix.c ++++ b/block/raw-posix.c +@@ -1452,8 +1452,9 @@ static int64_t coroutine_fn raw_co_get_block_status(BlockDriverState *bs, + *pnum = nb_sectors; + ret = BDRV_BLOCK_DATA; + } else if (data == start) { +- /* On a data extent, compute sectors to the end of the extent. */ +- *pnum = MIN(nb_sectors, (hole - start) / BDRV_SECTOR_SIZE); ++ /* On a data extent, compute sectors to the end of the extent, ++ * possibly including a partial sector at EOF. */ ++ *pnum = MIN(nb_sectors, DIV_ROUND_UP(hole - start, BDRV_SECTOR_SIZE)); + ret = BDRV_BLOCK_DATA; + } else { + /* On a hole, compute sectors to the beginning of the next extent. */ +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 72b1d18..5c683ef 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \ Summary: QEMU is a FAST! processor emulator Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 105%{?dist}.1 +Release: 105%{?dist}.3 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD @@ -3165,6 +3165,10 @@ Patch1553: kvm-qtest-ide-test-disable-flush-test.patch Patch1554: kvm-rbd-make-qemu-s-cache-setting-override-any-ceph-sett.patch # For bz#1279389 - ceph.conf properties override qemu's command-line properties Patch1555: kvm-rbd-fix-ceph-settings-precedence.patch +# For bz#1298828 - [abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT +Patch1556: kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch +# For bz#1298047 - CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-7.2.z] +Patch1557: kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch BuildRequires: zlib-devel @@ -4933,6 +4937,8 @@ cp %{SOURCE18} pc-bios # keep "make check" happy %patch1553 -p1 %patch1554 -p1 %patch1555 -p1 +%patch1556 -p1 +%patch1557 -p1 %build buildarch="%{kvm_target}-softmmu" @@ -5389,6 +5395,16 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_libdir}/pkgconfig/libcacard.pc %changelog +* Thu Jan 21 2016 Miroslav Rezanina - 1.5.3-105.el7_2.3 +- kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch [bz#1298047] +- Resolves: bz#1298047 + (CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-7.2.z]) + +* Wed Jan 20 2016 Miroslav Rezanina - 1.5.3-105.el7_2.2 +- kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch [bz#1298828] +- Resolves: bz#1298828 + ([abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT) + * Tue Nov 17 2015 Miroslav Rezanina - 1.5.3-105.el7_2.1 - kvm-rbd-make-qemu-s-cache-setting-override-any-ceph-sett.patch [bz#1279389] - kvm-rbd-fix-ceph-settings-precedence.patch [bz#1279389]