From b24b7f1644dabd6cf556616e1cb12bef15132bd6 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Jan 21 2016 01:17:04 +0000 Subject: CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818) CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766) CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008) CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720) CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz #1294787) CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023) Fix modules.d/kvm.conf example syntax (bz #1298823) --- diff --git a/0003-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch b/0003-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch new file mode 100644 index 0000000..518faf7 --- /dev/null +++ b/0003-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch @@ -0,0 +1,90 @@ +From: P J P +Date: Tue, 15 Dec 2015 12:27:54 +0530 +Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device + +Vmxnet3 device emulator does not check if the device is active +before activating it, also it did not free the transmit & receive +buffers while deactivating the device, thus resulting in memory +leakage on the host. This patch fixes both these issues to avoid +host memory leakage. + +Reported-by: Qinghao Tang +Reviewed-by: Dmitry Fleytman +Signed-off-by: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang +(cherry picked from commit aa4a3dce1c88ed51b616806b8214b7c8428b7470) +--- + hw/net/vmxnet3.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index 37373e5..2b4aad7 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s) + + static void vmxnet3_deactivate_device(VMXNET3State *s) + { +- VMW_CBPRN("Deactivating vmxnet3..."); +- s->device_active = false; ++ if (s->device_active) { ++ VMW_CBPRN("Deactivating vmxnet3..."); ++ vmxnet_tx_pkt_reset(s->tx_pkt); ++ vmxnet_tx_pkt_uninit(s->tx_pkt); ++ vmxnet_rx_pkt_uninit(s->rx_pkt); ++ s->device_active = false; ++ } + } + + static void vmxnet3_reset(VMXNET3State *s) +@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s) + + vmxnet3_deactivate_device(s); + vmxnet3_reset_interrupt_states(s); +- vmxnet_tx_pkt_reset(s->tx_pkt); + s->drv_shmem = 0; + s->tx_sop = true; + s->skip_current_tx_pkt = false; +@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s) + return; + } + ++ /* Verify if device is active */ ++ if (s->device_active) { ++ VMW_CFPRN("Vmxnet3 device is active"); ++ return; ++ } ++ + vmxnet3_adjust_by_guest_type(s); + vmxnet3_update_features(s); + vmxnet3_update_pm_state(s); +@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd) + break; + + case VMXNET3_CMD_QUIESCE_DEV: +- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); ++ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); + vmxnet3_deactivate_device(s); + break; + +@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque, + * shared address only after we get the high part + */ + if (val == 0) { +- s->device_active = false; ++ vmxnet3_deactivate_device(s); + } + s->temp_shared_guest_driver_memory = val; + s->drv_shmem = 0; +@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s) + static void vmxnet3_net_uninit(VMXNET3State *s) + { + g_free(s->mcast_list); +- vmxnet_tx_pkt_reset(s->tx_pkt); +- vmxnet_tx_pkt_uninit(s->tx_pkt); +- vmxnet_rx_pkt_uninit(s->rx_pkt); ++ vmxnet3_deactivate_device(s); + qemu_del_nic(s->nic); + } + diff --git a/0004-i386-avoid-null-pointer-dereference.patch b/0004-i386-avoid-null-pointer-dereference.patch new file mode 100644 index 0000000..17b2c5c --- /dev/null +++ b/0004-i386-avoid-null-pointer-dereference.patch @@ -0,0 +1,62 @@ +From: P J P +Date: Fri, 18 Dec 2015 11:35:07 +0530 +Subject: [PATCH] i386: avoid null pointer dereference + + Hello, + +A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It +occurs while doing I/O port write operations via hmp interface. In that, +'current_cpu' remains null as it is not called from cpu_exec loop, which +results in the said issue. + +Below is a proposed (tested)patch to fix this issue; Does it look okay? + +=== +From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 18 Dec 2015 11:16:07 +0530 +Subject: [PATCH] i386: avoid null pointer dereference + +When I/O port write operation is called from hmp interface, +'current_cpu' remains null, as it is not called from cpu_exec() +loop. This leads to a null pointer dereference in vapic_write +routine. Add check to avoid it. + +Reported-by: Ling Liu +Signed-off-by: Prasad J Pandit +Message-Id: +Signed-off-by: Paolo Bonzini +Signed-off-by: P J P +(cherry picked from commit 4c1396cb576c9b14425558b73de1584c7a9735d7) +--- + hw/i386/kvmvapic.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c +index c6d34b2..f0922da 100644 +--- a/hw/i386/kvmvapic.c ++++ b/hw/i386/kvmvapic.c +@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) + static void vapic_write(void *opaque, hwaddr addr, uint64_t data, + unsigned int size) + { +- CPUState *cs = current_cpu; +- X86CPU *cpu = X86_CPU(cs); +- CPUX86State *env = &cpu->env; +- hwaddr rom_paddr; + VAPICROMState *s = opaque; ++ X86CPU *cpu; ++ CPUX86State *env; ++ hwaddr rom_paddr; + +- cpu_synchronize_state(cs); ++ if (!current_cpu) { ++ return; ++ } ++ ++ cpu_synchronize_state(current_cpu); ++ cpu = X86_CPU(current_cpu); ++ env = &cpu->env; + + /* + * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. diff --git a/0005-scsi-initialise-info-object-with-appropriate-size.patch b/0005-scsi-initialise-info-object-with-appropriate-size.patch new file mode 100644 index 0000000..2d5605c --- /dev/null +++ b/0005-scsi-initialise-info-object-with-appropriate-size.patch @@ -0,0 +1,32 @@ +From: P J P +Date: Mon, 21 Dec 2015 15:13:13 +0530 +Subject: [PATCH] scsi: initialise info object with appropriate size + +While processing controller 'CTRL_GET_INFO' command, the routine +'megasas_ctrl_get_info' overflows the '&info' object size. Use its +appropriate size to null initialise it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-Id: +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +Signed-off-by: P J P +(cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811) +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index d7dc667..576f56c 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + BusChild *kid; + int num_pd_disks = 0; + +- memset(&info, 0x0, cmd->iov_size); ++ memset(&info, 0x0, dcmd_size); + if (cmd->iov_size < dcmd_size) { + trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, + dcmd_size); diff --git a/0006-net-rocker-fix-an-incorrect-array-bounds-check.patch b/0006-net-rocker-fix-an-incorrect-array-bounds-check.patch new file mode 100644 index 0000000..6701693 --- /dev/null +++ b/0006-net-rocker-fix-an-incorrect-array-bounds-check.patch @@ -0,0 +1,44 @@ +From: Prasad J Pandit +Date: Mon, 28 Dec 2015 16:24:08 +0530 +Subject: [PATCH] net: rocker: fix an incorrect array bounds check + +While processing transmit(tx) descriptors in 'tx_consume' routine +the switch emulator suffers from an off-by-one error, if a +descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) +fragments. Fix an incorrect bounds check to avoid it. + +Reported-by: Qinghao Tang +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +(cherry picked from commit 007cd223de527b5f41278f2d886c1a4beb3e67aa) +--- + hw/net/rocker/rocker.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c +index c57f1a6..2e77e50 100644 +--- a/hw/net/rocker/rocker.c ++++ b/hw/net/rocker/rocker.c +@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) + frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); + frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); + ++ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { ++ goto err_too_many_frags; ++ } + iov[iovcnt].iov_len = frag_len; + iov[iovcnt].iov_base = g_malloc(frag_len); + if (!iov[iovcnt].iov_base) { +@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) + err = -ROCKER_ENXIO; + goto err_bad_io; + } +- +- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { +- goto err_too_many_frags; +- } ++ iovcnt++; + } + + if (iovcnt) { diff --git a/0007-net-ne2000-fix-bounds-check-in-ioport-operations.patch b/0007-net-ne2000-fix-bounds-check-in-ioport-operations.patch new file mode 100644 index 0000000..fcd93bc --- /dev/null +++ b/0007-net-ne2000-fix-bounds-check-in-ioport-operations.patch @@ -0,0 +1,45 @@ +From: Prasad J Pandit +Date: Thu, 31 Dec 2015 17:05:27 +0530 +Subject: [PATCH] net: ne2000: fix bounds check in ioport operations + +While doing ioport r/w operations, ne2000 device emulation suffers +from OOB r/w errors. Update respective array bounds check to avoid +OOB access. + +Reported-by: Ling Liu +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +(cherry picked from commit aa7f9966dfdff500bbbf1956d9e115b1fa8987a6) +--- + hw/net/ne2000.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 010f9ef..a3dffff 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, + uint32_t val) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + stl_le_p(s->mem + addr, val); + } + } +@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) + static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + return ldl_le_p(s->mem + addr); + } else { + return 0xffffffff; diff --git a/0008-ide-ahci-reset-ncq-object-to-unused-on-error.patch b/0008-ide-ahci-reset-ncq-object-to-unused-on-error.patch new file mode 100644 index 0000000..865e17a --- /dev/null +++ b/0008-ide-ahci-reset-ncq-object-to-unused-on-error.patch @@ -0,0 +1,36 @@ +From: Prasad J Pandit +Date: Mon, 11 Jan 2016 14:10:42 -0500 +Subject: [PATCH] ide: ahci: reset ncq object to unused on error + +When processing NCQ commands, AHCI device emulation prepares a +NCQ transfer object; To which an aio control block(aiocb) object +is assigned in 'execute_ncq_command'. In case, when the NCQ +command is invalid, the 'aiocb' object is not assigned, and NCQ +transfer object is left as 'used'. This leads to a use after +free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. +Reset NCQ transfer object to 'unused' to avoid it. + +[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Reviewed-by: John Snow +Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com +Signed-off-by: John Snow +(cherry picked from commit 4ab0359a8ae182a7ac5c99609667273167703fab) +--- + hw/ide/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index dd1912e..17f1cbd 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs) + ide_state->error = ABRT_ERR; + ide_state->status = READY_STAT | ERR_STAT; + ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); ++ ncq_tfs->used = 0; + } + + static void ncq_finish(NCQTransferState *ncq_tfs) diff --git a/kvm.conf b/kvm.conf index 594b2f1..84885e9 100644 --- a/kvm.conf +++ b/kvm.conf @@ -7,6 +7,5 @@ ### Set these options to enable nested virtualization ### -#option kvm_intel nested=1 -#option kvm_amd nested=1 - +#options kvm_intel nested=1 +#options kvm_amd nested=1 diff --git a/qemu.spec b/qemu.spec index aa553e2..f6895dc 100644 --- a/qemu.spec +++ b/qemu.spec @@ -40,7 +40,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.5.0 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -75,6 +75,19 @@ Source20: kvm.conf Patch0001: 0001-virtio-9p-use-accessor-to-get-thread_pool.patch # CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309) Patch0002: 0002-ehci-make-idt-processing-more-robust.patch +# CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818) +Patch0003: 0003-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch +# CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766) +Patch0004: 0004-i386-avoid-null-pointer-dereference.patch +# CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008) +Patch0005: 0005-scsi-initialise-info-object-with-appropriate-size.patch +# CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720) +Patch0006: 0006-net-rocker-fix-an-incorrect-array-bounds-check.patch +# CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz +# #1294787) +Patch0007: 0007-net-ne2000-fix-bounds-check-in-ioport-operations.patch +# CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023) +Patch0008: 0008-ide-ahci-reset-ncq-object-to-unused-on-error.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -1169,6 +1182,16 @@ getent passwd qemu >/dev/null || \ %changelog +* Wed Jan 20 2016 Cole Robinson - 2:2.5.0-4 +- CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818) +- CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766) +- CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008) +- CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720) +- CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz + #1294787) +- CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023) +- Fix modules.d/kvm.conf example syntax (bz #1298823) + * Sat Jan 09 2016 Cole Robinson - 2:2.5.0-3 - Fix virtio 9p thread pool usage - CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)