From cf8819083b589a21198683d5a7c7065226df0bd2 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Sep 21 2015 22:01:46 +0000 Subject: CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) --- diff --git a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch deleted file mode 100644 index 2b099a4..0000000 --- a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch +++ /dev/null @@ -1,98 +0,0 @@ -From d233fc09d20fa24f6ee03f8505333d73f559eacf Mon Sep 17 00:00:00 2001 -From: Aurelien Jarno -Date: Sun, 13 Sep 2015 23:03:44 +0200 -Subject: [PATCH 1/2] target-ppc: fix vcipher, vcipherlast, vncipherlast and - vpermxor - -For vector instructions, the helpers get pointers to the vector register -in arguments. Some operands might point to the same register, including -the operand holding the result. - -When emulating instructions which access the vector elements in a -non-linear way, we need to store the result in an temporary variable. - -This fixes openssl when emulating a POWER8 CPU. - -Cc: Tom Musta -Cc: Alexander Graf -Cc: qemu-stable@nongnu.org -Signed-off-by: Aurelien Jarno ---- - target-ppc/int_helper.c | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c -index 0a55d5e..b122868 100644 ---- a/target-ppc/int_helper.c -+++ b/target-ppc/int_helper.c -@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a) - - void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - VECTOR_FOR_INORDER_I(i, u32) { -- r->AVRW(i) = b->AVRW(i) ^ -+ result.AVRW(i) = b->AVRW(i) ^ - (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^ - AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^ - AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^ - AES_Te3[a->AVRB(AES_shifts[4*i + 3])]); - } -+ *r = result; - } - - void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - VECTOR_FOR_INORDER_I(i, u8) { -- r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]); -+ result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]); - } -+ *r = result; - } - - void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) -@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - - void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - VECTOR_FOR_INORDER_I(i, u8) { -- r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]); -+ result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]); - } -+ *r = result; - } - - #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n))) -@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r, ppc_avr_t *a, uint32_t st_six) - - void helper_vpermxor(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c) - { -+ ppc_avr_t result; - int i; -+ - VECTOR_FOR_INORDER_I(i, u8) { - int indexA = c->u8[i] >> 4; - int indexB = c->u8[i] & 0xF; - #if defined(HOST_WORDS_BIGENDIAN) -- r->u8[i] = a->u8[indexA] ^ b->u8[indexB]; -+ result.u8[i] = a->u8[indexA] ^ b->u8[indexB]; - #else -- r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB]; -+ result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB]; - #endif - } -+ *r = result; - } - - #undef VECTOR_FOR_INORDER_I --- -2.5.0 - diff --git a/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch new file mode 100644 index 0000000..9401ea7 --- /dev/null +++ b/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch @@ -0,0 +1,94 @@ +From: Aurelien Jarno +Date: Sun, 13 Sep 2015 23:03:44 +0200 +Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and + vpermxor + +For vector instructions, the helpers get pointers to the vector register +in arguments. Some operands might point to the same register, including +the operand holding the result. + +When emulating instructions which access the vector elements in a +non-linear way, we need to store the result in an temporary variable. + +This fixes openssl when emulating a POWER8 CPU. + +Cc: Tom Musta +Cc: Alexander Graf +Cc: qemu-stable@nongnu.org +Signed-off-by: Aurelien Jarno +--- + target-ppc/int_helper.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c +index 0a55d5e..b122868 100644 +--- a/target-ppc/int_helper.c ++++ b/target-ppc/int_helper.c +@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a) + + void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) + { ++ ppc_avr_t result; + int i; + + VECTOR_FOR_INORDER_I(i, u32) { +- r->AVRW(i) = b->AVRW(i) ^ ++ result.AVRW(i) = b->AVRW(i) ^ + (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^ + AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^ + AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^ + AES_Te3[a->AVRB(AES_shifts[4*i + 3])]); + } ++ *r = result; + } + + void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) + { ++ ppc_avr_t result; + int i; + + VECTOR_FOR_INORDER_I(i, u8) { +- r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]); ++ result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]); + } ++ *r = result; + } + + void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) +@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) + + void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) + { ++ ppc_avr_t result; + int i; + + VECTOR_FOR_INORDER_I(i, u8) { +- r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]); ++ result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]); + } ++ *r = result; + } + + #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n))) +@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r, ppc_avr_t *a, uint32_t st_six) + + void helper_vpermxor(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c) + { ++ ppc_avr_t result; + int i; ++ + VECTOR_FOR_INORDER_I(i, u8) { + int indexA = c->u8[i] >> 4; + int indexB = c->u8[i] & 0xF; + #if defined(HOST_WORDS_BIGENDIAN) +- r->u8[i] = a->u8[indexA] ^ b->u8[indexB]; ++ result.u8[i] = a->u8[indexA] ^ b->u8[indexB]; + #else +- r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB]; ++ result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB]; + #endif + } ++ *r = result; + } + + #undef VECTOR_FOR_INORDER_I diff --git a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch deleted file mode 100644 index 94e7b83..0000000 --- a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +++ /dev/null @@ -1,53 +0,0 @@ -From d539a02e18916c558985f26cf37af1e83851d9fd Mon Sep 17 00:00:00 2001 -From: Aurelien Jarno -Date: Sun, 13 Sep 2015 23:03:45 +0200 -Subject: [PATCH 2/2] target-ppc: fix xscmpodp and xscmpudp decoding - -The xscmpodp and xscmpudp instructions only have the AX, BX bits in -there encoding, the lowest bit (usually TX) is marked as an invalid -bit. We therefore can't decode them with GEN_XX2FORM, which decodes -the two lowest bit. - -Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark -the lowest bit as invalid. - -Cc: Tom Musta -Cc: Alexander Graf -Cc: qemu-stable@nongnu.org -Signed-off-by: Aurelien Jarno ---- - target-ppc/translate.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/target-ppc/translate.c b/target-ppc/translate.c -index 84c5cea..c0eed13 100644 ---- a/target-ppc/translate.c -+++ b/target-ppc/translate.c -@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2) - -+#undef GEN_XX2IFORM -+#define GEN_XX2IFORM(name, opc2, opc3, fl2) \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2) -+ - #undef GEN_XX3_RC_FORM - #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2) \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \ -@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX), - GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX), - GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX), - GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX), --GEN_XX2FORM(xscmpodp, 0x0C, 0x05, PPC2_VSX), --GEN_XX2FORM(xscmpudp, 0x0C, 0x04, PPC2_VSX), -+GEN_XX2IFORM(xscmpodp, 0x0C, 0x05, PPC2_VSX), -+GEN_XX2IFORM(xscmpudp, 0x0C, 0x04, PPC2_VSX), - GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX), - GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX), - GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX), --- -2.5.0 - diff --git a/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch new file mode 100644 index 0000000..2d2f370 --- /dev/null +++ b/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch @@ -0,0 +1,49 @@ +From: Aurelien Jarno +Date: Sun, 13 Sep 2015 23:03:45 +0200 +Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding + +The xscmpodp and xscmpudp instructions only have the AX, BX bits in +there encoding, the lowest bit (usually TX) is marked as an invalid +bit. We therefore can't decode them with GEN_XX2FORM, which decodes +the two lowest bit. + +Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark +the lowest bit as invalid. + +Cc: Tom Musta +Cc: Alexander Graf +Cc: qemu-stable@nongnu.org +Signed-off-by: Aurelien Jarno +--- + target-ppc/translate.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/target-ppc/translate.c b/target-ppc/translate.c +index 84c5cea..c0eed13 100644 +--- a/target-ppc/translate.c ++++ b/target-ppc/translate.c +@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \ + GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \ + GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2) + ++#undef GEN_XX2IFORM ++#define GEN_XX2IFORM(name, opc2, opc3, fl2) \ ++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \ ++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \ ++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \ ++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2) ++ + #undef GEN_XX3_RC_FORM + #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2) \ + GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \ +@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX), + GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX), + GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX), + GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX), +-GEN_XX2FORM(xscmpodp, 0x0C, 0x05, PPC2_VSX), +-GEN_XX2FORM(xscmpudp, 0x0C, 0x04, PPC2_VSX), ++GEN_XX2IFORM(xscmpodp, 0x0C, 0x05, PPC2_VSX), ++GEN_XX2IFORM(xscmpudp, 0x0C, 0x04, PPC2_VSX), + GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX), + GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX), + GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX), diff --git a/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch b/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch new file mode 100644 index 0000000..9e77105 --- /dev/null +++ b/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch @@ -0,0 +1,35 @@ +From: P J P +Date: Fri, 4 Sep 2015 17:21:06 +0100 +Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor + (CVE-2015-6815) + +While processing transmit descriptors, it could lead to an infinite +loop if 'bytes' was to become zero; Add a check to avoid it. + +[The guest can force 'bytes' to 0 by setting the hdr_len and mss +descriptor fields to 0. +--Stefan] + +Signed-off-by: P J P +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Thomas Huth +Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com +(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7) +--- + hw/net/e1000.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index 5c6bcd0..09c9e9d 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + memmove(tp->data, tp->header, tp->hdr_len); + tp->size = tp->hdr_len; + } +- } while (split_size -= bytes); ++ split_size -= bytes; ++ } while (bytes && split_size); + } else if (!tp->tse && tp->cptse) { + // context descriptor TSE is not set, while data descriptor TSE is set + DBGOUT(TXERR, "TCP segmentation error\n"); diff --git a/0005-ide-fix-ATAPI-command-permissions.patch b/0005-ide-fix-ATAPI-command-permissions.patch new file mode 100644 index 0000000..7afc084 --- /dev/null +++ b/0005-ide-fix-ATAPI-command-permissions.patch @@ -0,0 +1,141 @@ +From: John Snow +Date: Thu, 17 Sep 2015 14:17:05 -0400 +Subject: [PATCH] ide: fix ATAPI command permissions + +We're a little too lenient with what we'll let an ATAPI drive handle. +Clamp down on the IDE command execution table to remove CD_OK permissions +from commands that are not and have never been ATAPI commands. + +For ATAPI command validity, please see: +- ATA4 Section 6.5 ("PACKET Command feature set") +- ATA8/ACS Section 4.3 ("The PACKET feature set") +- ACS3 Section 4.3 ("The PACKET feature set") + +ACS3 has a historical command validity table in Table B.4 +("Historical Command Assignments") that can be referenced to find when +a command was introduced, deprecated, obsoleted, etc. + +The only reference for ATAPI command validity is by checking that +version's PACKET feature set section. + +ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4 +therefore are assumed to have never been ATAPI commands. + +Mandatory commands, as listed in ATA8-ACS3, are: + +- DEVICE RESET +- EXECUTE DEVICE DIAGNOSTIC +- IDENTIFY DEVICE +- IDENTIFY PACKET DEVICE +- NOP +- PACKET +- READ SECTOR(S) +- SET FEATURES + +Optional commands as listed in ATA8-ACS3, are: + +- FLUSH CACHE +- READ LOG DMA EXT +- READ LOG EXT +- WRITE LOG DMA EXT +- WRITE LOG EXT + +All other commands are illegal to send to an ATAPI device and should +be rejected by the device. + +CD_OK removal justifications: + +0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI. +0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4. +0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI. +0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI. +0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI. +0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI. +0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI. +0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI. +0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3. +0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3. +0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3. +0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS. + +This patch fixes a divide by zero fault that can be caused by sending +the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to +attempt to use zeroed CHS values to perform sector arithmetic. + +Reported-by: Qinghao Tang +Signed-off-by: John Snow +Reviewed-by: Markus Armbruster +Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com +CC: qemu-stable@nongnu.org +(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a) +--- + hw/ide/core.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index 50449ca..71caea9 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -1747,11 +1747,11 @@ static const struct { + } ide_cmd_table[0x100] = { + /* NOP not implemented, mandatory for CD */ + [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK }, +- [WIN_DSM] = { cmd_data_set_management, ALL_OK }, ++ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK }, + [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK }, + [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC}, + [WIN_READ] = { cmd_read_pio, ALL_OK }, +- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK }, ++ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK }, + [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, +@@ -1770,12 +1770,12 @@ static const struct { + [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK }, + [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK }, + [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC }, +- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY2] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE2] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK }, + [WIN_PACKETCMD] = { cmd_packet, CD_OK }, + [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK }, + [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC }, +@@ -1789,19 +1789,19 @@ static const struct { + [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK }, + [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK }, + [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK }, +- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE1] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK }, + [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK }, + [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK }, + [WIN_IDENTIFY] = { cmd_identify, ALL_OK }, + [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC }, + [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC }, + [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC }, +- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC }, ++ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, + }; + + static bool ide_cmd_permitted(IDEState *s, uint32_t cmd) diff --git a/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch b/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch new file mode 100644 index 0000000..c1f70ca --- /dev/null +++ b/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch @@ -0,0 +1,32 @@ +From: P J P +Date: Tue, 15 Sep 2015 16:46:59 +0530 +Subject: [PATCH] net: avoid infinite loop when receiving + packets(CVE-2015-5278) + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. While receiving packets +via ne2000_receive() routine, a local 'index' variable +could exceed the ring buffer size, leading to an infinite +loop situation. + +Reported-by: Qinghao Tang +Signed-off-by: P J P +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943) +--- + hw/net/ne2000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 3492db3..44a4264 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + if (index <= s->stop) + avail = s->stop - index; + else +- avail = 0; ++ break; + len = size; + if (len > avail) + len = avail; diff --git a/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch b/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch new file mode 100644 index 0000000..d197a7e --- /dev/null +++ b/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch @@ -0,0 +1,67 @@ +From: P J P +Date: Tue, 15 Sep 2015 16:40:49 +0530 +Subject: [PATCH] net: add checks to validate ring buffer + pointers(CVE-2015-5279) + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. While receiving packets +via ne2000_receive() routine, a local 'index' variable +could exceed the ring buffer size, which could lead to a +memory buffer overflow. Added other checks at initialisation. + +Reported-by: Qinghao Tang +Signed-off-by: P J P +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4) +--- + hw/net/ne2000.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 44a4264..2bdb4c9 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + } + + index = s->curpag << 8; ++ if (index >= NE2000_PMEM_END) { ++ index = s->start; ++ } + /* 4 bytes for header */ + total_len = size + 4; + /* address for next packet (4 bytes for CRC) */ +@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) + offset = addr | (page << 4); + switch(offset) { + case EN0_STARTPG: +- s->start = val << 8; ++ if (val << 8 <= NE2000_PMEM_END) { ++ s->start = val << 8; ++ } + break; + case EN0_STOPPG: +- s->stop = val << 8; ++ if (val << 8 <= NE2000_PMEM_END) { ++ s->stop = val << 8; ++ } + break; + case EN0_BOUNDARY: +- s->boundary = val; ++ if (val << 8 < NE2000_PMEM_END) { ++ s->boundary = val; ++ } + break; + case EN0_IMR: + s->imr = val; +@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) + s->phys[offset - EN1_PHYS] = val; + break; + case EN1_CURPAG: +- s->curpag = val; ++ if (val << 8 < NE2000_PMEM_END) { ++ s->curpag = val; ++ } + break; + case EN1_MULT ... EN1_MULT + 7: + s->mult[offset - EN1_MULT] = val; diff --git a/qemu.spec b/qemu.spec index 1e7d1f8..33b84e6 100644 --- a/qemu.spec +++ b/qemu.spec @@ -40,7 +40,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.4.0 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -71,10 +71,19 @@ Source13: qemu-kvm.sh # CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface # (bz #1255899) Patch0001: 0001-vnc-fix-memory-corruption-CVE-2015-5225.patch - -# Fix emulation of various instructions, required by libm in F22 ppc64 guests. -Patch0002: 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch -Patch0003: 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +# Fix emulation of various instructions, required by libm in F22 ppc64 +# guests. +Patch0002: 0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch +Patch0003: 0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) +Patch0004: 0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch +# CVE-2015-6855: ide: divide by zero issue (bz #1261793) +Patch0005: 0005-ide-fix-ATAPI-command-permissions.patch +# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) +Patch0006: 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch +# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz +# #1263287) +Patch0007: 0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -1207,6 +1216,12 @@ getent passwd qemu >/dev/null || \ %changelog +* Mon Sep 21 2015 Cole Robinson - 2:2.4.0-4 +- CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) +- CVE-2015-6855: ide: divide by zero issue (bz #1261793) +- CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) +- CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) + * Sun Sep 20 2015 Richard W.M. Jones - 2:2.4.0-3 - Fix emulation of various instructions, required by libm in F22 ppc64 guests.