From cf91b1dfd97a54ee9fce7cb8164f16c45e442d5c Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Jun 22 2016 13:40:57 +0000 Subject: CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083) CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157) CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581) CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585) CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573) CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740) CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744) CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925) CVE-2016-5238: scsi: esp: OOB write (bz #1341932) CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325) CVE-2016-5337: scsi: megasas: information leakage (bz #1343910) Fix crash with -nodefaults -sdl (bz #1340931) Add deps on edk2-ovmf and edk2-aarch64 --- diff --git a/0011-net-mipsnet-check-packet-length-against-buffer.patch b/0011-net-mipsnet-check-packet-length-against-buffer.patch new file mode 100644 index 0000000..3e2aac7 --- /dev/null +++ b/0011-net-mipsnet-check-packet-length-against-buffer.patch @@ -0,0 +1,32 @@ +From: Prasad J Pandit +Date: Thu, 7 Apr 2016 15:56:02 +0530 +Subject: [PATCH] net: mipsnet: check packet length against buffer + +When receiving packets over MIPSnet network device, it uses +receive buffer of size 1514 bytes. In case the controller +accepts large(MTU) packets, it could lead to memory corruption. +Add check to avoid it. + +Reported by: Oleksandr Bazhaniuk +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang + +(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f) +--- + hw/net/mipsnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c +index 740cd98..cf8b823 100644 +--- a/hw/net/mipsnet.c ++++ b/hw/net/mipsnet.c +@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si + if (!mipsnet_can_receive(nc)) + return 0; + ++ if (size >= sizeof(s->rx_buffer)) { ++ return 0; ++ } + s->busy = 1; + + /* Just accept everything. */ diff --git a/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch b/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch new file mode 100644 index 0000000..9e4c4d7 --- /dev/null +++ b/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch @@ -0,0 +1,100 @@ +From: Prasad J Pandit +Date: Mon, 23 May 2016 16:18:05 +0530 +Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size + (CVE-2016-4952) + +Vmware Paravirtual SCSI emulation uses command descriptors to +process SCSI commands. These descriptors come with their ring +buffers. A guest could set the ring buffer size to an arbitrary +value leading to OOB access issue. Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com> +Reviewed-by: Shmulik Ladkani +Reviewed-by: Dmitry Fleytman +Signed-off-by: Paolo Bonzini +(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff) +--- + hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index e690b4e..e1d6d06 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input) + return log; + } + +-static void ++static int + pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + { + int i; +@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + uint32_t req_ring_size, cmp_ring_size; + m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; + ++ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) ++ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { ++ return -1; ++ } + req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; + txr_len_log2 = pvscsi_log2(req_ring_size - 1); +@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + + /* Flush ring state page changes */ + smp_wmb(); ++ ++ return 0; + } + +-static void ++static int + pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) + { + int i; + uint32_t len_log2; + uint32_t ring_size; + ++ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { ++ return -1; ++ } + ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; + len_log2 = pvscsi_log2(ring_size - 1); + +@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) + + /* Flush ring state page changes */ + smp_wmb(); ++ ++ return 0; + } + + static void +@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) + trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); + + pvscsi_dbg_dump_tx_rings_config(rc); +- pvscsi_ring_init_data(&s->rings, rc); ++ if (pvscsi_ring_init_data(&s->rings, rc) < 0) { ++ return PVSCSI_COMMAND_PROCESSING_FAILED; ++ } ++ + s->rings_info_valid = TRUE; + return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; + } +@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s) + } + + if (s->rings_info_valid) { +- pvscsi_ring_init_msg(&s->rings, rc); ++ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) { ++ return PVSCSI_COMMAND_PROCESSING_FAILED; ++ } + s->msg_ring_info_valid = TRUE; + } + return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t); diff --git a/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch b/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch new file mode 100644 index 0000000..40d736d --- /dev/null +++ b/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch @@ -0,0 +1,46 @@ +From: Prasad J Pandit +Date: Tue, 24 May 2016 13:37:44 +0530 +Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests + +The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically +looks for requests and fetches them. A loop doing that in +mptsas_fetch_requests() could run infinitely if 's->state' was +not operational. Move check to avoid such a loop. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd) +--- + hw/scsi/mptsas.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index 499c146..be88e16 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s) + hwaddr addr; + int size; + +- if (s->state != MPI_IOC_STATE_OPERATIONAL) { +- mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE); +- return; +- } +- + /* Read the message header from the guest first. */ + addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post); + pci_dma_read(pci, addr, req, sizeof(hdr)); +@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque) + { + MPTSASState *s = opaque; + ++ if (s->state != MPI_IOC_STATE_OPERATIONAL) { ++ mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE); ++ return; ++ } + while (!MPTSAS_FIFO_EMPTY(s, request_post)) { + mptsas_fetch_request(s); + } diff --git a/0014-scsi-megasas-use-appropriate-property-buffer-size.patch b/0014-scsi-megasas-use-appropriate-property-buffer-size.patch new file mode 100644 index 0000000..b38c361 --- /dev/null +++ b/0014-scsi-megasas-use-appropriate-property-buffer-size.patch @@ -0,0 +1,31 @@ +From: Prasad J Pandit +Date: Wed, 25 May 2016 16:01:29 +0530 +Subject: [PATCH] scsi: megasas: use appropriate property buffer size + +When setting MegaRAID SAS controller properties via MegaRAID +Firmware Interface(MFI) commands, a user supplied size parameter +is used to set property value. Use appropriate size value to avoid +OOB access issues. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731) +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index a63a581..dcbd3e1 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg); ++ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } diff --git a/0015-scsi-megasas-initialise-local-configuration-data-buf.patch b/0015-scsi-megasas-initialise-local-configuration-data-buf.patch new file mode 100644 index 0000000..fb33b43 --- /dev/null +++ b/0015-scsi-megasas-initialise-local-configuration-data-buf.patch @@ -0,0 +1,31 @@ +From: Prasad J Pandit +Date: Wed, 25 May 2016 17:41:44 +0530 +Subject: [PATCH] scsi: megasas: initialise local configuration data buffer + +When reading MegaRAID SAS controller configuration via MegaRAID +Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read +uses an uninitialised local data buffer. Initialise this buffer +to avoid stack information leakage. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf) +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index dcbd3e1..bf642d4 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd) + + static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + { +- uint8_t data[4096]; ++ uint8_t data[4096] = { 0 }; + struct mfi_config_data *info; + int num_pd_disks = 0, array_offset, ld_offset; + BusChild *kid; diff --git a/0016-scsi-megasas-check-read_queue_head-index-value.patch b/0016-scsi-megasas-check-read_queue_head-index-value.patch new file mode 100644 index 0000000..6dae842 --- /dev/null +++ b/0016-scsi-megasas-check-read_queue_head-index-value.patch @@ -0,0 +1,33 @@ +From: Prasad J Pandit +Date: Wed, 25 May 2016 17:55:10 +0530 +Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value + +While doing MegaRAID SAS controller command frame lookup, routine +'megasas_lookup_frame' uses 'read_queue_head' value as an index +into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value +within array bounds to avoid any OOB access. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com> +Reviewed-by: Alexander Graf +Signed-off-by: Paolo Bonzini +(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2) +--- + hw/scsi/megasas.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index bf642d4..cc66d36 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; + s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); ++ s->reply_queue_head %= MEGASAS_MAX_FRAMES; + s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { + s->flags |= MEGASAS_MASK_USE_QUEUE64; diff --git a/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch b/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch new file mode 100644 index 0000000..d200db7 --- /dev/null +++ b/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch @@ -0,0 +1,70 @@ +From: Gerd Hoffmann +Date: Mon, 30 May 2016 09:09:18 +0200 +Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Sanity checks are applied when the fifo is enabled by the guest +(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest +changes the fifo registers afterwards. Move the checks to +vmsvga_fifo_length so they are done each time qemu is about to read +from the fifo. + +Fixes: CVE-2016-4454 +Cc: qemu-stable@nongnu.org +Cc: P J P +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com +(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8) +--- + hw/display/vmware_vga.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 0c63fa8..63a7c05 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) + if (!s->config || !s->enable) { + return 0; + } ++ ++ /* Check range and alignment. */ ++ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) { ++ return 0; ++ } ++ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) { ++ return 0; ++ } ++ if (CMD(max) > SVGA_FIFO_SIZE) { ++ return 0; ++ } ++ if (CMD(max) < CMD(min) + 10 * 1024) { ++ return 0; ++ } ++ + num = CMD(next_cmd) - CMD(stop); + if (num < 0) { + num += CMD(max) - CMD(min); +@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value) + case SVGA_REG_CONFIG_DONE: + if (value) { + s->fifo = (uint32_t *) s->fifo_ptr; +- /* Check range and alignment. */ +- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) { +- break; +- } +- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) { +- break; +- } +- if (CMD(max) > SVGA_FIFO_SIZE) { +- break; +- } +- if (CMD(max) < CMD(min) + 10 * 1024) { +- break; +- } + vga_dirty_log_stop(&s->vga); + } + s->config = !!value; diff --git a/0018-vmsvga-add-more-fifo-checks.patch b/0018-vmsvga-add-more-fifo-checks.patch new file mode 100644 index 0000000..16ef5f0 --- /dev/null +++ b/0018-vmsvga-add-more-fifo-checks.patch @@ -0,0 +1,36 @@ +From: Gerd Hoffmann +Date: Mon, 30 May 2016 09:09:19 +0200 +Subject: [PATCH] vmsvga: add more fifo checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Make sure all fifo ptrs are within range. + +Fixes: CVE-2016-4454 +Cc: qemu-stable@nongnu.org +Cc: P J P +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com +(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e) +--- + hw/display/vmware_vga.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 63a7c05..a26e62e 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) + if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) { + return 0; + } +- if (CMD(max) > SVGA_FIFO_SIZE) { ++ if (CMD(max) > SVGA_FIFO_SIZE || ++ CMD(min) >= SVGA_FIFO_SIZE || ++ CMD(stop) >= SVGA_FIFO_SIZE || ++ CMD(next_cmd) >= SVGA_FIFO_SIZE) { + return 0; + } + if (CMD(max) < CMD(min) + 10 * 1024) { diff --git a/0019-vmsvga-shadow-fifo-registers.patch b/0019-vmsvga-shadow-fifo-registers.patch new file mode 100644 index 0000000..54b6416 --- /dev/null +++ b/0019-vmsvga-shadow-fifo-registers.patch @@ -0,0 +1,143 @@ +From: Gerd Hoffmann +Date: Mon, 30 May 2016 09:09:20 +0200 +Subject: [PATCH] vmsvga: shadow fifo registers + +The fifo is normal ram. So kvm vcpu threads and qemu iothread can +access the fifo in parallel without syncronization. Which in turn +implies we can't use the fifo pointers in-place because the guest +can try changing them underneath us. So add shadows for them, to +make sure the guest can't modify them after we've applied sanity +checks. + +Fixes: CVE-2016-4454 +Cc: qemu-stable@nongnu.org +Cc: P J P +Signed-off-by: Gerd Hoffmann +Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com +(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2) +--- + hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++------------------------- + 1 file changed, 28 insertions(+), 29 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index a26e62e..de2567b 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -66,17 +66,11 @@ struct vmsvga_state_s { + uint8_t *fifo_ptr; + unsigned int fifo_size; + +- union { +- uint32_t *fifo; +- struct QEMU_PACKED { +- uint32_t min; +- uint32_t max; +- uint32_t next_cmd; +- uint32_t stop; +- /* Add registers here when adding capabilities. */ +- uint32_t fifo[0]; +- } *cmd; +- }; ++ uint32_t *fifo; ++ uint32_t fifo_min; ++ uint32_t fifo_max; ++ uint32_t fifo_next; ++ uint32_t fifo_stop; + + #define REDRAW_FIFO_LEN 512 + struct vmsvga_rect_s { +@@ -198,7 +192,7 @@ enum { + */ + SVGA_FIFO_MIN = 0, + SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */ +- SVGA_FIFO_NEXT_CMD, ++ SVGA_FIFO_NEXT, + SVGA_FIFO_STOP, + + /* +@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + } + #endif + +-#define CMD(f) le32_to_cpu(s->cmd->f) +- + static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) + { + int num; +@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) + return 0; + } + ++ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]); ++ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]); ++ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]); ++ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]); ++ + /* Check range and alignment. */ +- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) { ++ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) { + return 0; + } +- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) { ++ if (s->fifo_min < sizeof(uint32_t) * 4) { + return 0; + } +- if (CMD(max) > SVGA_FIFO_SIZE || +- CMD(min) >= SVGA_FIFO_SIZE || +- CMD(stop) >= SVGA_FIFO_SIZE || +- CMD(next_cmd) >= SVGA_FIFO_SIZE) { ++ if (s->fifo_max > SVGA_FIFO_SIZE || ++ s->fifo_min >= SVGA_FIFO_SIZE || ++ s->fifo_stop >= SVGA_FIFO_SIZE || ++ s->fifo_next >= SVGA_FIFO_SIZE) { + return 0; + } +- if (CMD(max) < CMD(min) + 10 * 1024) { ++ if (s->fifo_max < s->fifo_min + 10 * 1024) { + return 0; + } + +- num = CMD(next_cmd) - CMD(stop); ++ num = s->fifo_next - s->fifo_stop; + if (num < 0) { +- num += CMD(max) - CMD(min); ++ num += s->fifo_max - s->fifo_min; + } + return num >> 2; + } + + static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s) + { +- uint32_t cmd = s->fifo[CMD(stop) >> 2]; ++ uint32_t cmd = s->fifo[s->fifo_stop >> 2]; + +- s->cmd->stop = cpu_to_le32(CMD(stop) + 4); +- if (CMD(stop) >= CMD(max)) { +- s->cmd->stop = s->cmd->min; ++ s->fifo_stop += 4; ++ if (s->fifo_stop >= s->fifo_max) { ++ s->fifo_stop = s->fifo_min; + } ++ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop); + return cmd; + } + +@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + len = vmsvga_fifo_length(s); + while (len > 0) { + /* May need to go back to the start of the command if incomplete */ +- cmd_start = s->cmd->stop; ++ cmd_start = s->fifo_stop; + + switch (cmd = vmsvga_fifo_read(s)) { + case SVGA_CMD_UPDATE: +@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + break; + + rewind: +- s->cmd->stop = cmd_start; ++ s->fifo_stop = cmd_start; ++ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop); + break; + } + } diff --git a/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch b/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch new file mode 100644 index 0000000..37dd5e6 --- /dev/null +++ b/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch @@ -0,0 +1,42 @@ +From: Gerd Hoffmann +Date: Mon, 30 May 2016 09:09:21 +0200 +Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +vmsvga_fifo_run is called in regular intervals (on each display update) +and will resume where it left off. So we can simply exit the loop, +without having to worry about how processing will continue. + +Fixes: CVE-2016-4453 +Cc: qemu-stable@nongnu.org +Cc: P J P +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com +(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2) +--- + hw/display/vmware_vga.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index de2567b..e51a05e 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s) + static void vmsvga_fifo_run(struct vmsvga_state_s *s) + { + uint32_t cmd, colour; +- int args, len; ++ int args, len, maxloop = 1024; + int x, y, dx, dy, width, height; + struct vmsvga_cursor_definition_s cursor; + uint32_t cmd_start; + + len = vmsvga_fifo_length(s); +- while (len > 0) { ++ while (len > 0 && --maxloop > 0) { + /* May need to go back to the start of the command if incomplete */ + cmd_start = s->fifo_stop; + diff --git a/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch b/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch new file mode 100644 index 0000000..80c8c37 --- /dev/null +++ b/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch @@ -0,0 +1,34 @@ +From: Peter Lieven +Date: Tue, 24 May 2016 10:59:28 +0200 +Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb + +at least in the path via virtio-blk the maximum size is not +restricted. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Peter Lieven +Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de> +Signed-off-by: Paolo Bonzini +(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196) +--- + block/iscsi.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/block/iscsi.c b/block/iscsi.c +index 302baf8..172e6cf 100644 +--- a/block/iscsi.c ++++ b/block/iscsi.c +@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs, + return &acb->common; + } + ++ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) { ++ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)", ++ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE); ++ qemu_aio_unref(acb); ++ return NULL; ++ } ++ + acb->task = malloc(sizeof(struct scsi_task)); + if (acb->task == NULL) { + error_report("iSCSI: Failed to allocate task for scsi command. %s", diff --git a/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch b/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch new file mode 100644 index 0000000..eba1a41 --- /dev/null +++ b/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch @@ -0,0 +1,33 @@ +From: Prasad J Pandit +Date: Tue, 31 May 2016 23:23:27 +0530 +Subject: [PATCH] scsi: esp: check buffer length before reading scsi command + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. +Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi +command into a buffer. Add check to validate command length against +buffer size to avoid any overrun. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a) +--- + hw/scsi/esp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 591c817..c2f6f8f 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + s->dma_memory_read(s->dma_opaque, buf, dmalen); + } else { + dmalen = s->ti_size; ++ if (dmalen > TI_BUFSZ) { ++ return 0; ++ } + memcpy(buf, s->ti_buf, dmalen); + buf[0] = buf[2] >> 5; + } diff --git a/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch b/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch new file mode 100644 index 0000000..bd8f5da --- /dev/null +++ b/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch @@ -0,0 +1,26 @@ +From: Paolo Bonzini +Date: Tue, 14 Jun 2016 15:10:24 +0200 +Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase + +The FIFO contains two bytes; hence the write ptr should be two bytes ahead +of the read pointer. + +Signed-off-by: Paolo Bonzini +(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e) +--- + hw/scsi/esp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index c2f6f8f..6407844 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -222,7 +222,7 @@ static void write_response(ESPState *s) + } else { + s->ti_size = 2; + s->ti_rptr = 0; +- s->ti_wptr = 0; ++ s->ti_wptr = 2; + s->rregs[ESP_RFLAGS] = 2; + } + esp_raise_irq(s); diff --git a/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch b/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch new file mode 100644 index 0000000..e88d722 --- /dev/null +++ b/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch @@ -0,0 +1,76 @@ +From: Paolo Bonzini +Date: Wed, 15 Jun 2016 14:29:33 +0200 +Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd + +Avoid duplicated code between esp_do_dma and handle_ti. esp_do_dma +has the same code that handle_ti contains after the call to esp_do_dma; +but the code in handle_ti is never reached because it is in an "else if". +Remove the else and also the pointless return. + +esp_do_dma also has a partially dead assignment of the to_device +variable. Sink it to the point where it's actually used. + +Finally, assert that the other caller of esp_do_dma (esp_transfer_data) +only transfers data and not a command. This is true because get_cmd +cancels the old request synchronously before its caller handle_satn_stop +sets do_cmd to 1. + +Reviewed-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f) +--- + hw/scsi/esp.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 6407844..68d3e4d 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -245,15 +245,10 @@ static void esp_do_dma(ESPState *s) + uint32_t len; + int to_device; + +- to_device = (s->ti_size < 0); + len = s->dma_left; + if (s->do_cmd) { + trace_esp_do_dma(s->cmdlen, len); + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); +- s->ti_size = 0; +- s->cmdlen = 0; +- s->do_cmd = 0; +- do_cmd(s, s->cmdbuf); + return; + } + if (s->async_len == 0) { +@@ -263,6 +258,7 @@ static void esp_do_dma(ESPState *s) + if (len > s->async_len) { + len = s->async_len; + } ++ to_device = (s->ti_size < 0); + if (to_device) { + s->dma_memory_read(s->dma_opaque, s->async_buf, len); + } else { +@@ -318,6 +314,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len) + { + ESPState *s = req->hba_private; + ++ assert(!s->do_cmd); + trace_esp_transfer_data(s->dma_left, s->ti_size); + s->async_len = len; + s->async_buf = scsi_req_get_buf(req); +@@ -358,13 +355,13 @@ static void handle_ti(ESPState *s) + s->dma_left = minlen; + s->rregs[ESP_RSTAT] &= ~STAT_TC; + esp_do_dma(s); +- } else if (s->do_cmd) { ++ } ++ if (s->do_cmd) { + trace_esp_handle_ti_cmd(s->cmdlen); + s->ti_size = 0; + s->cmdlen = 0; + s->do_cmd = 0; + do_cmd(s, s->cmdbuf); +- return; + } + } + diff --git a/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch b/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch new file mode 100644 index 0000000..e999e83 --- /dev/null +++ b/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch @@ -0,0 +1,70 @@ +From: Prasad J Pandit +Date: Thu, 16 Jun 2016 00:22:35 +0200 +Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size + +While doing DMA read into ESP command buffer 's->cmdbuf', it could +write past the 's->cmdbuf' area, if it was transferring more than 16 +bytes. Increase the command buffer size to 32, which is maximum when +'s->do_cmd' is set, and add a check on 'len' to avoid OOB access. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Signed-off-by: Paolo Bonzini +(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11) +--- + hw/scsi/esp.c | 6 ++++-- + include/hw/scsi/esp.h | 3 ++- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 68d3e4d..b4601ad 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -248,6 +248,8 @@ static void esp_do_dma(ESPState *s) + len = s->dma_left; + if (s->do_cmd) { + trace_esp_do_dma(s->cmdlen, len); ++ assert (s->cmdlen <= sizeof(s->cmdbuf) && ++ len <= sizeof(s->cmdbuf) - s->cmdlen); + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); + return; + } +@@ -345,7 +347,7 @@ static void handle_ti(ESPState *s) + s->dma_counter = dmalen; + + if (s->do_cmd) +- minlen = (dmalen < 32) ? dmalen : 32; ++ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; + else if (s->ti_size < 0) + minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size; + else +@@ -451,7 +453,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) + break; + case ESP_FIFO: + if (s->do_cmd) { +- if (s->cmdlen < TI_BUFSZ) { ++ if (s->cmdlen < ESP_CMDBUF_SZ) { + s->cmdbuf[s->cmdlen++] = val & 0xff; + } else { + trace_esp_error_fifo_overrun(); +diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h +index 6c79527..d2c4886 100644 +--- a/include/hw/scsi/esp.h ++++ b/include/hw/scsi/esp.h +@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift, + + #define ESP_REGS 16 + #define TI_BUFSZ 16 ++#define ESP_CMDBUF_SZ 32 + + typedef struct ESPState ESPState; + +@@ -31,7 +32,7 @@ struct ESPState { + SCSIBus bus; + SCSIDevice *current_dev; + SCSIRequest *current_req; +- uint8_t cmdbuf[TI_BUFSZ]; ++ uint8_t cmdbuf[ESP_CMDBUF_SZ]; + uint32_t cmdlen; + uint32_t do_cmd; + diff --git a/0026-scsi-megasas-null-terminate-bios-version-buffer.patch b/0026-scsi-megasas-null-terminate-bios-version-buffer.patch new file mode 100644 index 0000000..9a2f6f3 --- /dev/null +++ b/0026-scsi-megasas-null-terminate-bios-version-buffer.patch @@ -0,0 +1,29 @@ +From: Prasad J Pandit +Date: Tue, 7 Jun 2016 16:44:03 +0530 +Subject: [PATCH] scsi: megasas: null terminate bios version buffer + +While reading information via 'megasas_ctrl_get_info' routine, +a local bios version buffer isn't null terminated. Add the +terminating null byte to avoid any OOB access. + +Reported-by: Li Qiang +Reviewed-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Signed-off-by: Paolo Bonzini +(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6) +--- + hw/scsi/megasas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index cc66d36..a9ffc32 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + + ptr = memory_region_get_ram_ptr(&pci_dev->rom); + memcpy(biosver, ptr + 0x41, 31); ++ biosver[31] = 0; + memcpy(info.image_component[1].name, "BIOS", 4); + memcpy(info.image_component[1].version, biosver, + strlen((const char *)biosver)); diff --git a/0027-sdl2-skip-init-without-outputs.patch b/0027-sdl2-skip-init-without-outputs.patch new file mode 100644 index 0000000..17c7b15 --- /dev/null +++ b/0027-sdl2-skip-init-without-outputs.patch @@ -0,0 +1,26 @@ +From: Gerd Hoffmann +Date: Wed, 1 Jun 2016 16:08:36 +0200 +Subject: [PATCH] sdl2: skip init without outputs + +Signed-off-by: Gerd Hoffmann +Tested-by: Cole Robinson +Message-id: 1464790116-32405-1-git-send-email-kraxel@redhat.com +(cherry picked from commit 8efa5f29f83816ae34f428143de49acbaacccb24) +--- + ui/sdl2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ui/sdl2.c b/ui/sdl2.c +index 909038f..30d2a3c 100644 +--- a/ui/sdl2.c ++++ b/ui/sdl2.c +@@ -794,6 +794,9 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame) + } + } + sdl2_num_outputs = i; ++ if (sdl2_num_outputs == 0) { ++ return; ++ } + sdl2_console = g_new0(struct sdl2_console, sdl2_num_outputs); + for (i = 0; i < sdl2_num_outputs; i++) { + QemuConsole *con = qemu_console_lookup_by_index(i); diff --git a/qemu.spec b/qemu.spec index 14788f0..2e81028 100644 --- a/qemu.spec +++ b/qemu.spec @@ -49,7 +49,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.6.0 -Release: 3%{?rcrel}%{?dist} +Release: 4%{?rcrel}%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -102,6 +102,36 @@ Patch0008: 0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch Patch0009: 0009-vga-add-sr_vbe-register-set.patch # Fix crash with aarch64 gic-version=host and accel=tcg (bz #1339977) Patch0010: 0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch +# CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083) +Patch0011: 0011-net-mipsnet-check-packet-length-against-buffer.patch +# CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue +Patch0012: 0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch +# CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157) +Patch0013: 0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch +# CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581) +Patch0014: 0014-scsi-megasas-use-appropriate-property-buffer-size.patch +# CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585) +Patch0015: 0015-scsi-megasas-initialise-local-configuration-data-buf.patch +# CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573) +Patch0016: 0016-scsi-megasas-check-read_queue_head-index-value.patch +# CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740) +Patch0017: 0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch +Patch0018: 0018-vmsvga-add-more-fifo-checks.patch +Patch0019: 0019-vmsvga-shadow-fifo-registers.patch +# CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744) +Patch0020: 0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch +# CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925) +Patch0021: 0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch +# CVE-2016-5238: scsi: esp: OOB write (bz #1341932) +Patch0022: 0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch +Patch0023: 0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch +Patch0024: 0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch +# CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325) +Patch0025: 0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch +# CVE-2016-5337: scsi: megasas: information leakage (bz #1343910) +Patch0026: 0026-scsi-megasas-null-terminate-bios-version-buffer.patch +# Fix crash with -nodefaults -sdl (bz #1340931) +Patch0027: 0027-sdl2-skip-init-without-outputs.patch # documentation deps @@ -1227,6 +1257,22 @@ getent passwd qemu >/dev/null || \ %changelog +* Wed Jun 22 2016 Cole Robinson - 2:2.6.0-4 +- CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083) +- CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue +- CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157) +- CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581) +- CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585) +- CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573) +- CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740) +- CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744) +- CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925) +- CVE-2016-5238: scsi: esp: OOB write (bz #1341932) +- CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325) +- CVE-2016-5337: scsi: megasas: information leakage (bz #1343910) +- Fix crash with -nodefaults -sdl (bz #1340931) +- Add deps on edk2-ovmf and edk2-aarch64 + * Thu May 26 2016 Cole Robinson - 2:2.6.0-3 - CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904) - CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503)