From 06fb051380ba5259ad1c307e42ccbab939d981c9 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Tue, 31 May 2016 16:33:32 +0200 Subject: [PATCH] fix various CVEs CVE-2016-5105: scsi: megasas: initialise local configuration data buffer CVE-2016-5106: scsi: megasas: use appropriate property buffer size CVE-2016-5107: scsi: megasas: check 'read_queue_head' index value CVE-2016-5126: block/iscsi: avoid potential overflow of acb->task->cdb CVE-2016-4454: vmsvga: move fifo sanity checks to vmsvga_fifo_length vmsvga: add more fifo checks vmsvga: shadow fifo registers CVE-2016-4453: vmsvga: don't process more than 1024 fifo commands at --- ...-fifo-sanity-checks-to-vmsvga_fifo_length.patch | 71 ++++++++++ .../extra/0005-vmsvga-add-more-fifo-checks.patch | 37 ++++++ .../extra/0006-vmsvga-shadow-fifo-registers.patch | 144 +++++++++++++++++++++ ...t-process-more-than-1024-fifo-commands-at.patch | 44 +++++++ ...s-initialise-local-configuration-data-buf.patch | 38 ++++++ ...asas-use-appropriate-property-buffer-size.patch | 38 ++++++ ...megasas-check-read_queue_head-index-value.patch | 40 ++++++ ...-avoid-potential-overflow-of-acb-task-cdb.patch | 41 ++++++ debian/patches/series | 8 ++ 9 files changed, 461 insertions(+) create mode 100644 debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch create mode 100644 debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch create mode 100644 debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch create mode 100644 debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch create mode 100644 debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch create mode 100644 debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch create mode 100644 debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch create mode 100644 debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch 
diff --git a/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch b/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
new file mode 100644
index 0000000..8182db1
--- /dev/null
+++ b/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
@@ -0,0 +1,71 @@
+From 4aa79a8818711d475bd79b906cd7d060d4e8a441 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 30 May 2016 09:09:18 +0200
+Subject: [PATCH 4/9] vmsvga: move fifo sanity checks to vmsvga_fifo_length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sanity checks are applied when the fifo is enabled by the guest
+(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
+changes the fifo registers afterwards. Move the checks to
+vmsvga_fifo_length so they are done each time qemu is about to read
+from the fifo.
+
+Fixes: CVE-2016-4454
+Cc: P J P
+Reported-by: 李强
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/vmware_vga.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 9354037..3ce1717 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -553,6 +553,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+ if (!s->config || !s->enable) {
+ return 0;
+ }
++
++ /* Check range and alignment. */
++ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
++ return 0;
++ }
++ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
++ return 0;
++ }
++ if (CMD(max) > SVGA_FIFO_SIZE) {
++ return 0;
++ }
++ if (CMD(max) < CMD(min) + 10 * 1024) {
++ return 0;
++ }
++
+ num = CMD(next_cmd) - CMD(stop);
+ if (num < 0) {
+ num += CMD(max) - CMD(min);
+@@ -1003,19 +1018,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
+ case SVGA_REG_CONFIG_DONE:
+ if (value) {
+ s->fifo = (uint32_t *) s->fifo_ptr;
+- /* Check range and alignment. */
+- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+- break;
+- }
+- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+- break;
+- }
+- if (CMD(max) > SVGA_FIFO_SIZE) {
+- break;
+- }
+- if (CMD(max) < CMD(min) + 10 * 1024) {
+- break;
+- }
+ vga_dirty_log_stop(&s->vga);
+ }
+ s->config = !!value;
+--
+2.1.4
+
diff --git a/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch b/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch
new file mode 100644
index 0000000..59fa672
--- /dev/null
+++ b/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch
@@ -0,0 +1,37 @@
+From aafca5995f11e0cd69e0607bfb7b3b7333f96be8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 30 May 2016 09:09:19 +0200
+Subject: [PATCH 5/9] vmsvga: add more fifo checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make sure all fifo ptrs are within range.
+
+Fixes: CVE-2016-4454
+Cc: P J P
+Reported-by: 李强
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/vmware_vga.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 3ce1717..f2663ee 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -561,7 +561,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+ return 0;
+ }
+- if (CMD(max) > SVGA_FIFO_SIZE) {
++ if (CMD(max) > SVGA_FIFO_SIZE ||
++ CMD(min) >= SVGA_FIFO_SIZE ||
++ CMD(stop) >= SVGA_FIFO_SIZE ||
++ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
+ return 0;
+ }
+ if (CMD(max) < CMD(min) + 10 * 1024) {
+--
+2.1.4
+
diff --git a/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch b/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch
new file mode 100644
index 0000000..402e952
--- /dev/null
+++ b/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch
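Review bot: In the 0005 patch's check in vmsvga_fifo_length, `CMD(stop)` and `CMD(next_cmd)` are compared only with SVGA_FIFO_SIZE, not with the guest's own `min` and `max`. A `stop` below `min` would still index inside the FIFO buffer, so this looks like a robustness gap rather than a memory-safety one, but the reader would presumably then treat the register words at the start of the FIFO as commands. If the protocol keeps both pointers in [min, max), consider also rejecting `CMD(stop) < CMD(min) || CMD(stop) >= CMD(max)` and the same pair for `CMD(next_cmd)`. The function body starts and ends outside the hunk.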
@@ -0,0 +1,144 @@
+From a2273296a948a2f6f36d858c18893315030702d6 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 30 May 2016 09:09:20 +0200
+Subject: [PATCH 6/9] vmsvga: shadow fifo registers
+
+The fifo is normal ram. So kvm vcpu threads and qemu iothread can
+access the fifo in parallel without syncronization. Which in turn
+implies we can't use the fifo pointers in-place because the guest
+can try changing them underneath us. So add shadows for them, to
+make sure the guest can't modify them after we've applied sanity
+checks.
+
+Fixes: CVE-2016-4454
+Cc: P J P
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index f2663ee..99e128b 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -64,17 +64,11 @@ struct vmsvga_state_s {
+ uint8_t *fifo_ptr;
+ unsigned int fifo_size;
+
+- union {
+- uint32_t *fifo;
+- struct QEMU_PACKED {
+- uint32_t min;
+- uint32_t max;
+- uint32_t next_cmd;
+- uint32_t stop;
+- /* Add registers here when adding capabilities. */
+- uint32_t fifo[0];
+- } *cmd;
+- };
++ uint32_t *fifo;
++ uint32_t fifo_min;
++ uint32_t fifo_max;
++ uint32_t fifo_next;
++ uint32_t fifo_stop;
+
+ #define REDRAW_FIFO_LEN 512
+ struct vmsvga_rect_s {
+@@ -196,7 +190,7 @@ enum {
+ */
+ SVGA_FIFO_MIN = 0,
+ SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
+- SVGA_FIFO_NEXT_CMD,
++ SVGA_FIFO_NEXT,
+ SVGA_FIFO_STOP,
+
+ /*
+@@ -544,8 +538,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ }
+ #endif
+
+-#define CMD(f) le32_to_cpu(s->cmd->f)
+-
+ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+ {
+ int num;
+@@ -554,38 +546,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
+ return 0;
+ }
+
++ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
++ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
++ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
++ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
++
+ /* Check range and alignment. */
+- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
++ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
+ return 0;
+ }
+- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
++ if (s->fifo_min < sizeof(uint32_t) * 4) {
+ return 0;
+ }
+- if (CMD(max) > SVGA_FIFO_SIZE ||
+- CMD(min) >= SVGA_FIFO_SIZE ||
+- CMD(stop) >= SVGA_FIFO_SIZE ||
+- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
++ if (s->fifo_max > SVGA_FIFO_SIZE ||
++ s->fifo_min >= SVGA_FIFO_SIZE ||
++ s->fifo_stop >= SVGA_FIFO_SIZE ||
++ s->fifo_next >= SVGA_FIFO_SIZE) {
+ return 0;
+ }
+- if (CMD(max) < CMD(min) + 10 * 1024) {
++ if (s->fifo_max < s->fifo_min + 10 * 1024) {
+ return 0;
+ }
+
+- num = CMD(next_cmd) - CMD(stop);
++ num = s->fifo_next - s->fifo_stop;
+ if (num < 0) {
+- num += CMD(max) - CMD(min);
++ num += s->fifo_max - s->fifo_min;
+ }
+ return num >> 2;
+ }
+
+ static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
+ {
+- uint32_t cmd = s->fifo[CMD(stop) >> 2];
++ uint32_t cmd = s->fifo[s->fifo_stop >> 2];
+
+- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
+- if (CMD(stop) >= CMD(max)) {
+- s->cmd->stop = s->cmd->min;
++ s->fifo_stop += 4;
++ if (s->fifo_stop >= s->fifo_max) {
++ s->fifo_stop = s->fifo_min;
+ }
++ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
+ return cmd;
+ }
+
+@@ -605,7 +603,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ len = vmsvga_fifo_length(s);
+ while (len > 0) {
+ /* May need to go back to the start of the command if incomplete */
+- cmd_start = s->cmd->stop;
++ cmd_start = s->fifo_stop;
+
+ switch (cmd = vmsvga_fifo_read(s)) {
+ case SVGA_CMD_UPDATE:
+@@ -764,7 +762,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ break;
+
+ rewind:
+- s->cmd->stop = cmd_start;
++ s->fifo_stop = cmd_start;
++ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
+ break;
+ }
+ }
+--
+2.1.4
+
diff --git a/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch b/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
new file mode 100644
index 0000000..4c4f486
--- /dev/null
+++ b/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
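Review bot: In vmsvga_fifo_length (0006 patch) the shadow fields `s->fifo_min`, `s->fifo_max`, `s->fifo_next` and `s->fifo_stop` are overwritten with the guest's values before any check runs, so when a check fails and the function returns 0 the device state is left holding unvalidated numbers. vmsvga_fifo_read_raw indexes `s->fifo[s->fifo_stop >> 2]` from those fields; vmsvga_fifo_run does call the length function first, but any other caller lies outside the hunk and would rely on the same ordering. Reading the four registers into locals and committing them to `s` only after every check passes keeps the shadows either validated or unchanged. A short comment marking the four loads as the single snapshot of guest-shared memory would also record why later code must not re-read `s->fifo[]` for these values.

```c
static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
{
    /* … unchanged: num declaration, config/enable check … */

    /* Single snapshot of the guest-writable FIFO registers. */
    uint32_t min_off = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
    uint32_t max_off = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
    uint32_t next_off = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
    uint32_t stop_off = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);

    /* … unchanged: range and alignment checks, applied to the locals … */

    /* Publish only values that passed every check. */
    s->fifo_min = min_off;
    s->fifo_max = max_off;
    s->fifo_next = next_off;
    s->fifo_stop = stop_off;

    /* … unchanged: num computation and return … */
}
```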
@@ -0,0 +1,44 @@
+From 6e964a410da04c4519a4e1e3e7196bc7dcfd59b7 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 30 May 2016 09:09:21 +0200
+Subject: [PATCH 7/9] vmsvga: don't process more than 1024 fifo commands at
+ once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+vmsvga_fifo_run is called in regular intervals (on each display update)
+and will resume where it left off. So we can simply exit the loop,
+without having to worry about how processing will continue.
+
+Fixes: CVE-2016-4453
+Cc: P J P
+Reported-by: 李强
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/vmware_vga.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 99e128b..b143a86 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -595,13 +595,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
+ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ {
+ uint32_t cmd, colour;
+- int args, len;
++ int args, len, maxloop = 1024;
+ int x, y, dx, dy, width, height;
+ struct vmsvga_cursor_definition_s cursor;
+ uint32_t cmd_start;
+
+ len = vmsvga_fifo_length(s);
+- while (len > 0) {
++ while (len > 0 && --maxloop > 0) {
+ /* May need to go back to the start of the command if incomplete */
+ cmd_start = s->fifo_stop;
+
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch b/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
new file mode 100644
index 0000000..e6be3b5
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
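Review bot: With `maxloop = 1024` and the pre-decrement test `--maxloop > 0`, the loop in vmsvga_fifo_run (0007 patch) runs at most 1023 times, one fewer than the 1024 named in the subject line. That does not weaken the bound, but the limit is an unexplained literal tucked into the declaration list. Suggest a post-decrement test, `while (len > 0 && maxloop-- > 0) {`, and a comment above the loop such as `/* cap commands handled per call; the rest is picked up on the next display update */`. The function body continues outside the hunk.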
@@ -0,0 +1,38 @@
+From e74703fab04c39c9a01385bbe3d79e47f7db4ccb Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 25 May 2016 17:41:44 +0530
+Subject: [PATCH 1/9] scsi: megasas: initialise local configuration data buffer
+
+When reading MegaRAID SAS controller configuration via MegaRAID
+Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
+uses an uninitialised local data buffer. Initialise this buffer
+to avoid stack information leakage.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+
+Notes:
+ CVE-2016-5105
+
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 576f56c..8526c01 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -1292,7 +1292,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
+
+ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
+ {
+- uint8_t data[4096];
++ uint8_t data[4096] = { 0 };
+ struct mfi_config_data *info;
+ int num_pd_disks = 0, array_offset, ld_offset;
+ BusChild *kid;
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch b/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
new file mode 100644
index 0000000..c4c2523
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
@@ -0,0 +1,38 @@
+From fdcbd7ebf09947c2b65cbb10366eba6382e3c0d6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 25 May 2016 16:01:29 +0530
+Subject: [PATCH 2/9] scsi: megasas: use appropriate property buffer size
+
+When setting MegaRAID SAS controller properties via MegaRAID
+Firmware Interface(MFI) commands, a user supplied size parameter
+is used to set property value. Use appropriate size value to avoid
+OOB access issues.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+
+Notes:
+ CVE-2016-5106
+
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 8526c01..05c72b0 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -1445,7 +1445,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
+ dcmd_size);
+ return MFI_STAT_INVALID_PARAMETER;
+ }
+- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
++ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
+ trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
+ return MFI_STAT_OK;
+ }
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch b/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
new file mode 100644
index 0000000..6321e22
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
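Review bot: The trace call right after the changed `dma_buf_write` in megasas_dcmd_set_properties still reports `cmd->iov_size`, while the copy is now `dcmd_size` bytes. The hunk does not show where `dcmd_size` is set (presumably `sizeof(info)`), so a reader cannot tell from here why the two differ. A one-line comment on the call, such as `/* copy exactly dcmd_size bytes: iov_size is guest-supplied and may exceed info */`, would record the reason for the fix. The function starts outside the hunk.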
@@ -0,0 +1,40 @@
+From 97f8f06928e2a0d3db6157f6cd8dcf3b002dfb9f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 25 May 2016 17:55:10 +0530
+Subject: [PATCH 3/9] scsi: megasas: check 'read_queue_head' index value
+
+While doing MegaRAID SAS controller command frame lookup, routine
+'megasas_lookup_frame' uses 'read_queue_head' value as an index
+into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
+within array bounds to avoid any OOB access.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
+Reviewed-by: Alexander Graf
+Signed-off-by: Paolo Bonzini
+---
+
+Notes:
+ CVE-2016-5107
+
+ hw/scsi/megasas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 05c72b0..ebbe270 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -649,7 +649,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
+ pa_hi = le32_to_cpu(initq->pi_addr_hi);
+ s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
+ s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
++ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
+ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
++ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
+ flags = le32_to_cpu(initq->flags);
+ if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
+ s->flags |= MEGASAS_MASK_USE_QUEUE64;
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch b/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
new file mode 100644
index 0000000..e0e2262
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
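Review bot: The two added `%= MEGASAS_MAX_FRAMES` lines in megasas_init_firmware fold an out-of-range guest value into range silently, and they cover only the loads done at firmware init. If `reply_queue_head` or `reply_queue_tail` is reloaded from guest memory anywhere else (not visible in this hunk), that load needs the same bound before the value is used as a `frames[]` index. Consider a small helper that performs the `ldl_le_pci_dma` and the bound together, or failing the init when the value is out of range, and add a comment such as `/* guest-controlled index: keep within frames[] */`. The function body starts and ends outside the hunk.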
@@ -0,0 +1,41 @@
+From f684109f3a14cfe0c7a9aa7b478dd6da67ea6b6c Mon Sep 17 00:00:00 2001
+From: Peter Lieven
+Date: Tue, 24 May 2016 10:59:28 +0200
+Subject: [PATCH 8/9] block/iscsi: avoid potential overflow of acb->task->cdb
+
+at least in the path via virtio-blk the maximum size is not
+restricted.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Lieven
+Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
+Signed-off-by: Paolo Bonzini
+---
+
+Notes:
+ CVE-2016-5126
+
+ block/iscsi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index bd1f1bf..e424f7d 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -834,6 +834,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
+ return &acb->common;
+ }
+
++ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
++ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
++ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
++ qemu_aio_unref(acb);
++ return NULL;
++ }
++
+ acb->task = malloc(sizeof(struct scsi_task));
+ if (acb->task == NULL) {
+ error_report("iSCSI: Failed to allocate task for scsi command. %s",
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index fe89dd1..10e5d46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -55,3 +55,11 @@ extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
 extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
 extra/0001-vga-add-sr_vbe-register-set.patch
 extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
+extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
+extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
+extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
+extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
+extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
+extra/0005-vmsvga-add-more-fifo-checks.patch
+extra/0006-vmsvga-shadow-fifo-registers.patch
+extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
--
2.11.4.GIT