From 1c771352d312c745352e7ff989bdbd03c07056e0 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Thu, 7 Jan 2016 09:59:21 +0100 Subject: [PATCH] Several fixes CVE-2015-8613 scsi: initialise info object with appropriate size CVE-2015-8619 hmp: avoid redundant null termination of buffer CVE-2015-8666 acpi: fix buffer overrun on migration CVE-2015-8701 net: rocker: fix an incorrect array bounds check CVE-2015-8743 net: ne2000: fix bounds check in ioport operations CVE-2015-8744 net/vmxnet3: Refine l2 header validation CVE-2015-8745 vmxnet3: Support reading IMR registers on bar0 --- ...CVE-2015-8613-scsi-initialize-info-object.patch | 31 +++++++++ debian/patches/CVE-2015-8619-hmp-oob-write.patch | 34 ++++++++++ ...8666-acpi-fix-buffer-overrun-on-migration.patch | 45 +++++++++++++ .../CVE-2015-8701-net-rocker-off-by-one.patch | 47 +++++++++++++ .../CVE-2015-8743-ne2000-ioport-bounds-check.patch | 48 ++++++++++++++ ...-8744-vmxnet3-refine-l2-header-validation.patch | 76 ++++++++++++++++++++++ ...745-vmxnet3-support-reading-imr-registers.patch | 37 +++++++++++ debian/patches/series | 7 ++ 8 files changed, 325 insertions(+) create mode 100644 debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch create mode 100644 debian/patches/CVE-2015-8619-hmp-oob-write.patch create mode 100644 debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch create mode 100644 debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch create mode 100644 debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch create mode 100644 debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch create mode 100644 debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch diff --git a/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch b/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch new file mode 100644 index 0000000..ee0f36d --- /dev/null +++ b/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch @@ -0,0 +1,31 @@ +From 5823b4a214ede884f4ba597fdd629862620e0f92 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 21 Dec 2015 14:48:18 +0530 +Subject: [PATCH] scsi: initialise info object with appropriate size + +While processing controller 'CTRL_GET_INFO' command, the routine +'megasas_ctrl_get_info' overflows the '&info' object size. Use its +appropriate size to null initialise it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index d7dc667..576f56c 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + BusChild *kid; + int num_pd_disks = 0; + +- memset(&info, 0x0, cmd->iov_size); ++ memset(&info, 0x0, dcmd_size); + if (cmd->iov_size < dcmd_size) { + trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, + dcmd_size); +-- +2.4.3 +=== diff --git a/debian/patches/CVE-2015-8619-hmp-oob-write.patch b/debian/patches/CVE-2015-8619-hmp-oob-write.patch new file mode 100644 index 0000000..1dd22d4 --- /dev/null +++ b/debian/patches/CVE-2015-8619-hmp-oob-write.patch @@ -0,0 +1,34 @@ +From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 17 Dec 2015 17:47:15 +0530 +Subject: [PATCH] hmp: avoid redundant null termination of buffer + +When processing 'sendkey' command, hmp_sendkey routine null +terminates the 'keyname_buf' array. This results in an OOB write +issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. +Removed the redundant null termination, as pstrcpy routine already +null terminates the target buffer. + +Reported-by: Ling Liu +Signed-off-by: Prasad J Pandit +--- + hmp.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/hmp.c b/hmp.c +index 2140605..e530c9c 100644 +--- a/hmp.c ++++ b/hmp.c +@@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) + /* Be compatible with old interface, convert user inputted "<" */ + if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { + pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); +- keyname_len = 4; + } +- keyname_buf[keyname_len] = 0; + + keylist = g_malloc0(sizeof(*keylist)); + keylist->value = g_malloc0(sizeof(*keylist->value)); +-- +2.4.3 +=== diff --git a/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch b/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch new file mode 100644 index 0000000..b46ab48 --- /dev/null +++ b/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch @@ -0,0 +1,45 @@ +From d9a3b33d2c9f996537b7f1d0246dee2d0120cefb Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 19 Nov 2015 15:14:07 +0200 +Subject: [PATCH] acpi: fix buffer overrun on migration + +ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so +ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full +ICH9_PMIO_GPE0_LEN bytes are migrated. + +As a quick work-around, allocate twice the memory. +We'll probably want to tweak code to avoid +migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes, +but that is a bit trickier to do without breaking +migration compatibility. + +Tested-by: "Dr. David Alan Gilbert" +Reported-by: "Dr. David Alan Gilbert" +Cc: qemu-stable@nongnu.org +Signed-off-by: Michael S. Tsirkin +--- + hw/acpi/core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/hw/acpi/core.c b/hw/acpi/core.c +index fe6215a..21e113d 100644 +--- a/hw/acpi/core.c ++++ b/hw/acpi/core.c +@@ -625,8 +625,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar) + void acpi_gpe_init(ACPIREGS *ar, uint8_t len) + { + ar->gpe.len = len; +- ar->gpe.sts = g_malloc0(len / 2); +- ar->gpe.en = g_malloc0(len / 2); ++ /* Only first len / 2 bytes are ever used, ++ * but the caller in ich9.c migrates full len bytes. ++ * TODO: fix ich9.c and drop the extra allocation. ++ */ ++ ar->gpe.sts = g_malloc0(len); ++ ar->gpe.en = g_malloc0(len); + } + + void acpi_gpe_reset(ACPIREGS *ar) +-- +2.1.4 + diff --git a/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch b/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch new file mode 100644 index 0000000..7b17355 --- /dev/null +++ b/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch @@ -0,0 +1,47 @@ +From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 28 Dec 2015 16:24:08 +0530 +Subject: [PATCH] net: rocker: fix an incorrect array bounds check + +While processing transmit(tx) descriptors in 'tx_consume' routine +the switch emulator suffers from an off-by-one error, if a +descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) +fragments. Fix an incorrect bounds check to avoid it. + +Reported-by: Qinghao Tang +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/rocker/rocker.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c +index c57f1a6..2e77e50 100644 +--- a/hw/net/rocker/rocker.c ++++ b/hw/net/rocker/rocker.c +@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) + frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); + frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); + ++ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { ++ goto err_too_many_frags; ++ } + iov[iovcnt].iov_len = frag_len; + iov[iovcnt].iov_base = g_malloc(frag_len); + if (!iov[iovcnt].iov_base) { +@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) + err = -ROCKER_ENXIO; + goto err_bad_io; + } +- +- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { +- goto err_too_many_frags; +- } ++ iovcnt++; + } + + if (iovcnt) { +-- +2.1.4 + diff --git a/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch b/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch new file mode 100644 index 0000000..5b34ecf --- /dev/null +++ b/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch @@ -0,0 +1,48 @@ +From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 31 Dec 2015 17:05:27 +0530 +Subject: [PATCH] net: ne2000: fix bounds check in ioport operations + +While doing ioport r/w operations, ne2000 device emulation suffers +from OOB r/w errors. Update respective array bounds check to avoid +OOB access. + +Reported-by: Ling Liu +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/ne2000.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 010f9ef..a3dffff 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, + uint32_t val) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + stl_le_p(s->mem + addr, val); + } + } +@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) + static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + return ldl_le_p(s->mem + addr); + } else { + return 0xffffffff; +-- +2.1.4 + diff --git a/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch b/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch new file mode 100644 index 0000000..fbb9f54 --- /dev/null +++ b/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch @@ -0,0 +1,76 @@ +From a7278b36fcab9af469563bd7b9dadebe2ae25e48 Mon Sep 17 00:00:00 2001 +From: Dana Rubin +Date: Tue, 18 Aug 2015 12:45:55 +0300 +Subject: [PATCH] net/vmxnet3: Refine l2 header validation + +Validation of l2 header length assumed minimal packet size as +eth_header + 2 * vlan_header regardless of the actual protocol. + +This caused crash for valid non-IP packets shorter than 22 bytes, as +'tx_pkt->packet_type' hasn't been assigned for such packets, and +'vmxnet3_on_tx_done_update_stats()' expects it to be properly set. + +Refine header length validation in 'vmxnet_tx_pkt_parse_headers'. +Check its return value during packet processing flow. + +As a side effect, in case IPv4 and IPv6 header validation failure, +corrupt packets will be dropped. + +Signed-off-by: Dana Rubin +Signed-off-by: Shmulik Ladkani +Signed-off-by: Jason Wang +--- + hw/net/vmxnet3.c | 4 +--- + hw/net/vmxnet_tx_pkt.c | 19 ++++++++++++++++--- + 2 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index 04159c8..48ced71 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx) + } + + if (txd.eop) { +- if (!s->skip_current_tx_pkt) { +- vmxnet_tx_pkt_parse(s->tx_pkt); +- ++ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) { + if (s->needs_vlan) { + vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci); + } +diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c +index f7344c4..eb88ddf 100644 +--- a/hw/net/vmxnet_tx_pkt.c ++++ b/hw/net/vmxnet_tx_pkt.c +@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt) + + bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base, + ETH_MAX_L2_HDR_LEN); +- if (bytes_read < ETH_MAX_L2_HDR_LEN) { ++ if (bytes_read < sizeof(struct eth_header)) { ++ l2_hdr->iov_len = 0; ++ return false; ++ } ++ ++ l2_hdr->iov_len = sizeof(struct eth_header); ++ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) { ++ case ETH_P_VLAN: ++ l2_hdr->iov_len += sizeof(struct vlan_header); ++ break; ++ case ETH_P_DVLAN: ++ l2_hdr->iov_len += 2 * sizeof(struct vlan_header); ++ break; ++ } ++ ++ if (bytes_read < l2_hdr->iov_len) { + l2_hdr->iov_len = 0; + return false; +- } else { +- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base); + } + + l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len); +-- +2.1.4 + diff --git a/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch b/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch new file mode 100644 index 0000000..deb755f --- /dev/null +++ b/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch @@ -0,0 +1,37 @@ +From c6048f849c7e3f009786df76206e895a69de032c Mon Sep 17 00:00:00 2001 +From: Shmulik Ladkani +Date: Mon, 21 Sep 2015 17:09:02 +0300 +Subject: [PATCH] vmxnet3: Support reading IMR registers on bar0 + +Instead of asserting, return the actual IMR register value. +This is aligned with what's returned on ESXi. + +Signed-off-by: Shmulik Ladkani +Tested-by: Dana Rubin +Signed-off-by: Jason Wang +--- + hw/net/vmxnet3.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index 48ced71..057f0dc 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1163,9 +1163,13 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr, + static uint64_t + vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size) + { ++ VMXNET3State *s = opaque; ++ + if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR, + VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) { +- g_assert_not_reached(); ++ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR, ++ VMXNET3_REG_ALIGN); ++ return s->interrupt_states[l].is_masked; + } + + VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size); +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 2dcbd1c..6b978ca 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -41,3 +41,10 @@ add_firewall_to_vma.patch CVE-2015-7549-msix-pba-write-ro.patch CVE-2015-8558-ehci_make_idt_processing_more_robust.patch vmxnet3-host-memory-leakage.patch +CVE-2015-8613-scsi-initialize-info-object.patch +CVE-2015-8619-hmp-oob-write.patch +CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch +CVE-2015-8701-net-rocker-off-by-one.patch +CVE-2015-8743-ne2000-ioport-bounds-check.patch +CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch +CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch -- 2.11.4.GIT