From aeae754bb16e15339a13886028f983dd7a78ceaf Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Mon, 7 Mar 2016 11:07:17 +0100 Subject: [PATCH] Fix CVE-2016-2841, CVE-2016-2857, CVE-2016-2858 CVE-2016-2841: net: ne2000: check ring buffer control registers CVE-2016-2857: net: check packet payload length CVE-2016-2858: rng: add request queue support to rng-random --- ...move-the-unused-request-cancellation-code.patch | 98 +++++++++++ ...e-request-queue-from-RngEgd-to-RngBackend.patch | 135 ++++++++++++++++ ...quest-queue-cleanup-from-RngEgd-to-RngBac.patch | 163 +++++++++++++++++++ ...ask-for-more-data-if-queue-is-not-fully-d.patch | 47 ++++++ ...e2000-check-ring-buffer-control-registers.patch | 37 +++++ ...2016-2857-net-check-packet-payload-length.patch | 47 ++++++ ...g-add-request-queue-support-to-rng-random.patch | 179 +++++++++++++++++++++ debian/patches/series | 7 + 8 files changed, 713 insertions(+) create mode 100644 debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch create mode 100644 debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch create mode 100644 debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch create mode 100644 debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch create mode 100644 debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch create mode 100644 debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch create mode 100644 debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch diff --git a/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch b/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch new file mode 100644 index 0000000..5db5a8e --- /dev/null +++ b/debian/patches/extra/0001-rng-remove-the-unused-request-cancellation-code.patch @@ -0,0 +1,98 @@ +From d615099455e3a6cc71c17182cabd851d4340354d Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 09:37:15 +0100 +Subject: [PATCH 1/5] rng: remove the unused request cancellation code + +rng_backend_cancel_requests had no callers and none of the code +deleted in this commit ever ran. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + backends/rng-egd.c | 12 ------------ + backends/rng.c | 9 --------- + include/sysemu/rng.h | 11 ----------- + 3 files changed, 32 deletions(-) + +diff --git a/backends/rng-egd.c b/backends/rng-egd.c +index 6c13409..3c6362e 100644 +--- a/backends/rng-egd.c ++++ b/backends/rng-egd.c +@@ -124,17 +124,6 @@ static void rng_egd_free_requests(RngEgd *s) + s->requests = NULL; + } + +-static void rng_egd_cancel_requests(RngBackend *b) +-{ +- RngEgd *s = RNG_EGD(b); +- +- /* We simply delete the list of pending requests. If there is data in the +- * queue waiting to be read, this is okay, because there will always be +- * more data than we requested originally +- */ +- rng_egd_free_requests(s); +-} +- + static void rng_egd_opened(RngBackend *b, Error **errp) + { + RngEgd *s = RNG_EGD(b); +@@ -212,7 +201,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data) + RngBackendClass *rbc = RNG_BACKEND_CLASS(klass); + + rbc->request_entropy = rng_egd_request_entropy; +- rbc->cancel_requests = rng_egd_cancel_requests; + rbc->opened = rng_egd_opened; + } + +diff --git a/backends/rng.c b/backends/rng.c +index 5065fdc..5d1876c 100644 +--- a/backends/rng.c ++++ b/backends/rng.c +@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, + } + } + +-void rng_backend_cancel_requests(RngBackend *s) +-{ +- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); +- +- if (k->cancel_requests) { +- k->cancel_requests(s); +- } +-} +- + static bool rng_backend_prop_get_opened(Object *obj, Error **errp) + { + RngBackend *s = RNG_BACKEND(obj); +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h +index 0a27c9b..c7da17d 100644 +--- a/include/sysemu/rng.h ++++ b/include/sysemu/rng.h +@@ -38,7 +38,6 @@ struct RngBackendClass + + void (*request_entropy)(RngBackend *s, size_t size, + EntropyReceiveFunc *receive_entropy, void *opaque); +- void (*cancel_requests)(RngBackend *s); + + void (*opened)(RngBackend *s, Error **errp); + }; +@@ -69,14 +68,4 @@ struct RngBackend + void rng_backend_request_entropy(RngBackend *s, size_t size, + EntropyReceiveFunc *receive_entropy, + void *opaque); +- +-/** +- * rng_backend_cancel_requests: +- * @s: the backend to cancel all pending requests in +- * +- * Cancels all pending requests submitted by @rng_backend_request_entropy. This +- * should be used by a device during reset or in preparation for live migration +- * to stop tracking any request. +- */ +-void rng_backend_cancel_requests(RngBackend *s); + #endif +-- +2.1.4 + diff --git a/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch b/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch new file mode 100644 index 0000000..a9d6e4b --- /dev/null +++ b/debian/patches/extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch @@ -0,0 +1,135 @@ +From 8cd5c28840888a32dab08ef1387864723c092a1d Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 09:37:16 +0100 +Subject: [PATCH 2/5] rng: move request queue from RngEgd to RngBackend + +The 'requests' field now lives in the RngBackend parent class. +There are no functional changes in this commit. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + backends/rng-egd.c | 28 +++++++++------------------- + include/sysemu/rng.h | 11 +++++++++++ + 2 files changed, 20 insertions(+), 19 deletions(-) + +diff --git a/backends/rng-egd.c b/backends/rng-egd.c +index 3c6362e..19eee70 100644 +--- a/backends/rng-egd.c ++++ b/backends/rng-egd.c +@@ -24,19 +24,8 @@ typedef struct RngEgd + + CharDriverState *chr; + char *chr_name; +- +- GSList *requests; + } RngEgd; + +-typedef struct RngRequest +-{ +- EntropyReceiveFunc *receive_entropy; +- uint8_t *data; +- void *opaque; +- size_t offset; +- size_t size; +-} RngRequest; +- + static void rng_egd_request_entropy(RngBackend *b, size_t size, + EntropyReceiveFunc *receive_entropy, + void *opaque) +@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, + size -= len; + } + +- s->requests = g_slist_append(s->requests, req); ++ s->parent.requests = g_slist_append(s->parent.requests, req); + } + + static void rng_egd_free_request(RngRequest *req) +@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *opaque) + GSList *i; + int size = 0; + +- for (i = s->requests; i; i = i->next) { ++ for (i = s->parent.requests; i; i = i->next) { + RngRequest *req = i->data; + size += req->size - req->offset; + } +@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) + RngEgd *s = RNG_EGD(opaque); + size_t buf_offset = 0; + +- while (size > 0 && s->requests) { +- RngRequest *req = s->requests->data; ++ while (size > 0 && s->parent.requests) { ++ RngRequest *req = s->parent.requests->data; + int len = MIN(size, req->size - req->offset); + + memcpy(req->data + req->offset, buf + buf_offset, len); +@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) + size -= len; + + if (req->offset == req->size) { +- s->requests = g_slist_remove_link(s->requests, s->requests); ++ s->parent.requests = g_slist_remove_link(s->parent.requests, ++ s->parent.requests); + + req->receive_entropy(req->opaque, req->data, req->size); + +@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd *s) + { + GSList *i; + +- for (i = s->requests; i; i = i->next) { ++ for (i = s->parent.requests; i; i = i->next) { + rng_egd_free_request(i->data); + } + +- g_slist_free(s->requests); +- s->requests = NULL; ++ g_slist_free(s->parent.requests); ++ s->parent.requests = NULL; + } + + static void rng_egd_opened(RngBackend *b, Error **errp) +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h +index c7da17d..084164c 100644 +--- a/include/sysemu/rng.h ++++ b/include/sysemu/rng.h +@@ -25,6 +25,7 @@ + #define RNG_BACKEND_CLASS(klass) \ + OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND) + ++typedef struct RngRequest RngRequest; + typedef struct RngBackendClass RngBackendClass; + typedef struct RngBackend RngBackend; + +@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *opaque, + const void *data, + size_t size); + ++struct RngRequest ++{ ++ EntropyReceiveFunc *receive_entropy; ++ uint8_t *data; ++ void *opaque; ++ size_t offset; ++ size_t size; ++}; ++ + struct RngBackendClass + { + ObjectClass parent_class; +@@ -48,6 +58,7 @@ struct RngBackend + + /*< protected >*/ + bool opened; ++ GSList *requests; + }; + + /** +-- +2.1.4 + diff --git a/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch b/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch new file mode 100644 index 0000000..d14453a --- /dev/null +++ b/debian/patches/extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch @@ -0,0 +1,163 @@ +From 33809b9b455fa58d9c011bec6aac462204169560 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 09:37:17 +0100 +Subject: [PATCH 3/5] rng: move request queue cleanup from RngEgd to RngBackend + +RngBackend is now in charge of cleaning up the linked list on +instance finalization. It also exposes a function to finalize +individual RngRequest instances, called by its child classes. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + backends/rng-egd.c | 25 +------------------------ + backends/rng.c | 32 ++++++++++++++++++++++++++++++++ + include/sysemu/rng.h | 12 ++++++++++++ + 3 files changed, 45 insertions(+), 24 deletions(-) + +diff --git a/backends/rng-egd.c b/backends/rng-egd.c +index 19eee70..08301a7 100644 +--- a/backends/rng-egd.c ++++ b/backends/rng-egd.c +@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, + s->parent.requests = g_slist_append(s->parent.requests, req); + } + +-static void rng_egd_free_request(RngRequest *req) +-{ +- g_free(req->data); +- g_free(req); +-} +- + static int rng_egd_chr_can_read(void *opaque) + { + RngEgd *s = RNG_EGD(opaque); +@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) + size -= len; + + if (req->offset == req->size) { +- s->parent.requests = g_slist_remove_link(s->parent.requests, +- s->parent.requests); +- + req->receive_entropy(req->opaque, req->data, req->size); + +- rng_egd_free_request(req); ++ rng_backend_finalize_request(&s->parent, req); + } + } + } + +-static void rng_egd_free_requests(RngEgd *s) +-{ +- GSList *i; +- +- for (i = s->parent.requests; i; i = i->next) { +- rng_egd_free_request(i->data); +- } +- +- g_slist_free(s->parent.requests); +- s->parent.requests = NULL; +-} +- + static void rng_egd_opened(RngBackend *b, Error **errp) + { + RngEgd *s = RNG_EGD(b); +@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj) + } + + g_free(s->chr_name); +- +- rng_egd_free_requests(s); + } + + static void rng_egd_class_init(ObjectClass *klass, void *data) +diff --git a/backends/rng.c b/backends/rng.c +index 5d1876c..0d9978b 100644 +--- a/backends/rng.c ++++ b/backends/rng.c +@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp) + s->opened = true; + } + ++static void rng_backend_free_request(RngRequest *req) ++{ ++ g_free(req->data); ++ g_free(req); ++} ++ ++static void rng_backend_free_requests(RngBackend *s) ++{ ++ GSList *i; ++ ++ for (i = s->requests; i; i = i->next) { ++ rng_backend_free_request(i->data); ++ } ++ ++ g_slist_free(s->requests); ++ s->requests = NULL; ++} ++ ++void rng_backend_finalize_request(RngBackend *s, RngRequest *req) ++{ ++ s->requests = g_slist_remove(s->requests, req); ++ rng_backend_free_request(req); ++} ++ + static void rng_backend_init(Object *obj) + { + object_property_add_bool(obj, "opened", +@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj) + NULL); + } + ++static void rng_backend_finalize(Object *obj) ++{ ++ RngBackend *s = RNG_BACKEND(obj); ++ ++ rng_backend_free_requests(s); ++} ++ + static void rng_backend_class_init(ObjectClass *oc, void *data) + { + UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); +@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info = { + .parent = TYPE_OBJECT, + .instance_size = sizeof(RngBackend), + .instance_init = rng_backend_init, ++ .instance_finalize = rng_backend_finalize, + .class_size = sizeof(RngBackendClass), + .class_init = rng_backend_class_init, + .abstract = true, +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h +index 084164c..c2c9035 100644 +--- a/include/sysemu/rng.h ++++ b/include/sysemu/rng.h +@@ -61,6 +61,7 @@ struct RngBackend + GSList *requests; + }; + ++ + /** + * rng_backend_request_entropy: + * @s: the backend to request entropy from +@@ -79,4 +80,15 @@ struct RngBackend + void rng_backend_request_entropy(RngBackend *s, size_t size, + EntropyReceiveFunc *receive_entropy, + void *opaque); ++ ++/** ++ * rng_backend_free_request: ++ * @s: the backend that created the request ++ * @req: the request to finalize ++ * ++ * Used by child rng backend classes to finalize requests once they've been ++ * processed. The request is removed from the list of active requests and ++ * deleted. ++ */ ++void rng_backend_finalize_request(RngBackend *s, RngRequest *req); + #endif +-- +2.1.4 + diff --git a/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch b/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch new file mode 100644 index 0000000..3f48a29 --- /dev/null +++ b/debian/patches/extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch @@ -0,0 +1,47 @@ +From b5f29c3cdd14243de19d974320f49fb3bdd37a6d Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 10:48:34 +0100 +Subject: [PATCH 5/5] virtio-rng: ask for more data if queue is not fully + drained + +This commit effectively reverts: + + commit 4621c1768ef5d12171cca2aa1473595ecb9f1c9e + Author: Amit Shah + Date: Wed Nov 21 11:21:19 2012 +0530 + + virtio-rng: remove extra request for entropy + +but instead of calling virtio_rng_process unconditionally, it +first checks to see if the queue is empty as a little bit of +optimization. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456998514-19271-1-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + hw/virtio/virtio-rng.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c +index 97d1541..3124461 100644 +--- a/hw/virtio/virtio-rng.c ++++ b/hw/virtio/virtio-rng.c +@@ -66,6 +66,13 @@ static void chr_read(void *opaque, const void *buf, size_t size) + trace_virtio_rng_pushed(vrng, len); + } + virtio_notify(vdev, vrng->vq); ++ ++ if (!virtio_queue_empty(vrng->vq)) { ++ /* If we didn't drain the queue, call virtio_rng_process ++ * to take care of asking for more data as appropriate. ++ */ ++ virtio_rng_process(vrng); ++ } + } + + static void virtio_rng_process(VirtIORNG *vrng) +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch b/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch new file mode 100644 index 0000000..c92068e --- /dev/null +++ b/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch @@ -0,0 +1,37 @@ +From 081109008ca6f6adae2bcda2bc5c3472553cc110 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 24 Feb 2016 11:41:33 +0530 +Subject: [PATCH] net: ne2000: check ring buffer control registers + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. Registers PSTART & PSTOP +define ring buffer size & location. Setting these registers +to invalid values could lead to infinite loop or OOB r/w +access issues. Add check to avoid it. + +Reported-by: Yang Hongke +Tested-by: Yang Hongke +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/ne2000.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 010f9ef..84a7263 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) + { + int avail, index, boundary; + ++ if (s->stop <= s->start) { ++ return 1; ++ } ++ + index = s->curpag << 8; + boundary = s->boundary << 8; + if (index < boundary) +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch b/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch new file mode 100644 index 0000000..4a20cd8 --- /dev/null +++ b/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch @@ -0,0 +1,47 @@ +From c0d732a6233af2f148c59f3b81f95f429ea235cb Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 2 Mar 2016 17:29:58 +0530 +Subject: [PATCH] net: check packet payload length + +While computing IP checksum, 'net_checksum_calculate' reads +payload length from the packet. It could exceed the given 'data' +buffer size. Add a check to avoid it. + +Reported-by: Liu Ling +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + net/checksum.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/checksum.c b/net/checksum.c +index 14c0855..0942437 100644 +--- a/net/checksum.c ++++ b/net/checksum.c +@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length) + int hlen, plen, proto, csum_offset; + uint16_t csum; + ++ /* Ensure data has complete L2 & L3 headers. */ ++ if (length < 14 + 20) { ++ return; ++ } ++ + if ((data[14] & 0xf0) != 0x40) + return; /* not IPv4 */ + hlen = (data[14] & 0x0f) * 4; +@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length) + return; + } + +- if (plen < csum_offset+2) +- return; ++ if (plen < csum_offset + 2 || 14 + hlen + plen > length) { ++ return; ++ } + + data[14+hlen+csum_offset] = 0; + data[14+hlen+csum_offset+1] = 0; +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch b/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch new file mode 100644 index 0000000..305b8c8 --- /dev/null +++ b/debian/patches/extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch @@ -0,0 +1,179 @@ +From c33f9c1b4eb6142f6d49a72465395f111b6c968b Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 09:37:18 +0100 +Subject: [PATCH 4/5] rng: add request queue support to rng-random + +Requests are now created in the RngBackend parent class and the +code path is shared by both rng-egd and rng-random. + +This commit fixes the rng-random implementation which processed +only one request at a time and simply discarded all but the most +recent one. In the guest this manifested as delayed completion +of reads from virtio-rng, i.e. a read was completed only after +another read was issued. + +By switching rng-random to use the same request queue as rng-egd, +the unsafe stack-based allocation of the entropy buffer is +eliminated and replaced with g_malloc. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + backends/rng-egd.c | 16 ++-------------- + backends/rng-random.c | 43 +++++++++++++++++++------------------------ + backends/rng.c | 13 ++++++++++++- + include/sysemu/rng.h | 3 +-- + 4 files changed, 34 insertions(+), 41 deletions(-) + +diff --git a/backends/rng-egd.c b/backends/rng-egd.c +index 08301a7..de6c8d4 100644 +--- a/backends/rng-egd.c ++++ b/backends/rng-egd.c +@@ -26,20 +26,10 @@ typedef struct RngEgd + char *chr_name; + } RngEgd; + +-static void rng_egd_request_entropy(RngBackend *b, size_t size, +- EntropyReceiveFunc *receive_entropy, +- void *opaque) ++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req) + { + RngEgd *s = RNG_EGD(b); +- RngRequest *req; +- +- req = g_malloc(sizeof(*req)); +- +- req->offset = 0; +- req->size = size; +- req->receive_entropy = receive_entropy; +- req->opaque = opaque; +- req->data = g_malloc(req->size); ++ size_t size = req->size; + + while (size > 0) { + uint8_t header[2]; +@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, + + size -= len; + } +- +- s->parent.requests = g_slist_append(s->parent.requests, req); + } + + static int rng_egd_chr_can_read(void *opaque) +diff --git a/backends/rng-random.c b/backends/rng-random.c +index 4e51f46..c2d8c03 100644 +--- a/backends/rng-random.c ++++ b/backends/rng-random.c +@@ -21,10 +21,6 @@ struct RndRandom + + int fd; + char *filename; +- +- EntropyReceiveFunc *receive_func; +- void *opaque; +- size_t size; + }; + + /** +@@ -37,36 +33,35 @@ struct RndRandom + static void entropy_available(void *opaque) + { + RndRandom *s = RNG_RANDOM(opaque); +- uint8_t buffer[s->size]; +- ssize_t len; + +- len = read(s->fd, buffer, s->size); +- if (len < 0 && errno == EAGAIN) { +- return; +- } +- g_assert(len != -1); ++ while (s->parent.requests != NULL) { ++ RngRequest *req = s->parent.requests->data; ++ ssize_t len; ++ ++ len = read(s->fd, req->data, req->size); ++ if (len < 0 && errno == EAGAIN) { ++ return; ++ } ++ g_assert(len != -1); + +- s->receive_func(s->opaque, buffer, len); +- s->receive_func = NULL; ++ req->receive_entropy(req->opaque, req->data, len); + ++ rng_backend_finalize_request(&s->parent, req); ++ } ++ ++ /* We've drained all requests, the fd handler can be reset. */ + qemu_set_fd_handler(s->fd, NULL, NULL, NULL); + } + +-static void rng_random_request_entropy(RngBackend *b, size_t size, +- EntropyReceiveFunc *receive_entropy, +- void *opaque) ++static void rng_random_request_entropy(RngBackend *b, RngRequest *req) + { + RndRandom *s = RNG_RANDOM(b); + +- if (s->receive_func) { +- s->receive_func(s->opaque, NULL, 0); ++ if (s->parent.requests == NULL) { ++ /* If there are no pending requests yet, we need to ++ * install our fd handler. */ ++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s); + } +- +- s->receive_func = receive_entropy; +- s->opaque = opaque; +- s->size = size; +- +- qemu_set_fd_handler(s->fd, entropy_available, NULL, s); + } + + static void rng_random_opened(RngBackend *b, Error **errp) +diff --git a/backends/rng.c b/backends/rng.c +index 0d9978b..4066268 100644 +--- a/backends/rng.c ++++ b/backends/rng.c +@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, + void *opaque) + { + RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); ++ RngRequest *req; + + if (k->request_entropy) { +- k->request_entropy(s, size, receive_entropy, opaque); ++ req = g_malloc(sizeof(*req)); ++ ++ req->offset = 0; ++ req->size = size; ++ req->receive_entropy = receive_entropy; ++ req->opaque = opaque; ++ req->data = g_malloc(req->size); ++ ++ k->request_entropy(s, req); ++ ++ s->requests = g_slist_append(s->requests, req); + } + } + +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h +index c2c9035..a7ed580 100644 +--- a/include/sysemu/rng.h ++++ b/include/sysemu/rng.h +@@ -46,8 +46,7 @@ struct RngBackendClass + { + ObjectClass parent_class; + +- void (*request_entropy)(RngBackend *s, size_t size, +- EntropyReceiveFunc *receive_entropy, void *opaque); ++ void (*request_entropy)(RngBackend *s, RngRequest *req); + + void (*opened)(RngBackend *s, Error **errp); + }; +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 744a756..f07e028 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -56,3 +56,10 @@ extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch +extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch +extra/CVE-2016-2857-net-check-packet-payload-length.patch +extra/0001-rng-remove-the-unused-request-cancellation-code.patch +extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch +extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch +extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch +extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch -- 2.11.4.GIT