[pve-devel] [PATCH kvm] Several fixes

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Jan 7 09:59:21 CET 2016


CVE-2015-8613 scsi: initialise info object with appropriate size
CVE-2015-8619 hmp: avoid redundant null termination of buffer
CVE-2015-8666 acpi: fix buffer overrun on migration
CVE-2015-8701 net: rocker: fix an incorrect array bounds check
CVE-2015-8743 net: ne2000: fix bounds check in ioport operations
CVE-2015-8744 net/vmxnet3: Refine l2 header validation
CVE-2015-8745 vmxnet3: Support reading IMR registers on bar0
---
 ...CVE-2015-8613-scsi-initialize-info-object.patch | 31 +++++++++
 debian/patches/CVE-2015-8619-hmp-oob-write.patch   | 34 ++++++++++
 ...8666-acpi-fix-buffer-overrun-on-migration.patch | 45 +++++++++++++
 .../CVE-2015-8701-net-rocker-off-by-one.patch      | 47 +++++++++++++
 .../CVE-2015-8743-ne2000-ioport-bounds-check.patch | 48 ++++++++++++++
 ...-8744-vmxnet3-refine-l2-header-validation.patch | 76 ++++++++++++++++++++++
 ...745-vmxnet3-support-reading-imr-registers.patch | 37 +++++++++++
 debian/patches/series                              |  7 ++
 8 files changed, 325 insertions(+)
 create mode 100644 debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch
 create mode 100644 debian/patches/CVE-2015-8619-hmp-oob-write.patch
 create mode 100644 debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
 create mode 100644 debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch
 create mode 100644 debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch
 create mode 100644 debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
 create mode 100644 debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch

diff --git a/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch b/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch
new file mode 100644
index 0000000..ee0f36d
--- /dev/null
+++ b/debian/patches/CVE-2015-8613-scsi-initialize-info-object.patch
@@ -0,0 +1,31 @@
+From 5823b4a214ede884f4ba597fdd629862620e0f92 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Mon, 21 Dec 2015 14:48:18 +0530
+Subject: [PATCH] scsi: initialise info object with appropriate size
+
+While processing controller 'CTRL_GET_INFO' command, the routine
+'megasas_ctrl_get_info' overflows the '&info' object size. Use its
+appropriate size to null initialise it.
+
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+  hw/scsi/megasas.c | 2 +-
+  1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index d7dc667..576f56c 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+     BusChild *kid;
+     int num_pd_disks = 0;
+ 
+-    memset(&info, 0x0, cmd->iov_size);
++    memset(&info, 0x0, dcmd_size);
+     if (cmd->iov_size < dcmd_size) {
+         trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
+                                             dcmd_size);
+-- 
+2.4.3
+===
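Review bot: the file ends with a stray `+===` line after the `2.4.3` version trailer; that is not part of `git format-patch` output, and the later patch files in this series end with a blank line instead. Quilt ignores text after the last hunk, so it applies, but drop it for consistency with the other new files. The change itself is right: `dcmd_size`, which the commit message identifies as the object's real size, is the correct bound for clearing `info`, whereas the transfer length `cmd->iov_size` was the overrun, and the `cmd->iov_size < dcmd_size` check that follows still rejects undersized transfer buffers.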
diff --git a/debian/patches/CVE-2015-8619-hmp-oob-write.patch b/debian/patches/CVE-2015-8619-hmp-oob-write.patch
new file mode 100644
index 0000000..1dd22d4
--- /dev/null
+++ b/debian/patches/CVE-2015-8619-hmp-oob-write.patch
@@ -0,0 +1,34 @@
+From b0363f4c0e91671064dd7ffece8a6923c8dcaf20 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 17 Dec 2015 17:47:15 +0530
+Subject: [PATCH] hmp: avoid redundant null termination of buffer
+
+When processing 'sendkey' command, hmp_sendkey routine null
+terminates the 'keyname_buf' array. This results in an OOB write
+issue, if 'keyname_len' was to fall outside of 'keyname_buf' array.
+Removed the redundant null termination, as pstrcpy routine already
+null terminates the target buffer.
+
+Reported-by: Ling Liu <liuling-it at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+  hmp.c | 2 --
+  1 file changed, 2 deletions(-)
+
+diff --git a/hmp.c b/hmp.c
+index 2140605..e530c9c 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -1746,9 +1746,7 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
+         /* Be compatible with old interface, convert user inputted "<" */
+         if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
+             pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
+-            keyname_len = 4;
+         }
+-        keyname_buf[keyname_len] = 0;
+ 
+         keylist = g_malloc0(sizeof(*keylist));
+         keylist->value = g_malloc0(sizeof(*keylist->value));
+-- 
+2.4.3
+===
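Review bot: same stray `+===` trailer as in the scsi patch; remove it. On the logic, dropping `keyname_buf[keyname_len] = 0;` is safe because the only remaining writer in the hunk is `pstrcpy`, which always terminates the destination within `sizeof(keyname_buf)`; but `keyname_len = 4;` is removed as well, so confirm `keyname_len` has no reader later in `hmp_sendkey` in the pve-qemu base tree, otherwise the `"<"` to `"less"` conversion would leave it at the stale value 1.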
diff --git a/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch b/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
new file mode 100644
index 0000000..b46ab48
--- /dev/null
+++ b/debian/patches/CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
@@ -0,0 +1,45 @@
+From d9a3b33d2c9f996537b7f1d0246dee2d0120cefb Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst at redhat.com>
+Date: Thu, 19 Nov 2015 15:14:07 +0200
+Subject: [PATCH] acpi: fix buffer overrun on migration
+
+ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
+ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
+ICH9_PMIO_GPE0_LEN bytes are migrated.
+
+As a quick work-around, allocate twice the memory.
+We'll probably want to tweak code to avoid
+migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
+but that is a bit trickier to do without breaking
+migration compatibility.
+
+Tested-by: "Dr. David Alan Gilbert" <dgilbert at redhat.com>
+Reported-by: "Dr. David Alan Gilbert" <dgilbert at redhat.com>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+---
+ hw/acpi/core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index fe6215a..21e113d 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -625,8 +625,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar)
+ void acpi_gpe_init(ACPIREGS *ar, uint8_t len)
+ {
+     ar->gpe.len = len;
+-    ar->gpe.sts = g_malloc0(len / 2);
+-    ar->gpe.en = g_malloc0(len / 2);
++    /* Only first len / 2 bytes are ever used,
++     * but the caller in ich9.c migrates full len bytes.
++     * TODO: fix ich9.c and drop the extra allocation.
++     */
++    ar->gpe.sts = g_malloc0(len);
++    ar->gpe.en = g_malloc0(len);
+ }
+ 
+ void acpi_gpe_reset(ACPIREGS *ar)
+-- 
+2.1.4
+
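Review bot: this is the workaround the commit message describes, and it leaves the migration stream untouched: the vmstate still carries the full `ICH9_PMIO_GPE0_LEN` bytes, so an unpatched destination node still receives `len` bytes into a `len / 2` buffer. Operationally that means the fix must be installed on every node of a cluster before ich9-based VMs are migrated, not only on the source. Note also that the doubled allocation applies to every `acpi_gpe_init` caller, not just ich9, which the in-code TODO already flags; that is acceptable for a stable backport, but the package changelog should say so.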
diff --git a/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch b/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch
new file mode 100644
index 0000000..7b17355
--- /dev/null
+++ b/debian/patches/CVE-2015-8701-net-rocker-off-by-one.patch
@@ -0,0 +1,47 @@
+From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Mon, 28 Dec 2015 16:24:08 +0530
+Subject: [PATCH] net: rocker: fix an incorrect array bounds check
+
+While processing transmit(tx) descriptors in 'tx_consume' routine
+the switch emulator suffers from an off-by-one error, if a
+descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
+fragments. Fix an incorrect bounds check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde at gmail.com>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/rocker/rocker.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index c57f1a6..2e77e50 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
+         frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
+         frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
+ 
++        if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
++            goto err_too_many_frags;
++        }
+         iov[iovcnt].iov_len = frag_len;
+         iov[iovcnt].iov_base = g_malloc(frag_len);
+         if (!iov[iovcnt].iov_base) {
+@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
+             err = -ROCKER_ENXIO;
+             goto err_bad_io;
+         }
+-
+-        if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
+-            goto err_too_many_frags;
+-        }
++        iovcnt++;
+     }
+ 
+     if (iovcnt) {
+-- 
+2.1.4
+
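Review bot: moving the bound check ahead of the `iov[iovcnt]` write is the right fix; with the old post-increment check, `iovcnt` could already equal `ROCKER_TX_FRAGS_MAX` when `iov[iovcnt].iov_base = g_malloc(frag_len)` ran, writing one element past the array. Because the check now fires before anything is allocated for the offending fragment, verify that the `err_too_many_frags` cleanup (outside the hunk) frees only `iov[0..iovcnt-1]` and does not touch an unallocated `iov[iovcnt]`. Minor and pre-existing: `g_malloc` aborts on failure rather than returning NULL, so the `if (!iov[iovcnt].iov_base)` branch in the context lines is dead code.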
diff --git a/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch b/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch
new file mode 100644
index 0000000..5b34ecf
--- /dev/null
+++ b/debian/patches/CVE-2015-8743-ne2000-ioport-bounds-check.patch
@@ -0,0 +1,48 @@
+From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Thu, 31 Dec 2015 17:05:27 +0530
+Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
+
+While doing ioport r/w operations, ne2000 device emulation suffers
+from OOB r/w errors. Update respective array bounds check to avoid
+OOB access.
+
+Reported-by: Ling Liu <liuling-it at 360.cn>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/ne2000.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 010f9ef..a3dffff 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
+                                      uint32_t val)
+ {
+     addr &= ~1; /* XXX: check exact behaviour if not even */
+-    if (addr < 32 ||
+-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++    if (addr < 32
++        || (addr >= NE2000_PMEM_START
++            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+         stl_le_p(s->mem + addr, val);
+     }
+ }
+@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
+ static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
+ {
+     addr &= ~1; /* XXX: check exact behaviour if not even */
+-    if (addr < 32 ||
+-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++    if (addr < 32
++        || (addr >= NE2000_PMEM_START
++            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+         return ldl_le_p(s->mem + addr);
+     } else {
+         return 0xffffffff;
+-- 
+2.1.4
+
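Review bot: the new `addr + sizeof(uint32_t) <= NE2000_MEM_SIZE` bound is what the 32-bit accessors needed: after `addr &= ~1`, an address of `NE2000_MEM_SIZE - 2` satisfied the old `addr < NE2000_MEM_SIZE` test and `stl_le_p`/`ldl_le_p` then touched two bytes past the end of `s->mem`. The 16-bit variants (`ne2000_mem_writew`/`readw`, visible only as context here) keep the old test, which is sufficient provided `NE2000_MEM_SIZE` is even, since `addr` is even after the mask; a one-line comment stating that assumption would save the next reader from reopening the question.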
diff --git a/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch b/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
new file mode 100644
index 0000000..fbb9f54
--- /dev/null
+++ b/debian/patches/CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
@@ -0,0 +1,76 @@
+From a7278b36fcab9af469563bd7b9dadebe2ae25e48 Mon Sep 17 00:00:00 2001
+From: Dana Rubin <dana.rubin at ravellosystems.com>
+Date: Tue, 18 Aug 2015 12:45:55 +0300
+Subject: [PATCH] net/vmxnet3: Refine l2 header validation
+
+Validation of l2 header length assumed minimal packet size as
+eth_header + 2 * vlan_header regardless of the actual protocol.
+
+This caused crash for valid non-IP packets shorter than 22 bytes, as
+'tx_pkt->packet_type' hasn't been assigned for such packets, and
+'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.
+
+Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
+Check its return value during packet processing flow.
+
+As a side effect, in case IPv4 and IPv6 header validation failure,
+corrupt packets will be dropped.
+
+Signed-off-by: Dana Rubin <dana.rubin at ravellosystems.com>
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani at ravellosystems.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet3.c       |  4 +---
+ hw/net/vmxnet_tx_pkt.c | 19 ++++++++++++++++---
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 04159c8..48ced71 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
+         }
+ 
+         if (txd.eop) {
+-            if (!s->skip_current_tx_pkt) {
+-                vmxnet_tx_pkt_parse(s->tx_pkt);
+-
++            if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) {
+                 if (s->needs_vlan) {
+                     vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci);
+                 }
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index f7344c4..eb88ddf 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
+ 
+     bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base,
+                             ETH_MAX_L2_HDR_LEN);
+-    if (bytes_read < ETH_MAX_L2_HDR_LEN) {
++    if (bytes_read < sizeof(struct eth_header)) {
++        l2_hdr->iov_len = 0;
++        return false;
++    }
++
++    l2_hdr->iov_len = sizeof(struct eth_header);
++    switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) {
++    case ETH_P_VLAN:
++        l2_hdr->iov_len += sizeof(struct vlan_header);
++        break;
++    case ETH_P_DVLAN:
++        l2_hdr->iov_len += 2 * sizeof(struct vlan_header);
++        break;
++    }
++
++    if (bytes_read < l2_hdr->iov_len) {
+         l2_hdr->iov_len = 0;
+         return false;
+-    } else {
+-        l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base);
+     }
+ 
+     l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len);
+-- 
+2.1.4
+
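Review bot: the diffstat touches no header, so `vmxnet_tx_pkt_parse` must already return a bool in the base tree; confirm it propagates the `false` from `vmxnet_tx_pkt_parse_headers`, because the new `&& vmxnet_tx_pkt_parse(s->tx_pkt)` condition in `vmxnet3_process_tx_queue` only drops the frame if it does. The `switch` on `h_proto` intentionally has no `default` (an untagged frame keeps `iov_len == sizeof(struct eth_header)`), and the second `bytes_read < l2_hdr->iov_len` check is what now rejects a VLAN-tagged frame shorter than its declared headers; a short comment on the switch would make the missing `default` look deliberate. Worth a line in the package changelog: frames failing the header checks are now dropped instead of processed, which the commit message calls a side effect.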
diff --git a/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch b/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
new file mode 100644
index 0000000..deb755f
--- /dev/null
+++ b/debian/patches/CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
@@ -0,0 +1,37 @@
+From c6048f849c7e3f009786df76206e895a69de032c Mon Sep 17 00:00:00 2001
+From: Shmulik Ladkani <shmulik.ladkani at ravellosystems.com>
+Date: Mon, 21 Sep 2015 17:09:02 +0300
+Subject: [PATCH] vmxnet3: Support reading IMR registers on bar0
+
+Instead of asserting, return the actual IMR register value.
+This is aligned with what's returned on ESXi.
+
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani at ravellosystems.com>
+Tested-by: Dana Rubin <dana.rubin at ravellosystems.com>
+Signed-off-by: Jason Wang <jasowang at redhat.com>
+---
+ hw/net/vmxnet3.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 48ced71..057f0dc 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1163,9 +1163,13 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
+ static uint64_t
+ vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size)
+ {
++    VMXNET3State *s = opaque;
++
+     if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR,
+                         VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) {
+-        g_assert_not_reached();
++        int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR,
++                                         VMXNET3_REG_ALIGN);
++        return s->interrupt_states[l].is_masked;
+     }
+ 
+     VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size);
+-- 
+2.1.4
+
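Review bot: the `index 48ced71..057f0dc` line shows this patch was generated on top of the tree produced by the CVE-2015-8744 patch (`index 04159c8..48ced71`), so the two must stay in that order in `debian/patches/series`. The index `l` keeps `s->interrupt_states[l]` in bounds only if `VMW_MULTIREG_IDX_BY_ADDR` yields a value below `VMXNET3_MAX_INTRS` for every address that `VMW_IS_MULTIREG_ADDR` accepts with the same base and alignment; that agreement between the two macros is not visible here and is worth a glance at their definitions. The benefit is clear: replacing `g_assert_not_reached()` turns a guest-reachable abort of the whole QEMU process into a plain register read.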
diff --git a/debian/patches/series b/debian/patches/series
index 2dcbd1c..6b978ca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,3 +41,10 @@ add_firewall_to_vma.patch
 CVE-2015-7549-msix-pba-write-ro.patch
 CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
 vmxnet3-host-memory-leakage.patch
+CVE-2015-8613-scsi-initialize-info-object.patch
+CVE-2015-8619-hmp-oob-write.patch
+CVE-2015-8666-acpi-fix-buffer-overrun-on-migration.patch
+CVE-2015-8701-net-rocker-off-by-one.patch
+CVE-2015-8743-ne2000-ioport-bounds-check.patch
+CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch
+CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch
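Review bot: ordering is correct: the two vmxnet3 patches are listed 8744 before 8745, as their chained blob ids require, and all seven are appended after the existing `vmxnet3-host-memory-leakage.patch`, which by its name touches the same driver, so check for offset or fuzz when refreshing the series. The two new patch files that end in `===` (8613 and 8619) differ from the rest; normalise them before the series grows further.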
-- 
2.1.4