[pve-devel] [PATCH kvm] Fix CVE-2016-4952

Tue May 24 12:50:03 CEST 2016

scsi: pvscsi: check command descriptor ring buffer size
---
 ...-check-command-descriptor-ring-buffer-siz.patch | 97 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch

diff --git a/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch b/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
new file mode 100644
index 0000000..b3187f9
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
@@ -0,0 +1,97 @@
+From 6b7e3826cdc316808bd6e866320237049665c417 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp at fedoraproject.org>
+Date: Mon, 23 May 2016 16:18:05 +0530
+Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
+
+Vmware Paravirtual SCSI emulation uses command descriptors to
+process SCSI commands. These descriptors come with their ring
+buffers. A guest could set the ring buffer size to an arbitrary
+value leading to OOB access issue. Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s at 360.cn>
+Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
+---
+ hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 9c71f31..a6c5cc4 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -126,7 +126,7 @@ pvscsi_log2(uint32_t input)
+     return log;
+ }
+ 
+-static void
++static int
+ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ {
+     int i;
+@@ -134,6 +134,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+     uint32_t req_ring_size, cmp_ring_size;
+     m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
+ 
++    if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
++        || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
++        return -1;
++    }
+     req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+     cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
+     txr_len_log2 = pvscsi_log2(req_ring_size - 1);
+@@ -165,15 +169,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ 
+     /* Flush ring state page changes */
+     smp_wmb();
++
++    return 0;
+ }
+ 
+-static void
++static int
+ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ {
+     int i;
+     uint32_t len_log2;
+     uint32_t ring_size;
+ 
++    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++        return -1;
++    }
+     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+     len_log2 = pvscsi_log2(ring_size - 1);
+ 
+@@ -193,6 +202,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ 
+     /* Flush ring state page changes */
+     smp_wmb();
++
++    return 0;
+ }
+ 
+ static void
+@@ -743,7 +754,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
+     trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+ 
+     pvscsi_dbg_dump_tx_rings_config(rc);
+-    pvscsi_ring_init_data(&s->rings, rc);
++    if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
++        return PVSCSI_COMMAND_PROCESSING_FAILED;
++    }
++
+     s->rings_info_valid = TRUE;
+     return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
+ }
+@@ -823,7 +837,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
+     }
+ 
+     if (s->rings_info_valid) {
+-        pvscsi_ring_init_msg(&s->rings, rc);
++        if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
++            return PVSCSI_COMMAND_PROCESSING_FAILED;
++        }
+         s->msg_ring_info_valid = TRUE;
+     }
+     return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 6d0d70b..fe89dd1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -54,3 +54,4 @@ extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
 extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
 extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
 extra/0001-vga-add-sr_vbe-register-set.patch
+extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
-- 
2.1.4



