[pve-devel] applied: [PATCH kvm] various CVE fixes
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Sep 20 09:25:04 CEST 2016
applied
On Mon, Sep 19, 2016 at 09:58:14AM +0200, Fabian Grünbichler wrote:
> CVE-2016-7170: vmsvga: correct bitmap and pixmap size checks
> CVE-2016-7421: scsi: pvscsi: limit process IO loop to ring size
> CVE-2016-7423: scsi: mptsas: use g_new0 to allocate MPTSASRequest object
> ---
> ...vga-correct-bitmap-and-pixmap-size-checks.patch | 45 ++++++++++++++++++++++
> ...pvscsi-limit-process-IO-loop-to-ring-size.patch | 38 ++++++++++++++++++
> ...-use-g_new0-to-allocate-MPTSASRequest-obj.patch | 35 +++++++++++++++++
> debian/patches/series | 3 ++
> 4 files changed, 121 insertions(+)
> create mode 100644 debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
> create mode 100644 debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
> create mode 100644 debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
>
> diff --git a/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
> new file mode 100644
> index 0000000..732f679
> --- /dev/null
> +++ b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
> @@ -0,0 +1,45 @@
> +From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001
> +From: Prasad J Pandit <pjp at fedoraproject.org>
> +Date: Thu, 8 Sep 2016 18:15:54 +0530
> +Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
> +
> +When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
> +the computed BITMAP and PIXMAP size are checked against the
> +'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
> +Correct these checks to avoid OOB memory access.
> +
> +Reported-by: Qinghao Tang <luodalongde at gmail.com>
> +Reported-by: Li Qiang <liqiang6-s at 360.cn>
> +Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
> +Message-id: 1473338754-15430-1-git-send-email-ppandit at redhat.com
> +Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
> +---
> + hw/display/vmware_vga.c | 12 +++++++-----
> + 1 file changed, 7 insertions(+), 5 deletions(-)
> +
> +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
> +index e51a05e..6599cf0 100644
> +--- a/hw/display/vmware_vga.c
> ++++ b/hw/display/vmware_vga.c
> +@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
> + cursor.bpp = vmsvga_fifo_read(s);
> +
> + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
> +- if (cursor.width > 256 ||
> +- cursor.height > 256 ||
> +- cursor.bpp > 32 ||
> +- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
> +- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
> ++ if (cursor.width > 256
> ++ || cursor.height > 256
> ++ || cursor.bpp > 32
> ++ || SVGA_BITMAP_SIZE(x, y)
> ++ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
> ++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
> ++ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
> + goto badcmd;
> + }
> +
> +--
> +2.1.4
> +
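Review bot: the bound is now expressed in elements (`sizeof(cursor.mask) / sizeof(cursor.mask[0])`) rather than bytes, which is the unit the description says SVGA_BITMAP_SIZE and SVGA_PIXMAP_SIZE produce, so the check and the array sizes finally agree. One ordering point: `args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);` is still evaluated on the line before the `cursor.bpp > 32` test, so the patch relies on that macro being pure arithmetic for an out-of-range bpp; a one-line comment at that spot would make the dependency explicit. As a style point, the element-count bound could be written with QEMU's ARRAY_SIZE() macro instead of the hand-written sizeof division.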
> diff --git a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
> new file mode 100644
> index 0000000..05ab4a5
> --- /dev/null
> +++ b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
> @@ -0,0 +1,38 @@
> +From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001
> +From: Prasad J Pandit <pjp at fedoraproject.org>
> +Date: Wed, 14 Sep 2016 15:09:12 +0530
> +Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
> +
> +Vmware Paravirtual SCSI emulator while processing IO requests
> +could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
> +always returned positive value. Limit IO loop to the ring size.
> +
> +Cc: qemu-stable at nongnu.org
> +Reported-by: Li Qiang <liqiang6-s at 360.cn>
> +Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
> +Message-Id: <1473845952-30785-1-git-send-email-ppandit at redhat.com>
> +Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> +---
> + hw/scsi/vmw_pvscsi.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
> +index babac5a..a5ce7de 100644
> +--- a/hw/scsi/vmw_pvscsi.c
> ++++ b/hw/scsi/vmw_pvscsi.c
> +@@ -247,8 +247,11 @@ static hwaddr
> + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
> + {
> + uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
> ++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
> ++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
> +
> +- if (ready_ptr != mgr->consumed_ptr) {
> ++ if (ready_ptr != mgr->consumed_ptr
> ++ && ready_ptr - mgr->consumed_ptr < ring_size) {
> + uint32_t next_ready_ptr =
> + mgr->consumed_ptr++ & mgr->txr_len_mask;
> + uint32_t next_ready_page =
> +--
> +2.1.4
> +
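Review bot: `ring_size` is built from the compile-time maximum (`PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE`), not from the ring actually configured for this `mgr`, while the pop itself masks with `mgr->txr_len_mask`; the loop is therefore finite but may still run up to the maximum length even when a smaller ring is in use. Consider `mgr->txr_len_mask + 1` as the bound, or add a comment explaining why the maximum is sufficient. Also note that `ready_ptr - mgr->consumed_ptr` is unsigned: if ready_ptr is behind consumed_ptr the difference wraps to a large value and correctly fails the `< ring_size` test, but that deliberate reliance on wraparound deserves a comment so a later cleanup does not turn it into a signed comparison.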
> diff --git a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
> new file mode 100644
> index 0000000..f1ba947
> --- /dev/null
> +++ b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
> @@ -0,0 +1,35 @@
> +From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
> +From: Li Qiang <liqiang6-s at 360.cn>
> +Date: Mon, 12 Sep 2016 18:14:11 +0530
> +Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
> +
> +When processing IO request in mptsas, it uses g_new to allocate
> +a 'req' object. If an error occurs before 'req->sreq' is
> +allocated, It could lead to an OOB write in mptsas_free_request
> +function. Use g_new0 to avoid it.
> +
> +Reported-by: Li Qiang <liqiang6-s at 360.cn>
> +Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
> +Message-Id: <1473684251-17476-1-git-send-email-ppandit at redhat.com>
> +Cc: qemu-stable at nongnu.org
> +Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> +---
> + hw/scsi/mptsas.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
> +index 0e0a22f..eaae1bb 100644
> +--- a/hw/scsi/mptsas.c
> ++++ b/hw/scsi/mptsas.c
> +@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
> + goto bad;
> + }
> +
> +- req = g_new(MPTSASRequest, 1);
> ++ req = g_new0(MPTSASRequest, 1);
> + QTAILQ_INSERT_TAIL(&s->pending, req, next);
> + req->scsi_io = *scsi_io;
> + req->dev = s;
> +--
> +2.1.4
> +
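Review bot: the change is sound because `QTAILQ_INSERT_TAIL(&s->pending, req, next);` runs before the remaining fields of `req` are assigned, so any early exit between the allocation and the point where req->sreq is set hands a partially initialised request to the free path; with g_new0 the pointer fields start as NULL instead of heap garbage. The hunk does not show mptsas_free_request, so the fix relies on that function checking req->sreq for NULL before releasing it; worth confirming that check exists, and a short comment at the allocation noting the dependency would help the next reader.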
> diff --git a/debian/patches/series b/debian/patches/series
> index d1470ba..d6aab89 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -74,3 +74,6 @@ extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
> extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
> extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
> extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
> +extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
> +extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
> +extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
> --
> 2.1.4
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel