- bsc#980724 - VUL-0: CVE-2016-4441: Qemu: scsi: esp: OOB write

while writing to 's->cmdbuf' in get_cmd
  CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
- bsc#980716 - VUL-0: CVE-2016-4439: xen: scsi: esp: OOB write
  while writing to 's->cmdbuf' in esp_reg_write
  CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=432

CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch

@@ -0,0 +1,33 @@
+References: bsc#980716 CVE-2016-4439 
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer. While
+writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
+was missing to validate input length. Add check to avoid OOB write
+access.
+
+Fixes CVE-2016-4439
+Reported-by: Li Qiang <address@hidden>
+
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/scsi/esp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+===================================================================
+--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+@@ -471,7 +471,11 @@ static void esp_mem_writeb(void *opaque,
+         break;
+     case ESP_FIFO:
+         if (s->do_cmd) {
+-            s->cmdbuf[s->cmdlen++] = val & 0xff;
++            if (s->cmdlen < TI_BUFSZ) {
++                s->cmdbuf[s->cmdlen++] = val & 0xff;
++            } else {
++                ESP_ERROR("fifo overrun\n");
++            }
+         } else if (s->ti_size == TI_BUFSZ - 1) {
+             ESP_ERROR("fifo overrun\n");
+         } else {

CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch

@@ -0,0 +1,56 @@
+References: bsc#980724 CVE-2016-4441 
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() uses DMA to read scsi commands into this buffer.
+Add check to validate DMA length against buffer size to avoid any
+overrun.
+
+Fixes CVE-2016-4441
+Reported-by: Li Qiang <address@hidden>
+
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/scsi/esp.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+===================================================================
+--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+@@ -162,7 +162,7 @@ static void esp_lower_irq(ESPState *s)
+     }
+ }
+ 
+-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ {
+     uint32_t dmalen;
+     int target;
+@@ -170,6 +170,9 @@ static uint32_t get_cmd(ESPState *s, uin
+     target = s->wregs[ESP_WBUSID] & BUSID_DID;
+     if (s->dma) {
+         dmalen = s->rregs[ESP_TCLO] | (s->rregs[ESP_TCMID] << 8);
++        if (dmalen > buflen) {
++            return 0;
++        }
+         s->dma_memory_read(s->dma_opaque, buf, dmalen);
+     } else {
+         dmalen = s->ti_size;
+@@ -231,14 +234,14 @@ static void handle_satn(ESPState *s)
+     uint8_t buf[32];
+     int len;
+ 
+-    len = get_cmd(s, buf);
++    len = get_cmd(s, buf, sizeof(buf));
+     if (len)
+         do_cmd(s, buf);
+ }
+ 
+ static void handle_satn_stop(ESPState *s)
+ {
+-    s->cmdlen = get_cmd(s, s->cmdbuf);
++    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
+     if (s->cmdlen) {
+         DPRINTF("Set ATN & Stop: cmdlen %d\n", s->cmdlen);
+         s->do_cmd = 1;

ipxe-use-rpm-opt-flags.patch

@@ -12,7 +12,7 @@ Index: xen-4.6.1-testing/tools/firmware/etherboot/patches/ipxe-use-rpm-opt-flags
 + 
 + CLEANUP		:=
 +-CFLAGS		:=
-++CFLAGS		:= $(RPM_OPT_FLAGS) -Wno-error=array-bounds
+++CFLAGS		:= $(RPM_OPT_FLAGS) -Wno-error=array-bounds -Wno-nonnull-compare -Wno-unused-const-variable -Wno-misleading-indentation -Wno-shift-negative-value
 + ASFLAGS		:=
 + LDFLAGS		:=
 + MAKEDEPS	:= Makefile

xen.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu May 19 10:46:53 MDT 2016 - carnold@suse.com
+
+- bsc#980724 - VUL-0: CVE-2016-4441: Qemu: scsi: esp: OOB write
+  while writing to 's->cmdbuf' in get_cmd
+  CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
+- bsc#980716 - VUL-0: CVE-2016-4439: xen: scsi: esp: OOB write
+  while writing to 's->cmdbuf' in esp_reg_write
+  CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch
+
 -------------------------------------------------------------------
 Tue May 17 10:16:47 MDT 2016 - carnold@suse.com
 

xen.spec

@@ -228,6 +228,8 @@ Patch273:       CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-v
 Patch274:       CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
 Patch275:       CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
 Patch276:       CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
+Patch277:       CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch
+Patch278:       CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
 # qemu-traditional patches that are not upstream
 Patch350:       blktap.patch
 Patch351:       cdrom-removable.patch
@@ -544,6 +546,8 @@ Authors:
 %patch274 -p1
 %patch275 -p1
 %patch276 -p1
+%patch277 -p1
+%patch278 -p1
 # Qemu traditional
 %patch350 -p1
 %patch351 -p1