diff --git a/CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch b/CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch new file mode 100644 index 0000000..eb266aa --- /dev/null +++ b/CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch @@ -0,0 +1,39 @@ +References: bsc#962642 CVE-2013-4537 + +Subject: ssi-sd: fix buffer overrun on invalid state load +From: Michael S. Tsirkin mst@redhat.com Mon Apr 28 16:08:14 2014 +0300 +Date: Mon May 5 22:15:03 2014 +0200: +Git: a9c380db3b8c6af19546a68145c8d1438a09c92b + +CVE-2013-4537 + +s->arglen is taken from wire and used as idx +in ssi_sd_transfer(). + +Validate it before access. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela + +Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ssi-sd.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ssi-sd.c ++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ssi-sd.c +@@ -221,8 +221,17 @@ static int ssi_sd_load(QEMUFile *f, void + for (i = 0; i < 5; i++) + s->response[i] = qemu_get_be32(f); + s->arglen = qemu_get_be32(f); ++ if (s->mode == SSI_SD_CMDARG && ++ (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) { ++ return -EINVAL; ++ } + s->response_pos = qemu_get_be32(f); + s->stopping = qemu_get_be32(f); ++ if (s->mode == SSI_SD_RESPONSE && ++ (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) || ++ (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) { ++ return -EINVAL; ++ } + + return 0; + } diff --git a/CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch b/CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch new file mode 100644 index 0000000..73fb2b8 --- /dev/null +++ b/CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch @@ -0,0 +1,28 @@ +References: bsc#962335 CVE-2013-4538 + +s->cmd_len used as index in ssd0323_transfer() to store 32-bit field. +Possible this field might then be supplied by guest to overwrite a +return addr somewhere. Same for row/col fields, which are indicies into +framebuffer array. + +To fix validate after load. + +Signed-off-by: Michael S. Tsirkin +--- + hw/display/ssd0323.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ssd0323.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ssd0323.c ++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ssd0323.c +@@ -304,6 +304,9 @@ static int ssd0323_load(QEMUFile *f, voi + return -EINVAL; + + s->cmd_len = qemu_get_be32(f); ++ if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) { ++ return -EINVAL; ++ } + s->cmd = qemu_get_be32(f); + for (i = 0; i < 8; i++) + s->cmd_data[i] = qemu_get_be32(f); diff --git a/CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch b/CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch new file mode 100644 index 0000000..3f98e9d --- /dev/null +++ b/CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch @@ -0,0 +1,43 @@ +Subject: tsc210x: fix buffer overrun on invalid state load +From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:52:09 2014 +0300 +Date: Mon May 5 22:15:02 2014 +0200: +Git: 5193be3be35f29a35bc465036cd64ad60d43385f + +CVE-2013-4539 + +s->precision, nextprecision, function and nextfunction +come from wire and are used +as idx into resolution[] in TSC_CUT_RESOLUTION. + +Validate after load to avoid buffer overrun. + +Cc: Andreas Färber +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela + +Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/tsc210x.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/tsc210x.c ++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/tsc210x.c +@@ -1077,9 +1077,21 @@ static int tsc210x_load(QEMUFile *f, voi + s->enabled = qemu_get_byte(f); + s->host_mode = qemu_get_byte(f); + s->function = qemu_get_byte(f); ++ if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) { ++ return -EINVAL; ++ } + s->nextfunction = qemu_get_byte(f); ++ if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) { ++ return -EINVAL; ++ } + s->precision = qemu_get_byte(f); ++ if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) { ++ return -EINVAL; ++ } + s->nextprecision = qemu_get_byte(f); ++ if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) { ++ return -EINVAL; ++ } + s->filter = qemu_get_byte(f); + s->pin_func = qemu_get_byte(f); + s->ref = qemu_get_byte(f); diff --git a/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch b/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch new file mode 100644 index 0000000..667ab73 --- /dev/null +++ b/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch @@ -0,0 +1,44 @@ +References: bsc#962627 CVE-2014-7815 + +Subject: vnc: sanitize bits_per_pixel from the client +From: Petr Matousek pmatouse@redhat.com Mon Oct 27 12:41:44 2014 +0100 +Date: Tue Oct 28 11:51:04 2014 +0100: +Git: e6908bfe8e07f2b452e78e677da1b45b1c0f6829 + +bits_per_pixel that are less than 8 could result in accessing +non-initialized buffers later in the code due to the expectation +that bytes_per_pixel value that is used to initialize these buffers is +never zero. + +To fix this check that bits_per_pixel from the client is one of the +values that the rfb protocol specification allows. + +This is CVE-2014-7815. + +Signed-off-by: Petr Matousek + +[ kraxel: apply codestyle fix ] + +Signed-off-by: Gerd Hoffmann + +Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c ++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +@@ -1633,6 +1633,16 @@ static void set_pixel_format(VncState *v + return; + } + ++ switch (bits_per_pixel) { ++ case 8: ++ case 16: ++ case 32: ++ break; ++ default: ++ vnc_client_error(vs); ++ return; ++ } ++ + vs->clientds = vs->serverds; + vs->clientds.pf.rmax = red_max ? red_max : 0xFF; + count_bits(vs->clientds.pf.rbits, red_max); diff --git a/CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch b/CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch new file mode 100644 index 0000000..153cbc3 --- /dev/null +++ b/CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch @@ -0,0 +1,222 @@ +References: bsc#962632 CVE-2015-1779 + +Subject: CVE-2015-1779: incrementally decode websocket frames +From: Daniel P. Berrange berrange@redhat.com Mon Mar 23 22:58:21 2015 +0000 +Date: Wed Apr 1 17:11:34 2015 +0200: +Git: a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e + +The logic for decoding websocket frames wants to fully +decode the frame header and payload, before allowing the +VNC server to see any of the payload data. There is no +size limit on websocket payloads, so this allows a +malicious network client to consume 2^64 bytes in memory +in QEMU. It can trigger this denial of service before +the VNC server even performs any authentication. + +The fix is to decode the header, and then incrementally +decode the payload data as it is needed. With this fix +the websocket decoder will allow at most 4k of data to +be buffered before decoding and processing payload. + +Signed-off-by: Daniel P. Berrange +Signed-off-by: Gerd Hoffmann + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c +@@ -115,7 +115,7 @@ long vnc_client_read_ws(VncState *vs) + { + int ret, err; + uint8_t *payload; +- size_t payload_size, frame_size; ++ size_t payload_size, header_size; + VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer, + vs->ws_input.capacity, vs->ws_input.offset); + buffer_reserve(&vs->ws_input, 4096); +@@ -125,18 +125,39 @@ long vnc_client_read_ws(VncState *vs) + } + vs->ws_input.offset += ret; + +- /* make sure that nothing is left in the ws_input buffer */ ++ ret = 0; ++ /* consume as much of ws_input buffer as possible */ + do { +- err = vncws_decode_frame(&vs->ws_input, &payload, +- &payload_size, &frame_size); +- if (err <= 0) { +- return err; ++ if (vs->ws_payload_remain == 0) { ++ err = vncws_decode_frame_header(&vs->ws_input, ++ &header_size, ++ &vs->ws_payload_remain, ++ &vs->ws_payload_mask); ++ if (err <= 0) { ++ return err; ++ } ++ ++ buffer_advance(&vs->ws_input, header_size); + } ++ if (vs->ws_payload_remain != 0) { ++ err = vncws_decode_frame_payload(&vs->ws_input, ++ &vs->ws_payload_remain, ++ &vs->ws_payload_mask, ++ &payload, ++ &payload_size); ++ if (err < 0) { ++ return err; ++ } ++ if (err == 0) { ++ return ret; ++ } ++ ret += err; + +- buffer_reserve(&vs->input, payload_size); +- buffer_append(&vs->input, payload, payload_size); ++ buffer_reserve(&vs->input, payload_size); ++ buffer_append(&vs->input, payload, payload_size); + +- buffer_advance(&vs->ws_input, frame_size); ++ buffer_advance(&vs->ws_input, payload_size); ++ } + } while (vs->ws_input.offset > 0); + + return ret; +@@ -274,15 +295,14 @@ void vncws_encode_frame(Buffer *output, + buffer_append(output, payload, payload_size); + } + +-int vncws_decode_frame(Buffer *input, uint8_t **payload, +- size_t *payload_size, size_t *frame_size) ++int vncws_decode_frame_header(Buffer *input, ++ size_t *header_size, ++ size_t *payload_remain, ++ WsMask *payload_mask) + { + unsigned char opcode = 0, fin = 0, has_mask = 0; +- size_t header_size = 0; +- uint32_t *payload32; ++ size_t payload_len; + WsHeader *header = (WsHeader *)input->buffer; +- WsMask mask; +- int i; + + if (input->offset < WS_HEAD_MIN_LEN + 4) { + /* header not complete */ +@@ -292,7 +312,7 @@ int vncws_decode_frame(Buffer *input, ui + fin = (header->b0 & 0x80) >> 7; + opcode = header->b0 & 0x0f; + has_mask = (header->b1 & 0x80) >> 7; +- *payload_size = header->b1 & 0x7f; ++ payload_len = header->b1 & 0x7f; + + if (opcode == WS_OPCODE_CLOSE) { + /* disconnect */ +@@ -309,40 +329,57 @@ int vncws_decode_frame(Buffer *input, ui + return -2; + } + +- if (*payload_size < 126) { +- header_size = 6; +- mask = header->u.m; +- } else if (*payload_size == 126 && input->offset >= 8) { +- *payload_size = be16_to_cpu(header->u.s16.l16); +- header_size = 8; +- mask = header->u.s16.m16; +- } else if (*payload_size == 127 && input->offset >= 14) { +- *payload_size = be64_to_cpu(header->u.s64.l64); +- header_size = 14; +- mask = header->u.s64.m64; ++ if (payload_len < 126) { ++ *payload_remain = payload_len; ++ *header_size = 6; ++ *payload_mask = header->u.m; ++ } else if (payload_len == 126 && input->offset >= 8) { ++ *payload_remain = be16_to_cpu(header->u.s16.l16); ++ *header_size = 8; ++ *payload_mask = header->u.s16.m16; ++ } else if (payload_len == 127 && input->offset >= 14) { ++ *payload_remain = be64_to_cpu(header->u.s64.l64); ++ *header_size = 14; ++ *payload_mask = header->u.s64.m64; + } else { + /* header not complete */ + return 0; + } + +- *frame_size = header_size + *payload_size; ++ return 1; ++} + +- if (input->offset < *frame_size) { +- /* frame not complete */ ++int vncws_decode_frame_payload(Buffer *input, ++ size_t *payload_remain, WsMask *payload_mask, ++ uint8_t **payload, size_t *payload_size) ++{ ++ size_t i; ++ uint32_t *payload32; ++ ++ *payload = input->buffer; ++ /* If we aren't at the end of the payload, then drop ++ * off the last bytes, so we're always multiple of 4 ++ * for purpose of unmasking, except at end of payload ++ */ ++ if (input->offset < *payload_remain) { ++ *payload_size = input->offset - (input->offset % 4); ++ } else { ++ *payload_size = *payload_remain; ++ } ++ if (*payload_size == 0) { + return 0; + } +- +- *payload = input->buffer + header_size; ++ *payload_remain -= *payload_size; + + /* unmask frame */ + /* process 1 frame (32 bit op) */ + payload32 = (uint32_t *)(*payload); + for (i = 0; i < *payload_size / 4; i++) { +- payload32[i] ^= mask.u; ++ payload32[i] ^= payload_mask->u; + } + /* process the remaining bytes (if any) */ + for (i *= 4; i < *payload_size; i++) { +- (*payload)[i] ^= mask.c[i % 4]; ++ (*payload)[i] ^= payload_mask->c[i % 4]; + } + + return 1; +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.h +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.h ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.h +@@ -83,7 +83,12 @@ long vnc_client_read_ws(VncState *vs); + void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size); + void vncws_encode_frame(Buffer *output, const void *payload, + const size_t payload_size); +-int vncws_decode_frame(Buffer *input, uint8_t **payload, +- size_t *payload_size, size_t *frame_size); ++int vncws_decode_frame_header(Buffer *input, ++ size_t *header_size, ++ size_t *payload_remain, ++ WsMask *payload_mask); ++int vncws_decode_frame_payload(Buffer *input, ++ size_t *payload_remain, WsMask *payload_mask, ++ uint8_t **payload, size_t *payload_size); + + #endif /* __QEMU_UI_VNC_WS_H */ +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.h +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.h ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.h +@@ -302,6 +302,8 @@ struct VncState + #ifdef CONFIG_VNC_WS + Buffer ws_input; + Buffer ws_output; ++ size_t ws_payload_remain; ++ WsMask ws_payload_mask; + #endif + /* current output mode information */ + VncWritePixels *write_pixels; diff --git a/CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch b/CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch new file mode 100644 index 0000000..9b67a1f --- /dev/null +++ b/CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch @@ -0,0 +1,53 @@ +References: bsc#962632 CVE-2015-1779 + +Subject: CVE-2015-1779: limit size of HTTP headers from websockets clients +From: Daniel P. Berrange berrange@redhat.com Mon Mar 23 22:58:22 2015 +0000 +Date: Wed Apr 1 17:12:55 2015 +0200: +Git: 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41 + +The VNC server websockets decoder will read and buffer data from +websockets clients until it sees the end of the HTTP headers, +as indicated by \r\n\r\n. In theory this allows a malicious to +trick QEMU into consuming an arbitrary amount of RAM. In practice, +because QEMU runs g_strstr_len() across the buffered header data, +it will spend increasingly long burning CPU time searching for +the substring match and less & less time reading data. So while +this does cause arbitrary memory growth, the bigger problem is +that QEMU will be burning 100% of available CPU time. + +A novnc websockets client typically sends headers of around +512 bytes in length. As such it is reasonable to place a 4096 +byte limit on the amount of data buffered while searching for +the end of HTTP headers. + +Signed-off-by: Daniel P. Berrange +Signed-off-by: Gerd Hoffmann + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c +@@ -89,8 +89,11 @@ void vncws_handshake_read(void *opaque) + VncState *vs = opaque; + uint8_t *handshake_end; + long ret; +- buffer_reserve(&vs->ws_input, 4096); +- ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); ++ /* Typical HTTP headers from novnc are 512 bytes, so limiting ++ * total header size to 4096 is easily enough. */ ++ size_t want = 4096 - vs->ws_input.offset; ++ buffer_reserve(&vs->ws_input, want); ++ ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want); + + if (!ret) { + if (vs->csock == -1) { +@@ -107,6 +110,9 @@ void vncws_handshake_read(void *opaque) + vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset); + buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer + + strlen(WS_HANDSHAKE_END)); ++ } else if (vs->ws_input.offset >= 4096) { ++ VNC_DEBUG("End of headers not found in first 4096 bytes\n"); ++ vnc_client_error(vs); + } + } + diff --git a/CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch b/CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch new file mode 100644 index 0000000..1bb2603 --- /dev/null +++ b/CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch @@ -0,0 +1,30 @@ +References: bsc#962360 CVE-2015-7512 + +Backends could provide a packet whose length is greater than buffer +size. Check for this and truncate the packet to avoid rx buffer +overflow in this case. + +Cc: Prasad J Pandit +Cc: address@hidden +Signed-off-by: Jason Wang +--- + hw/net/pcnet.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c ++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c +@@ -1133,6 +1133,12 @@ static void pcnet_receive(void *opaque, + int pktcount = 0; + + if (!s->looptest) { ++ if (size > 4092) { ++#ifdef PCNET_DEBUG_RMD ++ fprintf(stderr, "pcnet: truncates rx packet.\n"); ++#endif ++ size = 4092; ++ } + memcpy(src, buf, size); + /* no need to compute the CRC */ + src[size] = 0; diff --git a/CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch b/CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch new file mode 100644 index 0000000..6ffd9ae --- /dev/null +++ b/CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch @@ -0,0 +1,30 @@ +References: bsc#962360 CVE-2015-7512 + +Backends could provide a packet whose length is greater than buffer +size. Check for this and truncate the packet to avoid rx buffer +overflow in this case. + +Cc: Prasad J Pandit +Cc: address@hidden +Signed-off-by: Jason Wang +--- + hw/net/pcnet.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/pcnet.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c +@@ -1086,6 +1086,12 @@ ssize_t pcnet_receive(NetClientState *nc + int pktcount = 0; + + if (!s->looptest) { ++ if (size > 4092) { ++#ifdef PCNET_DEBUG_RMD ++ fprintf(stderr, "pcnet: truncates rx packet.\n"); ++#endif ++ size = 4092; ++ } + memcpy(src, buf, size); + /* no need to compute the CRC */ + src[size] = 0; diff --git a/CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch b/CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch new file mode 100644 index 0000000..ea03b0c --- /dev/null +++ b/CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch @@ -0,0 +1,29 @@ +Reference: bsc#961358 CVE-2015-8613 + +From: Prasad J Pandit +Date: Mon, 21 Dec 2015 14:48:18 +0530 +Subject: [PATCH] scsi: initialise info object with appropriate size + +While processing controller 'CTRL_GET_INFO' command, the routine +'megasas_ctrl_get_info' overflows the '&info' object size. Use its +appropriate size to null initialise it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/megasas.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c +@@ -721,7 +721,7 @@ static int megasas_ctrl_get_info(Megasas + BusChild *kid; + int num_pd_disks = 0; + +- memset(&info, 0x0, cmd->iov_size); ++ memset(&info, 0x0, dcmd_size); + if (cmd->iov_size < dcmd_size) { + trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, + dcmd_size); diff --git a/CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch b/CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch new file mode 100644 index 0000000..0f133b5 --- /dev/null +++ b/CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch @@ -0,0 +1,43 @@ +From: Prasad J Pandit + +While doing ioport r/w operations, ne2000 device emulation suffers +from OOB r/w errors. Update respective array bounds check to avoid +OOB access. + +Reported-by: Ling Liu +Signed-off-by: Prasad J Pandit +--- + hw/net/ne2000.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +Updated as per review in + -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04863.html + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/ne2000.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/ne2000.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/ne2000.c +@@ -476,8 +476,9 @@ static inline void ne2000_mem_writel(NE2 + uint32_t val) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + stl_le_p(s->mem + addr, val); + } + } +@@ -506,8 +507,9 @@ static inline uint32_t ne2000_mem_readw( + static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + return ldl_le_p(s->mem + addr); + } else { + return 0xffffffff; diff --git a/CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch b/CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch new file mode 100644 index 0000000..f91610d --- /dev/null +++ b/CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch @@ -0,0 +1,69 @@ +Subject: net/vmxnet3: Refine l2 header validation +From: Dana Rubin dana.rubin@ravellosystems.com Tue Aug 18 12:45:55 2015 +0300 +Date: Mon Oct 12 13:19:29 2015 +0800: +Git: a7278b36fcab9af469563bd7b9dadebe2ae25e48 + +Validation of l2 header length assumed minimal packet size as +eth_header + 2 * vlan_header regardless of the actual protocol. + +This caused crash for valid non-IP packets shorter than 22 bytes, as +'tx_pkt->packet_type' hasn't been assigned for such packets, and +'vmxnet3_on_tx_done_update_stats()' expects it to be properly set. + +Refine header length validation in 'vmxnet_tx_pkt_parse_headers'. +Check its return value during packet processing flow. + +As a side effect, in case IPv4 and IPv6 header validation failure, +corrupt packets will be dropped. + +Signed-off-by: Dana Rubin +Signed-off-by: Shmulik Ladkani +Signed-off-by: Jason Wang + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c +@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx) + } + + if (txd.eop) { +- if (!s->skip_current_tx_pkt) { +- vmxnet_tx_pkt_parse(s->tx_pkt); +- ++ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) { + if (s->needs_vlan) { + vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci); + } +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c +@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt) + + bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base, + ETH_MAX_L2_HDR_LEN); +- if (bytes_read < ETH_MAX_L2_HDR_LEN) { ++ if (bytes_read < sizeof(struct eth_header)) { ++ l2_hdr->iov_len = 0; ++ return false; ++ } ++ ++ l2_hdr->iov_len = sizeof(struct eth_header); ++ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) { ++ case ETH_P_VLAN: ++ l2_hdr->iov_len += sizeof(struct vlan_header); ++ break; ++ case ETH_P_DVLAN: ++ l2_hdr->iov_len += 2 * sizeof(struct vlan_header); ++ break; ++ } ++ ++ if (bytes_read < l2_hdr->iov_len) { + l2_hdr->iov_len = 0; + return false; +- } else { +- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base); + } + + l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len); diff --git a/CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch b/CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch new file mode 100644 index 0000000..5588454 --- /dev/null +++ b/CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch @@ -0,0 +1,31 @@ +Subject: vmxnet3: Support reading IMR registers on bar0 +From: Shmulik Ladkani shmulik.ladkani@ravellosystems.com Mon Sep 21 17:09:02 2015 +0300 +Date: Mon Oct 12 13:19:29 2015 +0800: +Git: c6048f849c7e3f009786df76206e895a69de032c + +Instead of asserting, return the actual IMR register value. +This is aligned with what's returned on ESXi. + +Signed-off-by: Shmulik Ladkani +Tested-by: Dana Rubin +Signed-off-by: Jason Wang + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c +@@ -1108,9 +1108,13 @@ vmxnet3_io_bar0_write(void *opaque, hwad + static uint64_t + vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size) + { ++ VMXNET3State *s = opaque; ++ + if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR, + VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) { +- g_assert_not_reached(); ++ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR, ++ VMXNET3_REG_ALIGN); ++ return s->interrupt_states[l].is_masked; + } + + VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size); diff --git a/CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch b/CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch new file mode 100644 index 0000000..aaa789f --- /dev/null +++ b/CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch @@ -0,0 +1,45 @@ +Reference: bsc#961332 CVE-2016-1568 + +From: Prasad J Pandit + +When processing NCQ commands, ACHI device emulation prepares a +NCQ transfer object; To which an aio control block(aiocb) object +is assigned in 'execute_ncq_command'. In case, when the NCQ +command is invalid, the 'aiocb' object is not assigned, and NCQ +transfer object is left as 'used'. This leads to a use after +free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. +Reset NCQ transfer object to 'unused' to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +--- + hw/ide/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +Update as per review in + -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg01175.html + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/ahci.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/ide/ahci.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/ahci.c +@@ -902,7 +902,10 @@ static void process_ncq_command(AHCIStat + ncq_tfs->lba, ncq_tfs->lba + ncq_tfs->sector_count - 2, + s->dev[port].port.ifs[0].nb_sectors - 1); + +- ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0); ++ if (ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0) == -1) { ++ ncq_tfs->used = 0; ++ return; ++ } + ncq_tfs->tag = tag; + + switch(ncq_fis->command) { +@@ -943,6 +946,7 @@ static void process_ncq_command(AHCIStat + "error: tried to process non-NCQ command as NCQ\n"); + } + qemu_sglist_destroy(&ncq_tfs->sglist); ++ ncq_tfs->used = 0; + } + } + diff --git a/CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch b/CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch new file mode 100644 index 0000000..1868582 --- /dev/null +++ b/CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch @@ -0,0 +1,47 @@ +Reference: bsc#961692 CVE-2016-1714 + +When processing firmware configurations, an OOB r/w access occurs +if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff). +Add a check to validate 's->cur_entry' to avoid such access. + +Reported-by: Donghai Zdh +Signed-off-by: Prasad J Pandit +--- + hw/nvram/fw_cfg.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +Updated as per review in + -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00398.html + +Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/fw_cfg.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/fw_cfg.c ++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/fw_cfg.c +@@ -54,11 +54,15 @@ typedef struct _FWCfgState { + static void fw_cfg_write(FWCfgState *s, uint8_t value) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + FW_CFG_DPRINTF("write %d\n", value); + +- if (s->cur_entry & FW_CFG_WRITE_CHANNEL && s->cur_offset < e->len) { ++ if (s->cur_entry & FW_CFG_WRITE_CHANNEL ++ && e != NULL ++ && e->callback ++ && s->cur_offset < e->len) { + e->data[s->cur_offset++] = value; + if (s->cur_offset == e->len) { + e->callback(e->callback_opaque, e->data); +@@ -88,7 +92,8 @@ static int fw_cfg_select(FWCfgState *s, + static uint8_t fw_cfg_read(FWCfgState *s) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + uint8_t ret; + + if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) diff --git a/CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch b/CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch new file mode 100644 index 0000000..d6817b2 --- /dev/null +++ b/CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch @@ -0,0 +1,48 @@ +Reference: bsc#961692 CVE-2016-1714 + +When processing firmware configurations, an OOB r/w access occurs +if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff). +Add a check to validate 's->cur_entry' to avoid such access. + +Reported-by: Donghai Zdh +Signed-off-by: Prasad J Pandit +--- + hw/nvram/fw_cfg.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +Updated as per review in + -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00398.html + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c +@@ -211,12 +211,15 @@ static void fw_cfg_reboot(FWCfgState *s) + static void fw_cfg_write(FWCfgState *s, uint8_t value) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + trace_fw_cfg_write(s, value); + +- if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback && +- s->cur_offset < e->len) { ++ if (s->cur_entry & FW_CFG_WRITE_CHANNEL ++ && e != NULL ++ && e->callback ++ && s->cur_offset < e->len) { + e->data[s->cur_offset++] = value; + if (s->cur_offset == e->len) { + e->callback(e->callback_opaque, e->data); +@@ -245,7 +248,8 @@ static int fw_cfg_select(FWCfgState *s, + static uint8_t fw_cfg_read(FWCfgState *s) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + uint8_t ret; + + if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) diff --git a/ioemu-vnc-resize.patch b/ioemu-vnc-resize.patch index cf8f327..12b8385 100644 --- a/ioemu-vnc-resize.patch +++ b/ioemu-vnc-resize.patch @@ -1,8 +1,8 @@ -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c -@@ -1751,6 +1751,25 @@ static int protocol_client_msg(VncState +--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c ++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +@@ -1761,6 +1761,25 @@ static int protocol_client_msg(VncState } set_encodings(vs, (int32_t *)(data + 4), limit); diff --git a/xen.changes b/xen.changes index 11e4b3d..04d563e 100644 --- a/xen.changes +++ b/xen.changes @@ -1,3 +1,82 @@ +------------------------------------------------------------------- +Wed Jan 20 08:21:42 MST 2016 - carnold@suse.com + +- bsc#962758 - VUL-0: CVE-2013-4539: xen: tsc210x: buffer overrun + on invalid state load + CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch + +------------------------------------------------------------------- +Tue Jan 19 09:23:56 MST 2016 - carnold@suse.com + +- bsc#962632 - VUL-0: CVE-2015-1779: xen: vnc: insufficient + resource limiting in VNC websockets decoder + CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch + CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch +- bsc#962642 - VUL-0: CVE-2013-4537: xen: ssi-sd: buffer overrun on + invalid state load + CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch +- bsc#962627 - VUL-0: CVE-2014-7815: xen: vnc: insufficient + bits_per_pixel from the client sanitization + CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch + +------------------------------------------------------------------- +Mon Jan 18 09:04:10 MST 2016 - carnold@suse.com + +- bsc#962335 - VUL-0: CVE-2013-4538: xen: ssd0323: fix buffer + overun on invalid state + CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch +- bsc#962360 - VUL-0: CVE-2015-7512: xen: net: pcnet: buffer + overflow in non-loopback mode + CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch + CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch + +------------------------------------------------------------------- +Wed Jan 13 09:56:52 MST 2016 - carnold@suse.com + +- bsc#961692 - VUL-0: CVE-2016-1714: xen: nvram: OOB r/w access in + processing firmware configurations + CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch + CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch + +------------------------------------------------------------------- +Mon Jan 11 11:51:45 MST 2016 - carnold@suse.com + +- bsc#961358 - VUL-0: CVE-2015-8613: xen: qemu: scsi: stack based + buffer overflow in megasas_ctrl_get_info + CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch +- bsc#961332 - VUL-0: CVE-2016-1568: xen: Qemu: ide: ahci + use-after-free vulnerability in aio port commands + CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch + +------------------------------------------------------------------- +Thu Jan 7 10:38:20 MST 2016 - carnold@suse.com + +- bsc#959695 - missing docs for xen + xen.spec + +------------------------------------------------------------------- +Wed Jan 6 10:38:36 MST 2016 - carnold@suse.com + +- bsc#960862 - VUL-0: CVE-2016-1571: xen: VMX: intercept issue with + INVLPG on non-canonical address (XSA-168) + xsa168.patch +- bsc#960861 - VUL-0: CVE-2016-1570: xen: PV superpage + functionality missing sanity checks (XSA-167) + xsa167.patch +- bsc#960836 - VUL-0: CVE-2015-8744: xen: net: vmxnet3: incorrect + l2 header validation leads to a crash via assert(2) call + CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch + +------------------------------------------------------------------- +Tue Jan 5 13:56:08 MST 2016 - carnold@suse.com + +- bsc#960707 - VUL-0: CVE-2015-8745: xen: reading IMR registers + leads to a crash via assert(2) call + CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch +- bsc#960726 - VUL-0: CVE-2015-8743: xen: ne2000: OOB memory access + in ioport r/w functions + CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch + ------------------------------------------------------------------- Mon Jan 4 11:32:10 MST 2016 - carnold@suse.com diff --git a/xen.spec b/xen.spec index ff0cb2d..5702381 100644 --- a/xen.spec +++ b/xen.spec @@ -163,7 +163,7 @@ BuildRequires: xorg-x11-util-devel %endif %endif -Version: 4.6.0_06 +Version: 4.6.0_08 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0 @@ -239,6 +239,8 @@ Patch16202: xsa162-qemut.patch Patch164: xsa164.patch Patch165: xsa165.patch Patch166: xsa166.patch +Patch167: xsa167.patch +Patch168: xsa168.patch # Upstream qemu Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch @@ -260,11 +262,26 @@ Patch266: CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch Patch267: CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch Patch268: CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch Patch269: CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch +Patch270: CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch +Patch271: CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch +Patch272: CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch +Patch273: CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch +Patch274: CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch +Patch275: CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch +Patch276: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch +Patch277: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch +Patch278: CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch +Patch279: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch +Patch280: CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch +Patch281: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch +Patch282: CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch +Patch283: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch +Patch284: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch # Our platform specific patches -Patch301: xen-destdir.patch -Patch302: vif-bridge-no-iptables.patch -Patch303: vif-bridge-tap-fix.patch -Patch304: xl-conf-default-bridge.patch +Patch321: xen-destdir.patch +Patch322: vif-bridge-no-iptables.patch +Patch323: vif-bridge-tap-fix.patch +Patch324: xl-conf-default-bridge.patch # Needs to go upstream Patch330: suspend_evtchn_lock.patch Patch331: xenpaging.doc.patch @@ -565,6 +582,8 @@ Authors: %patch164 -p1 %patch165 -p1 %patch166 -p1 +%patch167 -p1 +%patch168 -p1 # Upstream qemu patches %patch250 -p1 %patch251 -p1 @@ -586,11 +605,26 @@ Authors: %patch267 -p1 %patch268 -p1 %patch269 -p1 +%patch270 -p1 +%patch271 -p1 +%patch272 -p1 +%patch273 -p1 +%patch274 -p1 +%patch275 -p1 +%patch276 -p1 +%patch277 -p1 +%patch278 -p1 +%patch279 -p1 +%patch280 -p1 +%patch281 -p1 +%patch282 -p1 +%patch283 -p1 +%patch284 -p1 # Our platform specific patches -%patch301 -p1 -%patch302 -p1 -%patch303 -p1 -%patch304 -p1 +%patch321 -p1 +%patch322 -p1 +%patch323 -p1 +%patch324 -p1 # Needs to go upstream %patch330 -p1 %patch331 -p1 @@ -855,8 +889,9 @@ for name in COPYING %SOURCE10 %SOURCE11 %SOURCE12; do install -m 644 $name $RPM_BUILD_ROOT/%{_defaultdocdir}/xen/ done for name in vtpm.txt crashdb.txt \ - xenpaging.txt xl-disk-configuration.txt xl-network-configuration.markdown \ - xl-numa-placement.markdown; do + xenpaging.txt xl-disk-configuration.txt pci-device-reservations.txt \ + xl-network-configuration.markdown xl-numa-placement.markdown \ + xen-command-line.markdown xenstore-paths.markdown; do install -m 644 docs/misc/$name $RPM_BUILD_ROOT/%{_defaultdocdir}/xen/misc/ done diff --git a/xsa167.patch b/xsa167.patch new file mode 100644 index 0000000..54ea44e --- /dev/null +++ b/xsa167.patch @@ -0,0 +1,78 @@ +x86/mm: PV superpage handling lacks sanity checks + +MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before +dereferencing pointers into the superpage frame table. + +get_superpage() has a similar issue. + +This is XSA-167. + +Signed-off-by: Jan Beulich +Acked-by: Ian Campbell + +Index: xen-4.6.0-testing/xen/arch/x86/mm.c +=================================================================== +--- xen-4.6.0-testing.orig/xen/arch/x86/mm.c ++++ xen-4.6.0-testing/xen/arch/x86/mm.c +@@ -2624,6 +2624,9 @@ int get_superpage(unsigned long mfn, str + + ASSERT(opt_allow_superpage); + ++ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) ) ++ return -EINVAL; ++ + spage = mfn_to_spage(mfn); + y = spage->type_info; + do { +@@ -3401,42 +3404,26 @@ long do_mmuext_op( + } + + case MMUEXT_MARK_SUPER: ++ case MMUEXT_UNMARK_SUPER: + { + unsigned long mfn = op.arg1.mfn; + +- if ( unlikely(d != pg_owner) ) +- rc = -EPERM; +- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) ) +- { +- MEM_LOG("Unaligned superpage reference mfn %lx", mfn); +- okay = 0; +- } +- else if ( !opt_allow_superpage ) ++ if ( !opt_allow_superpage ) + { + MEM_LOG("Superpages disallowed"); + rc = -ENOSYS; + } +- else +- rc = mark_superpage(mfn_to_spage(mfn), d); +- break; +- } +- +- case MMUEXT_UNMARK_SUPER: +- { +- unsigned long mfn = op.arg1.mfn; +- +- if ( unlikely(d != pg_owner) ) ++ else if ( unlikely(d != pg_owner) ) + rc = -EPERM; +- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) ) ++ else if ( mfn & (L1_PAGETABLE_ENTRIES - 1) ) + { + MEM_LOG("Unaligned superpage reference mfn %lx", mfn); +- okay = 0; +- } +- else if ( !opt_allow_superpage ) +- { +- MEM_LOG("Superpages disallowed"); +- rc = -ENOSYS; ++ rc = -EINVAL; + } ++ else if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) ) ++ rc = -EINVAL; ++ else if ( op.cmd == MMUEXT_MARK_SUPER ) ++ rc = mark_superpage(mfn_to_spage(mfn), d); + else + rc = unmark_superpage(mfn_to_spage(mfn)); + break; diff --git a/xsa168.patch b/xsa168.patch new file mode 100644 index 0000000..522a2d5 --- /dev/null +++ b/xsa168.patch @@ -0,0 +1,29 @@ +x86/VMX: prevent INVVPID failure due to non-canonical guest address + +While INVLPG (and on SVM INVLPGA) don't fault on non-canonical +addresses, INVVPID fails (in the "individual address" case) when passed +such an address. + +Since such intercepted INVLPG are effectively no-ops anyway, don't fix +this in vmx_invlpg_intercept(), but instead have paging_invlpg() never +return true in such a case. + +This is XSA-168. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper +Acked-by: Ian Campbell + +Index: xen-4.6.0-testing/xen/include/asm-x86/paging.h +=================================================================== +--- xen-4.6.0-testing.orig/xen/include/asm-x86/paging.h ++++ xen-4.6.0-testing/xen/include/asm-x86/paging.h +@@ -245,7 +245,7 @@ paging_fault(unsigned long va, struct cp + * or 0 if it's safe not to do so. */ + static inline int paging_invlpg(struct vcpu *v, unsigned long va) + { +- return paging_get_hostmode(v)->invlpg(v, va); ++ return is_canonical_address(va) && paging_get_hostmode(v)->invlpg(v, va); + } + + /* Translate a guest virtual address to the frame number that the