- bsc#968004 - VUL-0: CVE-2016-2538: xen: usb: integer overflow in remote NDIS control message handling
  CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
- Update libxl to recognize dmmd and npiv prefix in disk spec
  xen.libxl.dmmd.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=403
Charles Arnold 2016-02-26 20:09:00 +00:00 committed by Git OBS Bridge
parent 4f6abaa92b
commit 5ef52f56fd
4 changed files with 187 additions and 2 deletions


@ -0,0 +1,55 @@
References: bsc#968004 CVE-2016-2538
Subject: usb: check RNDIS buffer offsets & length
From: Prasad J Pandit pjp@fedoraproject.org Wed Feb 17 00:23:41 2016 +0530
Date: Tue Feb 23 10:38:01 2016 +0100:
Git: fe3c546c5ff2a6210f9a4d8561cc64051ca8603e
When processing remote NDIS control message packets,
the USB Net device emulator uses a fixed length(4096) data buffer.
The incoming informationBufferOffset & Length combination could
overflow and cross that range. Check control message buffer
offsets and length to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
@@ -912,8 +912,9 @@ static int rndis_query_response(USBNetSt
bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
buflen = le32_to_cpu(buf->InformationBufferLength);
- if (bufoffs + buflen > length)
+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
return USB_RET_STALL;
+ }
infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
bufoffs + (uint8_t *) buf, buflen, infobuf,
@@ -958,8 +959,9 @@ static int rndis_set_response(USBNetStat
bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
buflen = le32_to_cpu(buf->InformationBufferLength);
- if (bufoffs + buflen > length)
+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
return USB_RET_STALL;
+ }
ret = ndis_set(s, le32_to_cpu(buf->OID),
bufoffs + (uint8_t *) buf, buflen);
@@ -1209,8 +1211,9 @@ static void usb_net_handle_dataout(USBNe
if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
uint32_t size = le32_to_cpu(msg->DataLength);
- if (offs + size <= len)
+ if (offs < len && size < len && offs + size <= len) {
qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
+ }
}
s->out_ptr -= len;
memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
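Review bot: The replaced `if` in rndis_query_response, and the identical one in rndis_set_response, are safe against wrap only because each operand is compared with `length` before the sum is formed, and nothing in the hunk records that reasoning; a one-line comment above each check would help, e.g. `/* bounds-check each operand first so bufoffs + buflen cannot wrap */`. The declarations of bufoffs, buflen and length are outside the hunk, so whether `length` is itself bounded by the 4096-byte buffer the description mentions cannot be confirmed from these lines. Note also that bufoffs already carries the +8 header adjustment from two lines earlier, so an InformationBufferOffset near the top of the 32-bit range wraps to a small bufoffs before the new check runs; as far as these lines show that still lands inside the message itself, but a comment (or an explicit check on the raw offset) would make the intent clear. The same pattern applies to the usb_net_handle_dataout hunk, and all three enclosing functions start and end outside their hunks.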


@ -1,9 +1,18 @@
-------------------------------------------------------------------
Wed Feb 24 08:05:02 MST 2016 - carnold@suse.com
- bsc#968004 - VUL-0: CVE-2016-2538: xen: usb: integer overflow in
remote NDIS control message handling
CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
-------------------------------------------------------------------
Thu Feb 18 10:39:00 MST 2016 - carnold@suse.com
- bsc#954872 - L3: script block-dmmd not working as expected -
libxl: error: libxl_dm.c
block-dmmd
- Update libxl to recognize dmmd and npiv prefix in disk spec
xen.libxl.dmmd.patch
-------------------------------------------------------------------
Wed Feb 17 08:30:35 MST 2016 - carnold@suse.com

xen.libxl.dmmd.patch Normal file

@ -0,0 +1,118 @@
References: bsc#954872
---
tools/libxl/libxl.c | 4 ++++
tools/libxl/libxl_device.c | 3 ++-
tools/libxl/libxl_dm.c | 34 +++++++++++++++++++++++++++++-----
tools/libxl/libxlu_disk_l.l | 2 ++
4 files changed, 37 insertions(+), 6 deletions(-)
Index: xen-4.6.1-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.6.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.6.1-testing/tools/libxl/libxl.c
@@ -2791,6 +2791,10 @@ static void device_disk_add(libxl__egc *
/* now create a phy device to export the device to the guest */
goto do_backend_phy;
case LIBXL_DISK_BACKEND_QDISK:
+ if (disk->script) {
+ script = libxl__abs_path(gc, disk->script, libxl__xen_script_dir_path());
+ flexarray_append_pair(back, "script", script);
+ }
flexarray_append(back, "params");
flexarray_append(back, libxl__sprintf(gc, "%s:%s",
libxl__device_disk_string_of_format(disk->format), disk->pdev_path));
Index: xen-4.6.1-testing/tools/libxl/libxl_device.c
===================================================================
--- xen-4.6.1-testing.orig/tools/libxl/libxl_device.c
+++ xen-4.6.1-testing/tools/libxl/libxl_device.c
@@ -235,7 +235,8 @@ static int disk_try_backend(disk_try_bac
return backend;
case LIBXL_DISK_BACKEND_QDISK:
- if (a->disk->script) goto bad_script;
+ LOG(DEBUG, "Disk vdev=%s, uses script=%s on %s backend",
+ a->disk->vdev, a->disk->script, libxl_disk_backend_to_string(backend));
return backend;
default:
Index: xen-4.6.1-testing/tools/libxl/libxl_dm.c
===================================================================
--- xen-4.6.1-testing.orig/tools/libxl/libxl_dm.c
+++ xen-4.6.1-testing/tools/libxl/libxl_dm.c
@@ -700,6 +700,30 @@ static char *dm_spice_options(libxl__gc
return opt;
}
+static void libxl__suse_node_to_path(libxl__gc *gc, int domid, const libxl_device_disk *dp, const char **pdev_path)
+{
+ libxl_ctx *ctx = libxl__gc_owner(gc);
+ char *be_path, *node;
+ libxl__device device;
+ libxl_device_disk disk;
+ int rc;
+
+ disk = *dp;
+ rc = libxl__device_from_disk(gc, domid, &disk, &device);
+ if (rc) {
+ LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "libxl__device_from_disk failed %d", rc);
+ return;
+ }
+ be_path = libxl__device_backend_path(gc, &device);
+
+ node = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/node", be_path));
+ if (!node)
+ return;
+
+ LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "replacing '%s' with '%s' from %s/node, just for qemu-xen", *pdev_path, node, be_path);
+ *pdev_path = node;
+}
+
static int libxl__build_device_model_args_new(libxl__gc *gc,
const char *dm, int guest_domid,
const libxl_domain_config *guest_config,
@@ -1099,7 +1123,9 @@ static int libxl__build_device_model_arg
libxl__device_disk_dev_number(disks[i].vdev, &disk, &part);
const char *format = qemu_disk_format_string(disks[i].format);
char *drive;
- const char *pdev_path;
+ const char *pdev_path = disks[i].pdev_path;
+
+ libxl__suse_node_to_path(gc, guest_domid, disks + i, &pdev_path);
if (dev_number == -1) {
LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "unable to determine"
@@ -1115,7 +1141,7 @@ static int libxl__build_device_model_arg
else
drive = libxl__sprintf
(gc, "file=%s,if=ide,index=%d,readonly=%s,media=cdrom,format=%s,cache=writeback,id=ide-%i",
- disks[i].pdev_path, disk, disks[i].readwrite ? "off" : "on", format, dev_number);
+ pdev_path, disk, disks[i].readwrite ? "off" : "on", format, dev_number);
} else {
if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) {
LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "cannot support"
@@ -1131,10 +1157,8 @@ static int libxl__build_device_model_arg
if (disks[i].backend == LIBXL_DISK_BACKEND_TAP) {
format = qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW);
- pdev_path = libxl__blktap_devpath(gc, disks[i].pdev_path,
+ pdev_path = libxl__blktap_devpath(gc, pdev_path,
disks[i].format);
- } else {
- pdev_path = disks[i].pdev_path;
}
/*
Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l
===================================================================
--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_l.l
+++ xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l
@@ -210,6 +210,8 @@ target=.* { STRIP(','); SAVESTRING("targ
free(newscript);
}
+dmmd:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
+npiv:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
tapdisk:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
tap2?:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
aio:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
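Review bot: In the libxl_device.c hunk the new `LOG(DEBUG, ...)` passes `a->disk->script` to a `%s` conversion unconditionally, yet the line it replaces (`if (a->disk->script) goto bad_script;`) shows that script is normally NULL for a qdisk, and a NULL `%s` argument is undefined behaviour in C even where glibc happens to print "(null)". Either log only when a script is set, `if (a->disk->script) LOG(DEBUG, ...);`, or substitute a placeholder, `a->disk->script ? a->disk->script : "(none)"`. In the libxl_dm.c hunk, libxl__suse_node_to_path replaces pdev_path with whatever `%s/node` holds in xenstore and the value is then formatted straight into the qemu `file=` drive option without validation; the backend path is presumably toolstack-owned, but a comment stating that trust assumption above `*pdev_path = node;` would help the next reader. disk_try_backend and libxl__build_device_model_args_new both start and end outside their hunks.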


@ -1,7 +1,7 @@
#
# spec file for package xen
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -15,7 +15,6 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needssslcertforbuild
Name: xen
@ -259,6 +258,7 @@ Patch290: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
Patch291: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
Patch292: CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
Patch293: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
Patch294: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
# Our platform specific patches
Patch321: xen-destdir.patch
Patch322: vif-bridge-no-iptables.patch
@ -314,6 +314,7 @@ Patch471: qemu-xen-enable-spice-support.patch
Patch472: tigervnc-long-press.patch
Patch473: xendomains-libvirtd-conflict.patch
Patch474: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
Patch475: xen.libxl.dmmd.patch
# Hypervisor and PV driver Patches
Patch501: x86-ioapic-ack-default.patch
Patch502: x86-cpufreq-report.patch
@ -585,6 +586,7 @@ Authors:
%patch291 -p1
%patch292 -p1
%patch293 -p1
%patch294 -p1
# Our platform specific patches
%patch321 -p1
%patch322 -p1
@ -640,6 +642,7 @@ Authors:
%patch472 -p1
%patch473 -p1
%patch474 -p1
%patch475 -p1
# Hypervisor and PV driver Patches
%patch501 -p1
%patch502 -p1