diff --git a/CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch b/CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
new file mode 100644
index 0000000..2e512fb
--- /dev/null
+++ b/CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
@@ -0,0 +1,55 @@
+References: bsc#968004 CVE-2016-2538
+
+Subject: usb: check RNDIS buffer offsets & length
+From: Prasad J Pandit pjp@fedoraproject.org Wed Feb 17 00:23:41 2016 +0530
+Date: Tue Feb 23 10:38:01 2016 +0100:
+Git: fe3c546c5ff2a6210f9a4d8561cc64051ca8603e
+
+When processing remote NDIS control message packets,
+the USB Net device emulator uses a fixed length(4096) data buffer.
+The incoming informationBufferOffset & Length combination could
+overflow and cross that range. Check control message buffer
+offsets and length to avoid it.
+
+Reported-by: Qinghao Tang
+Signed-off-by: Prasad J Pandit
+Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann
+
+Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
++++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
+@@ -912,8 +912,9 @@ static int rndis_query_response(USBNetSt
+
+ bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+ buflen = le32_to_cpu(buf->InformationBufferLength);
+- if (bufoffs + buflen > length)
++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
+ return USB_RET_STALL;
++ }
+
+ infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
+ bufoffs + (uint8_t *) buf, buflen, infobuf,
+@@ -958,8 +959,9 @@ static int rndis_set_response(USBNetStat
+
+ bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+ buflen = le32_to_cpu(buf->InformationBufferLength);
+- if (bufoffs + buflen > length)
++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
+ return USB_RET_STALL;
++ }
+
+ ret = ndis_set(s, le32_to_cpu(buf->OID),
+ bufoffs + (uint8_t *) buf, buflen);
+@@ -1209,8 +1211,9 @@ static void usb_net_handle_dataout(USBNe
+ if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
+ uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
+ uint32_t size = le32_to_cpu(msg->DataLength);
+- if (offs + size <= len)
++ if (offs < len && size < len && offs + size <= len) {
+ qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
++ }
+ }
+ s->out_ptr -= len;
+ memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
diff --git a/xen.changes b/xen.changes
index 0cfdfac..3d62ebb 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,9 +1,18 @@
+-------------------------------------------------------------------
+Wed Feb 24 08:05:02 MST 2016 - carnold@suse.com
+
+- bsc#968004 - VUL-0: CVE-2016-2538: xen: usb: integer overflow in
+ remote NDIS control message handling
+ CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
+
-------------------------------------------------------------------
Thu Feb 18 10:39:00 MST 2016 - carnold@suse.com
- bsc#954872 - L3: script block-dmmd not working as expected
- libxl: error: libxl_dm.c block-dmmd
+- Update libxl to recognize dmmd and npiv prefix in disk spec
+ xen.libxl.dmmd.patch
-------------------------------------------------------------------
Wed Feb 17 08:30:35 MST 2016 - carnold@suse.com
diff --git a/xen.libxl.dmmd.patch b/xen.libxl.dmmd.patch
new file mode 100644
index 0000000..3d06601
--- /dev/null
+++ b/xen.libxl.dmmd.patch
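Review bot: The new three-term condition in rndis_query_response is only correct because `buflen > length` and `bufoffs >= length` each bound one operand before `bufoffs + buflen` is evaluated, which is what keeps the 32-bit sum from wrapping (length is at most the 4096-byte buffer the commit message describes, assuming bufoffs and buflen are uint32_t like offs and size in the usb_net_handle_dataout hunk); nothing in the hunk records this, so a later "simplification" back to the single-sum form would silently reopen the overflow. Add above the condition in all three hunks: `/* bound each operand by length first: the sum alone can wrap in 32 bits */`. Note that the `+ 8` applied to bufoffs can itself wrap for an InformationBufferOffset near UINT32_MAX; the wrapped value is then below length and the read stays inside buf, so it is memory-safe but points at the message header rather than the information buffer — worth a second comment, or an explicit `if (bufoffs < 8) return USB_RET_STALL;` if the maintainers prefer to reject it. rndis_set_response has the same shape, while usb_net_handle_dataout uses `size < len` where the other two use `buflen > length`, which is harmless but inconsistent. All three enclosing functions start outside the hunk.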
@@ -0,0 +1,118 @@
+References: bsc#954872
+
+---
+ tools/libxl/libxl.c | 4 ++++
+ tools/libxl/libxl_device.c | 3 ++-
+ tools/libxl/libxl_dm.c | 34 +++++++++++++++++++++++++++++-----
+ tools/libxl/libxlu_disk_l.l | 2 ++
+ 4 files changed, 37 insertions(+), 6 deletions(-)
+
+Index: xen-4.6.1-testing/tools/libxl/libxl.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/libxl/libxl.c
++++ xen-4.6.1-testing/tools/libxl/libxl.c
+@@ -2791,6 +2791,10 @@ static void device_disk_add(libxl__egc *
+ /* now create a phy device to export the device to the guest */
+ goto do_backend_phy;
+ case LIBXL_DISK_BACKEND_QDISK:
++ if (disk->script) {
++ script = libxl__abs_path(gc, disk->script, libxl__xen_script_dir_path());
++ flexarray_append_pair(back, "script", script);
++ }
+ flexarray_append(back, "params");
+ flexarray_append(back, libxl__sprintf(gc, "%s:%s",
+ libxl__device_disk_string_of_format(disk->format), disk->pdev_path));
+Index: xen-4.6.1-testing/tools/libxl/libxl_device.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/libxl/libxl_device.c
++++ xen-4.6.1-testing/tools/libxl/libxl_device.c
+@@ -235,7 +235,8 @@ static int disk_try_backend(disk_try_bac
+ return backend;
+
+ case LIBXL_DISK_BACKEND_QDISK:
+- if (a->disk->script) goto bad_script;
++ LOG(DEBUG, "Disk vdev=%s, uses script=%s on %s backend",
++ a->disk->vdev, a->disk->script, libxl_disk_backend_to_string(backend));
+ return backend;
+
+ default:
+Index: xen-4.6.1-testing/tools/libxl/libxl_dm.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/libxl/libxl_dm.c
++++ xen-4.6.1-testing/tools/libxl/libxl_dm.c
+@@ -700,6 +700,30 @@ static char *dm_spice_options(libxl__gc
+ return opt;
+ }
+
++static void libxl__suse_node_to_path(libxl__gc *gc, int domid, const libxl_device_disk *dp, const char **pdev_path)
++{
++ libxl_ctx *ctx = libxl__gc_owner(gc);
++ char *be_path, *node;
++ libxl__device device;
++ libxl_device_disk disk;
++ int rc;
++
++ disk = *dp;
++ rc = libxl__device_from_disk(gc, domid, &disk, &device);
++ if (rc) {
++ LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "libxl__device_from_disk failed %d", rc);
++ return;
++ }
++ be_path = libxl__device_backend_path(gc, &device);
++
++ node = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/node", be_path));
++ if (!node)
++ return;
++
++ LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "replacing '%s' with '%s' from %s/node, just for qemu-xen", *pdev_path, node, be_path);
++ *pdev_path = node;
++}
++
+ static int libxl__build_device_model_args_new(libxl__gc *gc,
+ const char *dm, int guest_domid,
+ const libxl_domain_config *guest_config,
+@@ -1099,7 +1123,9 @@ static int libxl__build_device_model_arg
+ libxl__device_disk_dev_number(disks[i].vdev, &disk, &part);
+ const char *format = qemu_disk_format_string(disks[i].format);
+ char *drive;
+- const char *pdev_path;
++ const char *pdev_path = disks[i].pdev_path;
++
++ libxl__suse_node_to_path(gc, guest_domid, disks + i, &pdev_path);
+
+ if (dev_number == -1) {
+ LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "unable to determine"
+@@ -1115,7 +1141,7 @@ static int libxl__build_device_model_arg
+ else
+ drive = libxl__sprintf
+ (gc, "file=%s,if=ide,index=%d,readonly=%s,media=cdrom,format=%s,cache=writeback,id=ide-%i",
+- disks[i].pdev_path, disk, disks[i].readwrite ? "off" : "on", format, dev_number);
++ pdev_path, disk, disks[i].readwrite ? "off" : "on", format, dev_number);
+ } else {
+ if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) {
+ LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "cannot support"
+@@ -1131,10 +1157,8 @@ static int libxl__build_device_model_arg
+
+ if (disks[i].backend == LIBXL_DISK_BACKEND_TAP) {
+ format = qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW);
+- pdev_path = libxl__blktap_devpath(gc, disks[i].pdev_path,
++ pdev_path = libxl__blktap_devpath(gc, pdev_path,
+ disks[i].format);
+- } else {
+- pdev_path = disks[i].pdev_path;
+ }
+
+ /*
+Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l
+===================================================================
+--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_l.l
++++ xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l
+@@ -210,6 +210,8 @@ target=.* { STRIP(','); SAVESTRING("targ
+ free(newscript);
+ }
+
++dmmd:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
++npiv:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
+ tapdisk:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
+ tap2?:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
+ aio:/.* { DPC->had_depr_prefix=1; DEPRECATE(0); }
diff --git a/xen.spec b/xen.spec
index a3457db..a00602c 100644
--- a/xen.spec
+++ b/xen.spec
@@ -1,7 +1,7 @@
#
# spec file for package xen
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -15,7 +15,6 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
-
# needssslcertforbuild
Name: xen
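Review bot: In the libxl_device.c hunk the replacement `LOG(DEBUG, ...)` passes `a->disk->script` to a `%s` conversion unconditionally, but the line it replaces (`if (a->disk->script) goto bad_script;`) existed because script is frequently NULL for a QDISK disk, and a NULL `%s` argument is undefined behaviour in C (glibc happens to print "(null)", other libcs can crash). Guard it: `a->disk->vdev, a->disk->script ? a->disk->script : "(none)", libxl_disk_backend_to_string(backend));`. In libxl__suse_node_to_path the device path handed to qemu is overwritten with whatever `%s/node` holds under the backend's xenstore directory, with no validation; this is presumably acceptable because that directory is written by the dom0 block script rather than the guest, but the function deserves a header comment stating that trust assumption, and `disk = *dp;` needs a why-comment (presumably a non-const copy because libxl__device_from_disk takes a mutable pointer — confirm). disk_try_backend and libxl__build_device_model_args_new both start outside the hunk.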
@@ -259,6 +258,7 @@ Patch290: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
Patch291: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
Patch292: CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
Patch293: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
+Patch294: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
# Our platform specific patches
Patch321: xen-destdir.patch
Patch322: vif-bridge-no-iptables.patch
@@ -314,6 +314,7 @@ Patch471: qemu-xen-enable-spice-support.patch
Patch472: tigervnc-long-press.patch
Patch473: xendomains-libvirtd-conflict.patch
Patch474: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
+Patch475: xen.libxl.dmmd.patch
# Hypervisor and PV driver Patches
Patch501: x86-ioapic-ack-default.patch
Patch502: x86-cpufreq-report.patch
@@ -585,6 +586,7 @@ Authors:
%patch291 -p1
%patch292 -p1
%patch293 -p1
+%patch294 -p1
# Our platform specific patches
%patch321 -p1
%patch322 -p1
@@ -640,6 +642,7 @@ Authors:
%patch472 -p1
%patch473 -p1
%patch474 -p1
+%patch475 -p1
# Hypervisor and PV driver Patches
%patch501 -p1
%patch502 -p1