From 9b39a3d6504e7649c904c77c84d6baa4875f5dc7dce36f9b9c438020412848e2 Mon Sep 17 00:00:00 2001 
From: Charles Arnold Date: Wed, 3 Feb 2016 21:39:15 +0000 Subject: [PATCH] - bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in ne2000_receive() function CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch - bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch - bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on incoming migration CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch - bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table size to avoid integer overflows CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch - Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch - bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer dereference in ehci_caps_write CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=397 --- ...buffer-overrun-on-incoming-migration.patch | 49 +++++++++++++ ...-blktap-qcow1-validate-l2-table-size.patch | 32 ++++----- ...nite-loop-in-ne2000_receive-function.patch | 30 ++++++++ ...345-qemut-eepro100-infinite-loop-fix.patch | 71 +++++++++++++------ ...345-qemuu-eepro100-infinite-loop-fix.patch | 71 +++++++++++++------ ...inter-dereference-in-ehci_caps_write.patch | 38 ++++++++++ xen.changes | 29 ++++++++ xen.spec | 11 ++- 8 files changed, 265 insertions(+), 66 deletions(-) create mode 100644 CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch rename CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch => CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch (55%) create mode 100644 CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch create mode 100644 CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch 
diff --git a/CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch b/CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
new file mode 100644
index 0000000..12a942e
--- /dev/null
+++ b/CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
@@ -0,0 +1,49 @@
+References: bsc#964644 CVE-2013-4533
+
+Subject: pxa2xx: avoid buffer overrun on incoming migration
+From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:57 2014 +0300
+Date: Mon May 5 22:15:02 2014 +0200:
+Git: caa881abe0e01f9931125a0977ec33c5343e4aa7
+
+CVE-2013-4533
+
+s->rx_level is read from the wire and used to determine how many bytes
+to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
+length of s->rx_fifo[] the buffer can be overrun with arbitrary data
+from the wire.
+
+Fix this by validating rx_level against the size of s->rx_fifo.
+
+Cc: Don Koch
+Reported-by: Michael Roth
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: Peter Maydell
+Reviewed-by: Don Koch
+Signed-off-by: Juan Quintela
+
+Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
+===================================================================
+--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
+@@ -847,7 +847,7 @@ static void pxa2xx_ssp_save(QEMUFile *f,
+ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
+ {
+ struct pxa2xx_ssp_s *s = (struct pxa2xx_ssp_s *) opaque;
+- int i;
++ int i, v;
+
+ s->enable = qemu_get_be32(f);
+
+@@ -861,7 +861,11 @@ static int pxa2xx_ssp_load(QEMUFile *f,
+ qemu_get_8s(f, &s->ssrsa);
+ qemu_get_8s(f, &s->ssacd);
+
+- s->rx_level = qemu_get_byte(f);
++ v = qemu_get_byte(f);
++ if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
++ return -EINVAL;
++ }
++ s->rx_level = v;
+ s->rx_start = 0;
+ for (i = 0; i < s->rx_level; i ++)
+ s->rx_fifo[i] = qemu_get_byte(f);
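Review bot: The new bound check `if (v < 0 || v > ARRAY_SIZE(s->rx_fifo))` mixes a signed `int v` with the `size_t` result of `ARRAY_SIZE`, and it is only the preceding `v < 0` arm that keeps a negative value from being promoted to a huge unsigned and slipping past the upper bound; that ordering is load-bearing and deserves a comment. The upper bound intentionally admits `v == ARRAY_SIZE(s->rx_fifo)` because the copy loop below is `i < s->rx_level`, which is also worth stating so nobody "fixes" it to `>=`. I would add above the check: `/* rx_level comes from the migration stream: reject anything outside 0..ARRAY_SIZE(rx_fifo) before it sizes the copy loop below (CVE-2013-4533) */`. Presumably `qemu_get_byte()` only yields 0..255, so the `v < 0` arm is defensive rather than reachable — confirm against the traditional tree. pxa2xx_ssp_load's body continues outside the hunk.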
diff --git a/CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch b/CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
similarity index 55%
rename from CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
rename to CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
index 69f2ab7..45a526a 100644
--- a/CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
+++ b/CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
@@ -1,4 +1,4 @@
-References: bsc#877642
+References: bsc#964925
Subject: qcow1: Validate L2 table size (CVE-2014-0222)
From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
@@ -21,22 +21,18 @@ Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf
Reviewed-by: Benoit Canet
-Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/block/qcow.c
+Index: xen-4.6.0-testing/tools/blktap2/drivers/block-qcow.c
===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/block/qcow.c
-+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/block/qcow.c
-@@ -148,6 +148,14 @@ static int qcow_open(BlockDriverState *b
- goto fail;
- }
-+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
-+ * so bytes = num_entries << 3. */
-+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
-+ error_setg(errp, "L2 table size must be between 512 and 64k");
-+ ret = -EINVAL;
-+ goto fail;
-+ }
-+
- if (header.crypt_method > QCOW_CRYPT_AES) {
- error_setg(errp, "invalid encryption method in qcow header");
- ret = -EINVAL;
+--- xen-4.6.0-testing.orig/tools/blktap2/drivers/block-qcow.c
++++ xen-4.6.0-testing/tools/blktap2/drivers/block-qcow.c
+@@ -909,6 +909,10 @@ int tdqcow_open (td_driver_t *driver, co
+ if (header.size <= 1 || header.cluster_bits < 9)
+ goto fail;
++ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
++ * so bytes = num_entries << 3. */
++ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3)
++ goto fail;
+ if (header.crypt_method > QCOW_CRYPT_AES)
+ goto fail;
+ s->crypt_method_header = header.crypt_method;
diff --git a/CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch b/CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
new file mode 100644
index 0000000..c4d72df
--- /dev/null
+++ b/CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
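Review bot: The new `l2_bits` range check in tdqcow_open only closes one of the header-derived sizing hazards: the surrounding context still bounds `header.cluster_bits` from below only (`< 9`) and `header.size` only by `<= 1`, so a crafted qcow1 header with a very large cluster_bits or size may still feed oversized values into the L1/L2 table arithmetic that follows outside this hunk. Upstream QEMU hardened qcow1 with separate companion checks on the maximum cluster size and image size; confirm whether blktap's tdqcow_open enforces equivalents elsewhere, and if not, consider adding them here rather than porting only this one commit. Unlike the dropped qemuu variant, the blktap port fails with a bare `goto fail` and no message; a one-line diagnostic using whatever logging macro block-qcow.c already has would make a rejected image distinguishable from other open failures. tdqcow_open's body starts and ends outside the hunk.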
@@ -0,0 +1,30 @@
+References: bsc#964947 CVE-2015-5278
+
+Subject: net: avoid infinite loop when receiving packets(CVE-2015-5278)
+From: P J P pjp@fedoraproject.org Tue Sep 15 16:46:59 2015 +0530
+Date: Tue Sep 15 12:51:14 2015 +0100:
+Git: 737d2b3c41d59eb8f94ab7eb419b957938f24943
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, leading to an infinite
+loop situation.
+
+Reported-by: Qinghao Tang
+Signed-off-by: P J P
+Signed-off-by: Stefan Hajnoczi
+
+Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+===================================================================
+--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+@@ -328,7 +328,7 @@ static void ne2000_receive(void *opaque,
+ if (index <= s->stop)
+ avail = s->stop - index;
+ else
+- break;
++ break;
+ len = size;
+ if (len > avail)
+ len = avail;
diff --git a/CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch b/CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
index 6902981..d15b45b 100644
--- a/CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
+++ b/CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
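Review bot: The bare `break` that replaces `avail = 0;` carries no explanation, and the reason it is correct — that `index > s->stop` means the write cursor has left the receive ring window, so continuing could never make progress — is not obvious from the three visible lines. I would write it as `break; /* index ran past the ring's stop page: stop copying instead of spinning with avail == 0 (CVE-2015-5278) */`. Presumably the code after the loop, outside this hunk, still updates the ring pointers and status for a frame that was only partially copied; that matches upstream commit 737d2b3c, but the comment should say the truncation is deliberate so a later reader does not "fix" it by returning early. ne2000_receive's body starts and ends outside the hunk.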
@@ -1,34 +1,59 @@
References: bsc#956832 CVE-2015-8345
-From: Prasad J Pandit
-Date: Fri, 16 Oct 2015 11:33:27 +0530
-Subject: eepro100: prevent an infinite loop over same command block
+Subject: eepro100: Prevent two endless loops
+From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
+Date: Fri Nov 27 10:39:55 2015 +0800:
+Git: 00837731d254908a841d69298a4f9f077babaf24
-action_command() routine executes a chain of commands located
-in the Command Block List(CBL). Each Command Block(CB) has a
-link to the next CB in the list, given by 's->tx.link'.
-This is used in conjunction with the base address 's->cu_base'.
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
-An infinite loop unfolds if the 'link' to the next CB is
-same as the previous one, the loop ends up executing the same
-command over and over again.
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
-Reported-by: Qinghao Tang
-Signed-off-by: Prasad J Pandit
----
- hw/net/eepro100.c | 2 ++
- 1 file changed, 2 insertions(+)
+Reported-by: Qinghao Tang
+Signed-off-by: Stefan Weil
+Signed-off-by: Jason Wang
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
-@@ -674,6 +674,8 @@ static void eepro100_cu_command(EEPRO100
- next_command:
- cb_address = s->cu_base + s->cu_offset;
- cpu_physical_memory_read(cb_address, (uint8_t *) & tx, sizeof(tx));
-+ if (tx.link == s->cu_offset)
+@@ -657,6 +657,10 @@ static void eepro100_cu_command(EEPRO100
+ {
+ eepro100_tx_t tx;
+ uint32_t cb_address;
++ /* The loop below won't stop if it gets special handcrafted data.
++ Therefore we limit the number of iterations. */
++ unsigned max_loop_count = 16;
++
+ switch (val) {
+ case CU_NOP:
+ /* No operation. */
+@@ -685,6 +689,13 @@ static void eepro100_cu_command(EEPRO100
+ bool bit_nc = ((command & 0x0010) != 0);
+ //~ bool bit_sf = ((command & 0x0008) != 0);
+ uint16_t cmd = command & 0x0007;
++
++ if (max_loop_count-- == 0) {
++ /* Prevent an endless loop. (see goto next_command) */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
+ break;
- uint16_t status = le16_to_cpu(tx.status);
- uint16_t command = le16_to_cpu(tx.command);
- logout
++ }
++
+ s->cu_offset = le32_to_cpu(tx.link);
+ switch (cmd) {
+ case CmdNOp:
+@@ -726,6 +737,11 @@ static void eepro100_cu_command(EEPRO100
+ uint32_t tx_buffer_address = ldl_phys(tbd_address);
+ uint16_t tx_buffer_size = lduw_phys(tbd_address + 4);
+ //~ uint16_t tx_buffer_el = lduw_phys(tbd_address + 6);
++ if (tx_buffer_size == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
++ break;
++ }
+ tbd_address += 8;
+ logout
+ ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
diff --git a/CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch b/CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
index a366d63..969899d 100644
--- a/CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
+++ b/CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
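Review bot: The iteration cap `unsigned max_loop_count = 16;` is a bare magic number, and it changes observable behaviour beyond the CVE case: a guest that legitimately chains more than 16 command blocks per CU_START now has the remainder silently dropped with only a `logout()` line, which in this driver is routinely compiled out. Name the constant and document the trade-off at its definition, e.g. `/* Upper bound on CBs walked per CU_START; handcrafted CBLs can loop forever (CVE-2015-8345), so anything beyond this is dropped. */` above an `enum`/`#define` in place of the literal. The removed `tx.link == s->cu_offset` self-link test is subsumed by the cap, which is worth a sentence in the patch header so nobody re-adds it. The same literal and the same comment gap are in the qemuu variant (the hunks in CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch that follow); fix both together. eepro100_cu_command's body starts and ends outside the hunk.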
@@ -1,34 +1,59 @@
References: bsc#956832 CVE-2015-8345
-From: Prasad J Pandit
-Date: Fri, 16 Oct 2015 11:33:27 +0530
-Subject: eepro100: prevent an infinite loop over same command block
+Subject: eepro100: Prevent two endless loops
+From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
+Date: Fri Nov 27 10:39:55 2015 +0800:
+Git: 00837731d254908a841d69298a4f9f077babaf24
-action_command() routine executes a chain of commands located
-in the Command Block List(CBL). Each Command Block(CB) has a
-link to the next CB in the list, given by 's->tx.link'.
-This is used in conjunction with the base address 's->cu_base'.
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
-An infinite loop unfolds if the 'link' to the next CB is
-same as the previous one, the loop ends up executing the same
-command over and over again.
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
-Reported-by: Qinghao Tang
-Signed-off-by: Prasad J Pandit
----
- hw/net/eepro100.c | 2 ++
- 1 file changed, 2 insertions(+)
+Reported-by: Qinghao Tang
+Signed-off-by: Stefan Weil
+Signed-off-by: Jason Wang
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/eepro100.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
-@@ -863,6 +863,8 @@ static void action_command(EEPRO100State
- uint16_t ok_status = STATUS_OK;
- s->cb_address = s->cu_base + s->cu_offset;
- read_cb(s);
-+ if (s->tx.link == s->cu_offset)
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
+ #if 0
+ uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
+ #endif
++ if (tx_buffer_size == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
+ break;
- bit_el = ((s->tx.command & COMMAND_EL) != 0);
- bit_s = ((s->tx.command & COMMAND_S) != 0);
- bit_i = ((s->tx.command & COMMAND_I) != 0);
++ }
+ tbd_address += 8;
+ TRACE(RXTX, logout
+ ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100S
+
+ static void action_command(EEPRO100State *s)
+ {
++ /* The loop below won't stop if it gets special handcrafted data.
++ Therefore we limit the number of iterations. */
++ unsigned max_loop_count = 16;
++
+ for (;;) {
+ bool bit_el;
+ bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State
+ #if 0
+ bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+ #endif
++
++ if (max_loop_count-- == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
++ break;
++ }
++
+ s->cu_offset = s->tx.link;
+ TRACE(OTHER,
+ logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
diff --git a/CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch b/CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
new file mode 100644
index 0000000..0150c8c
--- /dev/null
+++ b/CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
@@ -0,0 +1,38 @@
+References: bsc#964415 CVE-2016-2198
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz
+Signed-off-by: Prasad J Pandit
+---
+ hw/usb/hcd-ehci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+===================================================================
+--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+@@ -899,6 +899,11 @@ static uint64_t ehci_caps_read(void *ptr
+ return s->caps[addr];
+ }
+
++static void ehci_caps_write(void *ptr, hwaddr addr,
++ uint64_t val, unsigned size)
++{
++}
++
+ static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+ unsigned size)
+ {
+@@ -2317,6 +2322,7 @@ static void ehci_frame_timer(void *opaqu
+
+ static const MemoryRegionOps ehci_mmio_caps_ops = {
+ .read = ehci_caps_read,
++ .write = ehci_caps_write,
+ .valid.min_access_size = 1,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 1,
diff --git a/xen.changes b/xen.changes
index 6b75057..ae922b5 100644
--- a/xen.changes
+++ b/xen.changes
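Review bot: The new `ehci_caps_write` has an empty body and no comment, so a reader of hcd-ehci.c sees a write handler that drops every write without learning whether that is the intended contract or an unfinished stub. Put the rationale where it will be read, inside the function: `/* Capability registers are read-only; a guest write lands here instead of on a NULL .write callback (CVE-2016-2198) and is deliberately ignored. */`. It is also worth a line in the patch header that no other behaviour changes, since the register contents are untouched. The four unused parameters are dictated by the MemoryRegionOps signature, so no `(void)` casts are needed unless this tree builds with -Wunused-parameter — verify.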
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Wed Feb 3 10:47:41 MST 2016 - carnold@suse.com
+
+- bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in
+ ne2000_receive() function
+ CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
+- bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100:
+ infinite loop in processing command block list
+ CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
+ CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
+
+-------------------------------------------------------------------
+Tue Feb 2 08:45:07 MST 2016 - carnold@suse.com
+
+- bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on
+ incoming migration
+ CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
+- bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table
+ size to avoid integer overflows
+ CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
+- Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
+
+-------------------------------------------------------------------
+Mon Feb 1 13:29:55 MST 2016 - carnold@suse.com
+
+- bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer
+ dereference in ehci_caps_write
+ CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
+
-------------------------------------------------------------------
Wed Jan 27 08:23:26 MST 2016 - carnold@suse.com
diff --git a/xen.spec b/xen.spec
index 6eba739..c40d2bd 100644
--- a/xen.spec
+++ b/xen.spec
@@ -15,6 +15,7 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+
# needssslcertforbuild
Name: xen
@@ -252,7 +253,6 @@ Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch
Patch258: 0008-e1000-check-buffer-availability.patch
Patch259: CVE-2015-4037-qemuu-smb-config-dir-name.patch
Patch260: CVE-2015-4037-qemut-smb-config-dir-name.patch
-Patch261: CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
Patch262: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
Patch263: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
Patch264: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
@@ -278,6 +278,9 @@ Patch283: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-c
Patch284: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
Patch285: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch286: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
+Patch287: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
+Patch288: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
+Patch289: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
# Our platform specific patches
Patch321: xen-destdir.patch
Patch322: vif-bridge-no-iptables.patch
@@ -332,6 +335,7 @@ Patch470: qemu-xen-upstream-qdisk-cache-unsafe.patch
Patch471: qemu-xen-enable-spice-support.patch
Patch472: tigervnc-long-press.patch
Patch473: xendomains-libvirtd-conflict.patch
+Patch474: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
# Hypervisor and PV driver Patches
Patch501: x86-ioapic-ack-default.patch
Patch502: x86-cpufreq-report.patch
@@ -597,7 +601,6 @@ Authors:
%patch258 -p1
%patch259 -p1
%patch260 -p1
-%patch261 -p1
%patch262 -p1
%patch263 -p1
%patch264 -p1
@@ -623,6 +626,9 @@ Authors:
%patch284 -p1
%patch285 -p1
%patch286 -p1
+%patch287 -p1
+%patch288 -p1
+%patch289 -p1
# Our platform specific patches
%patch321 -p1
%patch322 -p1
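Review bot: `Patch261` (the qemuu qcow1 L2-table fix) is removed here and the CVE is now addressed only by `Patch474` for blktap, but neither the spec nor the changelog entry "Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch" records why the qemu-xen tree no longer needs it; presumably the fix is already present upstream in the qemu-xen version this package builds, but that is an inference, not something the commit states. A one-line spec comment next to the new entry keeps the CVE coverage auditable, e.g. `# CVE-2014-0222: qemuu side already fixed in the bundled qemu-xen tree (verify on qemu-xen rebase)`. Note also that Patch474 is filed under "Our platform specific patches" while every other CVE-named patch sits in the security block above; moving it, or commenting why blktap fixes live here, would stop the next CVE sweep from overlooking it.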
@@ -677,6 +683,7 @@ Authors:
%patch471 -p1
%patch472 -p1
%patch473 -p1
+%patch474 -p1
# Hypervisor and PV driver Patches
%patch501 -p1
%patch502 -p1