- bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in

ne2000_receive() function
  CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
- bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100:
  infinite loop in processing command block list
  CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
  CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch

- bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on
  incoming migration
  CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
- bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table
  size to avoid integer overflows
  CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
- Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch

- bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer
  dereference in ehci_caps_write
  CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=397

CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch

@@ -0,0 +1,49 @@
+References: bsc#964644 CVE-2013-4533
+
+Subject: pxa2xx: avoid buffer overrun on incoming migration
+From: Michael S. Tsirkin mst@redhat.com Thu Apr 3 19:51:57 2014 +0300
+Date: Mon May 5 22:15:02 2014 +0200:
+Git: caa881abe0e01f9931125a0977ec33c5343e4aa7
+
+CVE-2013-4533
+
+s->rx_level is read from the wire and used to determine how many bytes
+to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
+length of s->rx_fifo[] the buffer can be overrun with arbitrary data
+from the wire.
+
+Fix this by validating rx_level against the size of s->rx_fifo.
+
+Cc: Don Koch <dkoch@verizon.com>
+Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+
+Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
+===================================================================
+--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pxa2xx.c
+@@ -847,7 +847,7 @@ static void pxa2xx_ssp_save(QEMUFile *f,
+ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
+ {
+     struct pxa2xx_ssp_s *s = (struct pxa2xx_ssp_s *) opaque;
+-    int i;
++    int i, v;
+ 
+     s->enable = qemu_get_be32(f);
+ 
+@@ -861,7 +861,11 @@ static int pxa2xx_ssp_load(QEMUFile *f,
+     qemu_get_8s(f, &s->ssrsa);
+     qemu_get_8s(f, &s->ssacd);
+ 
+-    s->rx_level = qemu_get_byte(f);
++    v = qemu_get_byte(f);
++    if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
++        return -EINVAL;
++    }
++    s->rx_level = v;
+     s->rx_start = 0;
+     for (i = 0; i < s->rx_level; i ++)
+         s->rx_fifo[i] = qemu_get_byte(f);

CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch

@@ -1,4 +1,4 @@
-References: bsc#877642
+References: bsc#964925
 
 Subject: qcow1: Validate L2 table size (CVE-2014-0222)
 From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
@@ -21,22 +21,18 @@ Cc: qemu-stable@nongnu.org
 Signed-off-by: Kevin Wolf <kwolf@redhat.com>
 Reviewed-by: Benoit Canet <benoit@irqsave.net>
 
-Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/block/qcow.c
+Index: xen-4.6.0-testing/tools/blktap2/drivers/block-qcow.c
 ===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/block/qcow.c
+--- xen-4.6.0-testing.orig/tools/blktap2/drivers/block-qcow.c
-+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/block/qcow.c
++++ xen-4.6.0-testing/tools/blktap2/drivers/block-qcow.c
-@@ -148,6 +148,14 @@ static int qcow_open(BlockDriverState *b
+@@ -909,6 +909,10 @@ int tdqcow_open (td_driver_t *driver, co
-         goto fail;
-     }
  
-+    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+ 	if (header.size <= 1 || header.cluster_bits < 9)
-+     * so bytes = num_entries << 3. */
+ 		goto fail;
-+    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
++	/* l2_bits specifies number of entries; storing a uint64_t in each entry,
-+        error_setg(errp, "L2 table size must be between 512 and 64k");
++	 * so bytes = num_entries << 3. */
-+        ret = -EINVAL;
++	if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3)
-+        goto fail;
++		goto fail;
-+    }
+ 	if (header.crypt_method > QCOW_CRYPT_AES)
-+
+ 		goto fail;
-     if (header.crypt_method > QCOW_CRYPT_AES) {
+ 	s->crypt_method_header = header.crypt_method;
-         error_setg(errp, "invalid encryption method in qcow header");
-         ret = -EINVAL;

CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch

@@ -0,0 +1,30 @@
+References: bsc#964947 CVE-2015-5278
+
+Subject: net: avoid infinite loop when receiving packets(CVE-2015-5278)
+From: P J P pjp@fedoraproject.org Tue Sep 15 16:46:59 2015 +0530
+Date: Tue Sep 15 12:51:14 2015 +0100:
+Git: 737d2b3c41d59eb8f94ab7eb419b957938f24943
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, leading to an infinite
+loop situation.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+===================================================================
+--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
++++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+@@ -328,7 +328,7 @@ static void ne2000_receive(void *opaque,
+         if (index <= s->stop)
+             avail = s->stop - index;
+         else
+-            avail = 0;
++            break;
+         len = size;
+         if (len > avail)
+             len = avail;

CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch

@@ -1,34 +1,59 @@
 References: bsc#956832 CVE-2015-8345
 
-From: Prasad J Pandit <address@hidden>
+Subject: eepro100: Prevent two endless loops
-Date: Fri, 16 Oct 2015 11:33:27 +0530
+From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
-Subject: eepro100: prevent an infinite loop over same command block
+Date: Fri Nov 27 10:39:55 2015 +0800:
+Git: 00837731d254908a841d69298a4f9f077babaf24
 
-action_command() routine executes a chain of commands located
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
-in the Command Block List(CBL). Each Command Block(CB) has a
+shows an example how an endless loop in function action_command can
-link to the next CB in the list, given by 's->tx.link'.
+be achieved.
-This is used in conjunction with the base address 's->cu_base'.
 
-An infinite loop unfolds if the 'link' to the next CB is
+During my code review, I noticed a 2nd case which can result in an
-same as the previous one, the loop ends up executing the same
+endless loop.
-command over and over again.
 
-Reported-by: Qinghao Tang <address@hidden>
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <address@hidden>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
----
+Signed-off-by: Jason Wang <jasowang@redhat.com>
- hw/net/eepro100.c | 2 ++
- 1 file changed, 2 insertions(+)
 
 Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
 ===================================================================
 --- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
 +++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
-@@ -674,6 +674,8 @@ static void eepro100_cu_command(EEPRO100
+@@ -657,6 +657,10 @@ static void eepro100_cu_command(EEPRO100
-       next_command:
+ {
-         cb_address = s->cu_base + s->cu_offset;
+     eepro100_tx_t tx;
-         cpu_physical_memory_read(cb_address, (uint8_t *) & tx, sizeof(tx));
+     uint32_t cb_address;
-+        if (tx.link == s->cu_offset)
++    /* The loop below won't stop if it gets special handcrafted data.
++       Therefore we limit the number of iterations. */
++    unsigned max_loop_count = 16;
++
+     switch (val) {
+     case CU_NOP:
+         /* No operation. */
+@@ -685,6 +689,13 @@ static void eepro100_cu_command(EEPRO100
+         bool bit_nc = ((command & 0x0010) != 0);
+         //~ bool bit_sf = ((command & 0x0008) != 0);
+         uint16_t cmd = command & 0x0007;
++
++        if (max_loop_count-- == 0) {
++            /* Prevent an endless loop. (see goto next_command) */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
 +            break;
-         uint16_t status = le16_to_cpu(tx.status);
++        }
-         uint16_t command = le16_to_cpu(tx.command);
++
-         logout
+         s->cu_offset = le32_to_cpu(tx.link);
+         switch (cmd) {
+         case CmdNOp:
+@@ -726,6 +737,11 @@ static void eepro100_cu_command(EEPRO100
+                 uint32_t tx_buffer_address = ldl_phys(tbd_address);
+                 uint16_t tx_buffer_size = lduw_phys(tbd_address + 4);
+                 //~ uint16_t tx_buffer_el = lduw_phys(tbd_address + 6);
++                if (tx_buffer_size == 0) {
++                    /* Prevent an endless loop. */
++                    logout("loop in %s:%u\n", __FILE__, __LINE__);
++                    break;
++                }
+                 tbd_address += 8;
+                 logout
+                     ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",

CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch

@@ -1,34 +1,59 @@
 References: bsc#956832 CVE-2015-8345
 
-From: Prasad J Pandit <address@hidden>
+Subject: eepro100: Prevent two endless loops
-Date: Fri, 16 Oct 2015 11:33:27 +0530
+From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
-Subject: eepro100: prevent an infinite loop over same command block
+Date: Fri Nov 27 10:39:55 2015 +0800:
+Git: 00837731d254908a841d69298a4f9f077babaf24
 
-action_command() routine executes a chain of commands located
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
-in the Command Block List(CBL). Each Command Block(CB) has a
+shows an example how an endless loop in function action_command can
-link to the next CB in the list, given by 's->tx.link'.
+be achieved.
-This is used in conjunction with the base address 's->cu_base'.
 
-An infinite loop unfolds if the 'link' to the next CB is
+During my code review, I noticed a 2nd case which can result in an
-same as the previous one, the loop ends up executing the same
+endless loop.
-command over and over again.
 
-Reported-by: Qinghao Tang <address@hidden>
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
-Signed-off-by: Prasad J Pandit <address@hidden>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
----
+Signed-off-by: Jason Wang <jasowang@redhat.com>
- hw/net/eepro100.c | 2 ++
- 1 file changed, 2 insertions(+)
 
 Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
 ===================================================================
 --- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/eepro100.c
 +++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
-@@ -863,6 +863,8 @@ static void action_command(EEPRO100State
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
-         uint16_t ok_status = STATUS_OK;
+ #if 0
-         s->cb_address = s->cu_base + s->cu_offset;
+         uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
-         read_cb(s);
+ #endif
-+        if (s->tx.link == s->cu_offset)
++        if (tx_buffer_size == 0) {
++            /* Prevent an endless loop. */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
 +            break;
-         bit_el = ((s->tx.command & COMMAND_EL) != 0);
++        }
-         bit_s = ((s->tx.command & COMMAND_S) != 0);
+         tbd_address += 8;
-         bit_i = ((s->tx.command & COMMAND_I) != 0);
+         TRACE(RXTX, logout
+             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100S
+ 
+ static void action_command(EEPRO100State *s)
+ {
++    /* The loop below won't stop if it gets special handcrafted data.
++       Therefore we limit the number of iterations. */
++    unsigned max_loop_count = 16;
++
+     for (;;) {
+         bool bit_el;
+         bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State
+ #if 0
+         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+ #endif
++
++        if (max_loop_count-- == 0) {
++            /* Prevent an endless loop. */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
++            break;
++        }
++
+         s->cu_offset = s->tx.link;
+         TRACE(OTHER,
+               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",

CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch

@@ -0,0 +1,38 @@
+References: bsc#964415 CVE-2016-2198
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/usb/hcd-ehci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+===================================================================
+--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+@@ -899,6 +899,11 @@ static uint64_t ehci_caps_read(void *ptr
+     return s->caps[addr];
+ }
+ 
++static void ehci_caps_write(void *ptr, hwaddr addr,
++                             uint64_t val, unsigned size)
++{
++}
++
+ static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+                                 unsigned size)
+ {
+@@ -2317,6 +2322,7 @@ static void ehci_frame_timer(void *opaqu
+ 
+ static const MemoryRegionOps ehci_mmio_caps_ops = {
+     .read = ehci_caps_read,
++    .write = ehci_caps_write,
+     .valid.min_access_size = 1,
+     .valid.max_access_size = 4,
+     .impl.min_access_size = 1,

xen.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Wed Feb  3 10:47:41 MST 2016 - carnold@suse.com
+
+- bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in
+  ne2000_receive() function
+  CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
+- bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100:
+  infinite loop in processing command block list
+  CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
+  CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
+
+-------------------------------------------------------------------
+Tue Feb  2 08:45:07 MST 2016 - carnold@suse.com
+
+- bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on
+  incoming migration
+  CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
+- bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table
+  size to avoid integer overflows
+  CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
+- Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
+
+-------------------------------------------------------------------
+Mon Feb  1 13:29:55 MST 2016 - carnold@suse.com
+
+- bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer
+  dereference in ehci_caps_write
+  CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
+
 -------------------------------------------------------------------
 Wed Jan 27 08:23:26 MST 2016 - carnold@suse.com
 

xen.spec

@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 # needssslcertforbuild
 
 Name:           xen
@@ -252,7 +253,6 @@ Patch257:       0007-e1000-verify-we-have-buffers-upfront.patch
 Patch258:       0008-e1000-check-buffer-availability.patch
 Patch259:       CVE-2015-4037-qemuu-smb-config-dir-name.patch
 Patch260:       CVE-2015-4037-qemut-smb-config-dir-name.patch
-Patch261:       CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
 Patch262:       CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
 Patch263:       CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
 Patch264:       CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
@@ -278,6 +278,9 @@ Patch283:       CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-c
 Patch284:       CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
 Patch285:       CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
 Patch286:       CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
+Patch287:       CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
+Patch288:       CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
+Patch289:       CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
 # Our platform specific patches
 Patch321:       xen-destdir.patch
 Patch322:       vif-bridge-no-iptables.patch
@@ -332,6 +335,7 @@ Patch470:       qemu-xen-upstream-qdisk-cache-unsafe.patch
 Patch471:       qemu-xen-enable-spice-support.patch
 Patch472:       tigervnc-long-press.patch
 Patch473:       xendomains-libvirtd-conflict.patch
+Patch474:       CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
 # Hypervisor and PV driver Patches
 Patch501:       x86-ioapic-ack-default.patch
 Patch502:       x86-cpufreq-report.patch
@@ -597,7 +601,6 @@ Authors:
 %patch258 -p1
 %patch259 -p1
 %patch260 -p1
-%patch261 -p1
 %patch262 -p1
 %patch263 -p1
 %patch264 -p1
@@ -623,6 +626,9 @@ Authors:
 %patch284 -p1
 %patch285 -p1
 %patch286 -p1
+%patch287 -p1
+%patch288 -p1
+%patch289 -p1
 # Our platform specific patches
 %patch321 -p1
 %patch322 -p1
@@ -677,6 +683,7 @@ Authors:
 %patch471 -p1
 %patch472 -p1
 %patch473 -p1
+%patch474 -p1
 # Hypervisor and PV driver Patches
 %patch501 -p1
 %patch502 -p1