From b87fe0a367d1bf53d9ef24c80c9d996ac6b6cf2267e6e0d63711dd55307ac7d1 Mon Sep 17 00:00:00 2001 
From: Charles Arnold
Date: Thu, 3 Mar 2016 22:36:20 +0000
Subject: [PATCH] - bsc#969351 - VUL-0: CVE-2016-2841: xen: net: ne2000: infinite loop in ne2000_receive
  CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
- Use system qemu instead of building/installing yet another qemu FATE#320638
- Dropped files
  qemu-xen-dir-remote.tar.bz2
  CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
  CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
  CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
  CVE-2015-4037-qemuu-smb-config-dir-name.patch
  CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
  CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
  CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
  CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
  CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
  CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
  CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
  CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
  CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
  CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
  CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
  CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
  CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
  qemu-xen-enable-spice-support.patch
  qemu-xen-upstream-qdisk-cache-unsafe.patch
  tigervnc-long-press.patch
- bsc#964452 - VUL-0: CVE-2013-4534: xen: openpic: buffer overrun on incoming migration
OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=408
---
 ...buffer-overrun-on-incoming-migration.patch | 56 +++++
 ...itize-bits_per_pixel-from-the-client.patch | 44 ----
 ...ncrementally-decode-websocket-frames.patch | 222 ------------------
 ...HTTP-headers-from-websockets-clients.patch | 53 -----
 CVE-2015-4037-qemuu-smb-config-dir-name.patch | 48 ----
 ...-6855-qemuu-ide-divide-by-zero-issue.patch | 140 ----------
 ...buffer-overflow-in-non-loopback-mode.patch | 30 ---
 ...u-pci-null-pointer-dereference-issue.patch | 53 -----
 ...345-qemuu-eepro100-infinite-loop-fix.patch | 59 -----
 ...u-vnc-avoid-floating-point-exception.patch | 25 --
 ...in-ehci_advance_state-results-in-DoS.patch | 39 ---
 ...id-memory-leakage-in-activate_device.patch | 89 -------
 ...se-info-object-with-appropriate-size.patch | 29 ---
 ...sed-OOB-write-in-hmp_sendkey-routine.patch | 115 ---------
 ...memory-access-in-ioport-rw-functions.patch | 43 ----
 ...-l2-header-validation-leads-to-crash.patch | 69 ------
 ...read-IMR-registers-instead-of-assert.patch | 31 ---
 ...space_rw-leads-to-segmentation-fault.patch | 53 -----
 ...space_rw-leads-to-segmentation-fault.patch | 86 -------
 ...-reset-ncq-object-to-unused-on-error.patch | 45 ----
 ...heck-to-validate-current-entry-value.patch | 48 ----
 ...l-pointer-dereference-in-vapic_write.patch | 61 -----
 ...nite-loops-on-out-of-bounds-transfer.patch | 94 --------
 ...inter-dereference-in-ehci_caps_write.patch | 38 ---
 ...l-pointer-dereference-in-ohci-module.patch | 90 -------
 ...dereference-in-NDIS-message-handling.patch | 27 ---
 ...flow-in-remote-NDIS-message-handling.patch | 55 -----
 ...2000-infinite-loop-in-ne2000_receive.patch | 34 +++
 ioemu-vnc-resize.patch | 2 +-
 ...-disable-disk-cache-flushes-in-qdisk.patch | 32 +--
 qemu-security-etch1.patch | 2 +-
 qemu-xen-dir-remote.tar.bz2 | 3 -
 qemu-xen-enable-spice-support.patch | 12 -
 qemu-xen-upstream-qdisk-cache-unsafe.patch | 52 ----
 tigervnc-long-press.patch | 30 ---
 xen.changes | 43 +++-
 xen.libxl.dmmd.patch | 2 +-
 xen.spec | 217 +++++++----------
 xsa154-fix.patch | 31 ---
 xsa154.patch | 20 +-
 xsa162-qemuu.patch | 37 ---
 41 files changed, 239 insertions(+), 2020 deletions(-)
 create mode 100644
CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch
 delete mode 100644 CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
 delete mode 100644 CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
 delete mode 100644 CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
 delete mode 100644 CVE-2015-4037-qemuu-smb-config-dir-name.patch
 delete mode 100644 CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
 delete mode 100644 CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
 delete mode 100644 CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
 delete mode 100644 CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
 delete mode 100644 CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
 delete mode 100644 CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
 delete mode 100644 CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
 delete mode 100644 CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
 delete mode 100644 CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
 delete mode 100644 CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
 delete mode 100644 CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
 delete mode 100644 CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
 delete mode 100644 CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
 delete mode 100644 CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
 delete mode 100644 CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
 delete mode 100644 CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
 delete mode 100644 CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
 delete mode 100644
CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
 delete mode 100644 CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
 delete mode 100644 CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
 delete mode 100644 CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
 delete mode 100644 CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
 create mode 100644 CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
 delete mode 100644 qemu-xen-dir-remote.tar.bz2
 delete mode 100644 qemu-xen-enable-spice-support.patch
 delete mode 100644 qemu-xen-upstream-qdisk-cache-unsafe.patch
 delete mode 100644 tigervnc-long-press.patch
 delete mode 100644 xsa154-fix.patch
 delete mode 100644 xsa162-qemuu.patch

diff --git a/CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch b/CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch
new file mode 100644
index 0000000..ec9761a
--- /dev/null
+++ b/CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch
@@ -0,0 +1,56 @@
+References: bsc#964452 CVE-2013-4534
+
+Subject: openpic: avoid buffer overrun on incoming migration
+From: Michael Roth mdroth@linux.vnet.ibm.com Mon Apr 28 16:08:17 2014 +0300
+Date: Mon May 5 22:15:03 2014 +0200:
+Git: 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e
+
+CVE-2013-4534
+
+opp->nb_cpus is read from the wire and used to determine how many
+IRQDest elements to read into opp->dst[]. If the value exceeds the
+length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
+data from the wire.
+
+Fix this by failing migration if the value read from the wire exceeds
+MAX_CPU.
+
+Signed-off-by: Michael Roth
+Reviewed-by: Alexander Graf
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Juan Quintela
+
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
+@@ -36,6 +36,7 @@
+ #include "ppc_mac.h"
+ #include "pci.h"
+ #include "openpic.h"
++#include "qemu/qerror.h"
+
+ //#define DEBUG_OPENPIC
+
+@@ -1132,7 +1133,7 @@ static void openpic_load_IRQ_queue(QEMUF
+ static int openpic_load(QEMUFile* f, void *opaque, int version_id)
+ {
+ openpic_t *opp = (openpic_t *)opaque;
+- unsigned int i;
++ unsigned int i, nb_cpus;
+
+ if (version_id != 1)
+ return -EINVAL;
+@@ -1153,7 +1154,11 @@ static int openpic_load(QEMUFile* f, voi
+ qemu_get_sbe32s(f, &opp->src[i].pending);
+ }
+
+- qemu_get_sbe32s(f, &opp->nb_cpus);
++ qemu_get_be32s(f, &nb_cpus);
++ if (opp->nb_cpus != nb_cpus) {
++ return -EINVAL;
++ }
++ assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
+
+ for (i = 0; i < opp->nb_cpus; i++) {
+ qemu_get_be32s(f, &opp->dst[i].tfrr);
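Review bot: The added `#include "qemu/qerror.h"` in the first inner hunk is not referenced by any line the patch introduces, and its `qemu/` directory prefix differs from the bare `"ppc_mac.h"`/`"pci.h"`/`"openpic.h"` includes around it, which suggests the line was carried over from the upstream tree rather than needed here — confirm the header exists under tools/qemu-xen-traditional-dir-remote or drop the include so the backport cannot break the build. The new check in openpic_load would also benefit from a comment saying why a mismatch is rejected outright, since the description only talks about exceeding MAX_CPU: `/* nb_cpus on the wire must match this device instance; the assert then keeps the dst[] loop below inside MAX_CPU */`. `opp->nb_cpus` was previously read with `qemu_get_sbe32s`, so it is presumably a signed field compared here against the unsigned `nb_cpus`; equality is unaffected, but if a zero-CPU device can be instantiated the `assert(nb_cpus > 0 ...)` aborts the destination instead of failing the migration, so `return -EINVAL` may be the safer form. openpic_load's body continues outside the hunk.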
diff --git a/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch b/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
deleted file mode 100644
index b2023ca..0000000
--- a/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-References: bsc#962627 CVE-2014-7815
-
-Subject: vnc: sanitize bits_per_pixel from the client
-From: Petr Matousek pmatouse@redhat.com Mon Oct 27 12:41:44 2014 +0100
-Date: Tue Oct 28 11:51:04 2014 +0100:
-Git: e6908bfe8e07f2b452e78e677da1b45b1c0f6829
-
-bits_per_pixel that are less than 8 could result in accessing
-non-initialized buffers later in the code due to the expectation
-that bytes_per_pixel value that is used to initialize these buffers is
-never zero.
-
-To fix this check that bits_per_pixel from the client is one of the
-values that the rfb protocol specification allows.
-
-This is CVE-2014-7815.
-
-Signed-off-by: Petr Matousek
-
-[ kraxel: apply codestyle fix ]
-
-Signed-off-by: Gerd Hoffmann
-
-Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
-===================================================================
---- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
-+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
-@@ -1643,6 +1643,16 @@ static void set_pixel_format(VncState *v
- return;
- }
-
-+ switch (bits_per_pixel) {
-+ case 8:
-+ case 16:
-+ case 32:
-+ break;
-+ default:
-+ vnc_client_error(vs);
-+ return;
-+ }
-+
- vs->clientds = vs->serverds;
- vs->clientds.pf.rmax = red_max ? red_max : 0xFF;
- count_bits(vs->clientds.pf.rbits, red_max);
diff --git a/CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch b/CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
deleted file mode 100644
index 153cbc3..0000000
--- a/CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
+++ /dev/null
@@ -1,222 +0,0 @@ -References: bsc#962632 CVE-2015-1779 - -Subject: CVE-2015-1779: incrementally decode websocket frames -From: Daniel P. Berrange berrange@redhat.com Mon Mar 23 22:58:21 2015 +0000 -Date: Wed Apr 1 17:11:34 2015 +0200: -Git: a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e - -The logic for decoding websocket frames wants to fully -decode the frame header and payload, before allowing the -VNC server to see any of the payload data. There is no -size limit on websocket payloads, so this allows a -malicious network client to consume 2^64 bytes in memory -in QEMU. It can trigger this denial of service before -the VNC server even performs any authentication. - -The fix is to decode the header, and then incrementally -decode the payload data as it is needed. With this fix -the websocket decoder will allow at most 4k of data to -be buffered before decoding and processing payload. - -Signed-off-by: Daniel P. Berrange -Signed-off-by: Gerd Hoffmann - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c -@@ -115,7 +115,7 @@ long vnc_client_read_ws(VncState *vs) - { - int ret, err; - uint8_t *payload; -- size_t payload_size, frame_size; -+ size_t payload_size, header_size; - VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer, - vs->ws_input.capacity, vs->ws_input.offset); - buffer_reserve(&vs->ws_input, 4096); -@@ -125,18 +125,39 @@ long vnc_client_read_ws(VncState *vs) - } - vs->ws_input.offset += ret; - -- /* make sure that nothing is left in the ws_input buffer */ -+ ret = 0; -+ /* consume as much of ws_input buffer as possible */ - do { -- err = vncws_decode_frame(&vs->ws_input, &payload, -- &payload_size, &frame_size); -- if (err <= 0) { -- return err; -+ if (vs->ws_payload_remain == 0) { -+ err = vncws_decode_frame_header(&vs->ws_input, 
-+ &header_size, -+ &vs->ws_payload_remain, -+ &vs->ws_payload_mask); -+ if (err <= 0) { -+ return err; -+ } -+ -+ buffer_advance(&vs->ws_input, header_size); - } -+ if (vs->ws_payload_remain != 0) { -+ err = vncws_decode_frame_payload(&vs->ws_input, -+ &vs->ws_payload_remain, -+ &vs->ws_payload_mask, -+ &payload, -+ &payload_size); -+ if (err < 0) { -+ return err; -+ } -+ if (err == 0) { -+ return ret; -+ } -+ ret += err; - -- buffer_reserve(&vs->input, payload_size); -- buffer_append(&vs->input, payload, payload_size); -+ buffer_reserve(&vs->input, payload_size); -+ buffer_append(&vs->input, payload, payload_size); - -- buffer_advance(&vs->ws_input, frame_size); -+ buffer_advance(&vs->ws_input, payload_size); -+ } - } while (vs->ws_input.offset > 0); - - return ret; -@@ -274,15 +295,14 @@ void vncws_encode_frame(Buffer *output, - buffer_append(output, payload, payload_size); - } - --int vncws_decode_frame(Buffer *input, uint8_t **payload, -- size_t *payload_size, size_t *frame_size) -+int vncws_decode_frame_header(Buffer *input, -+ size_t *header_size, -+ size_t *payload_remain, -+ WsMask *payload_mask) - { - unsigned char opcode = 0, fin = 0, has_mask = 0; -- size_t header_size = 0; -- uint32_t *payload32; -+ size_t payload_len; - WsHeader *header = (WsHeader *)input->buffer; -- WsMask mask; -- int i; - - if (input->offset < WS_HEAD_MIN_LEN + 4) { - /* header not complete */ -@@ -292,7 +312,7 @@ int vncws_decode_frame(Buffer *input, ui - fin = (header->b0 & 0x80) >> 7; - opcode = header->b0 & 0x0f; - has_mask = (header->b1 & 0x80) >> 7; -- *payload_size = header->b1 & 0x7f; -+ payload_len = header->b1 & 0x7f; - - if (opcode == WS_OPCODE_CLOSE) { - /* disconnect */ -@@ -309,40 +329,57 @@ int vncws_decode_frame(Buffer *input, ui - return -2; - } - -- if (*payload_size < 126) { -- header_size = 6; -- mask = header->u.m; -- } else if (*payload_size == 126 && input->offset >= 8) { -- *payload_size = be16_to_cpu(header->u.s16.l16); -- header_size = 8; -- mask = 
header->u.s16.m16; -- } else if (*payload_size == 127 && input->offset >= 14) { -- *payload_size = be64_to_cpu(header->u.s64.l64); -- header_size = 14; -- mask = header->u.s64.m64; -+ if (payload_len < 126) { -+ *payload_remain = payload_len; -+ *header_size = 6; -+ *payload_mask = header->u.m; -+ } else if (payload_len == 126 && input->offset >= 8) { -+ *payload_remain = be16_to_cpu(header->u.s16.l16); -+ *header_size = 8; -+ *payload_mask = header->u.s16.m16; -+ } else if (payload_len == 127 && input->offset >= 14) { -+ *payload_remain = be64_to_cpu(header->u.s64.l64); -+ *header_size = 14; -+ *payload_mask = header->u.s64.m64; - } else { - /* header not complete */ - return 0; - } - -- *frame_size = header_size + *payload_size; -+ return 1; -+} - -- if (input->offset < *frame_size) { -- /* frame not complete */ -+int vncws_decode_frame_payload(Buffer *input, -+ size_t *payload_remain, WsMask *payload_mask, -+ uint8_t **payload, size_t *payload_size) -+{ -+ size_t i; -+ uint32_t *payload32; -+ -+ *payload = input->buffer; -+ /* If we aren't at the end of the payload, then drop -+ * off the last bytes, so we're always multiple of 4 -+ * for purpose of unmasking, except at end of payload -+ */ -+ if (input->offset < *payload_remain) { -+ *payload_size = input->offset - (input->offset % 4); -+ } else { -+ *payload_size = *payload_remain; -+ } -+ if (*payload_size == 0) { - return 0; - } -- -- *payload = input->buffer + header_size; -+ *payload_remain -= *payload_size; - - /* unmask frame */ - /* process 1 frame (32 bit op) */ - payload32 = (uint32_t *)(*payload); - for (i = 0; i < *payload_size / 4; i++) { -- payload32[i] ^= mask.u; -+ payload32[i] ^= payload_mask->u; - } - /* process the remaining bytes (if any) */ - for (i *= 4; i < *payload_size; i++) { -- (*payload)[i] ^= mask.c[i % 4]; -+ (*payload)[i] ^= payload_mask->c[i % 4]; - } - - return 1; -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.h 
-=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.h -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.h -@@ -83,7 +83,12 @@ long vnc_client_read_ws(VncState *vs); - void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size); - void vncws_encode_frame(Buffer *output, const void *payload, - const size_t payload_size); --int vncws_decode_frame(Buffer *input, uint8_t **payload, -- size_t *payload_size, size_t *frame_size); -+int vncws_decode_frame_header(Buffer *input, -+ size_t *header_size, -+ size_t *payload_remain, -+ WsMask *payload_mask); -+int vncws_decode_frame_payload(Buffer *input, -+ size_t *payload_remain, WsMask *payload_mask, -+ uint8_t **payload, size_t *payload_size); - - #endif /* __QEMU_UI_VNC_WS_H */ -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.h -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.h -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.h -@@ -302,6 +302,8 @@ struct VncState - #ifdef CONFIG_VNC_WS - Buffer ws_input; - Buffer ws_output; -+ size_t ws_payload_remain; -+ WsMask ws_payload_mask; - #endif - /* current output mode information */ - VncWritePixels *write_pixels; diff --git a/CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch b/CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch deleted file mode 100644 index 9b67a1f..0000000 --- a/CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch +++ /dev/null 
@@ -1,53 +0,0 @@
-References: bsc#962632 CVE-2015-1779
-
-Subject: CVE-2015-1779: limit size of HTTP headers from websockets clients
-From: Daniel P. Berrange berrange@redhat.com Mon Mar 23 22:58:22 2015 +0000
-Date: Wed Apr 1 17:12:55 2015 +0200:
-Git: 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41
-
-The VNC server websockets decoder will read and buffer data from
-websockets clients until it sees the end of the HTTP headers,
-as indicated by \r\n\r\n. In theory this allows a malicious to
-trick QEMU into consuming an arbitrary amount of RAM. In practice,
-because QEMU runs g_strstr_len() across the buffered header data,
-it will spend increasingly long burning CPU time searching for
-the substring match and less & less time reading data. So while
-this does cause arbitrary memory growth, the bigger problem is
-that QEMU will be burning 100% of available CPU time.
-
-A novnc websockets client typically sends headers of around
-512 bytes in length. As such it is reasonable to place a 4096
-byte limit on the amount of data buffered while searching for
-the end of HTTP headers.
-
-Signed-off-by: Daniel P. Berrange
-Signed-off-by: Gerd Hoffmann
-
-Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c
-===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.c
-+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c
-@@ -89,8 +89,11 @@ void vncws_handshake_read(void *opaque)
- VncState *vs = opaque;
- uint8_t *handshake_end;
- long ret;
-- buffer_reserve(&vs->ws_input, 4096);
-- ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096);
-+ /* Typical HTTP headers from novnc are 512 bytes, so limiting
-+ * total header size to 4096 is easily enough.
*/
-+ size_t want = 4096 - vs->ws_input.offset;
-+ buffer_reserve(&vs->ws_input, want);
-+ ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want);
-
- if (!ret) {
- if (vs->csock == -1) {
-@@ -107,6 +110,9 @@ void vncws_handshake_read(void *opaque)
- vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset);
- buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer +
- strlen(WS_HANDSHAKE_END));
-+ } else if (vs->ws_input.offset >= 4096) {
-+ VNC_DEBUG("End of headers not found in first 4096 bytes\n");
-+ vnc_client_error(vs);
- }
- }
-
diff --git a/CVE-2015-4037-qemuu-smb-config-dir-name.patch b/CVE-2015-4037-qemuu-smb-config-dir-name.patch
deleted file mode 100644
index d1b9620..0000000
--- a/CVE-2015-4037-qemuu-smb-config-dir-name.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-References: bsc#932267
-
-Subject: slirp: use less predictable directory name in /tmp for smb config (CVE-2015-4037)
-From: Michael Tokarev mjt@tls.msk.ru Thu May 28 14:12:26 2015 +0300
-Date: Wed Jun 3 14:21:45 2015 +0300:
-Git: 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
-
-In this version I used mkdtemp(3) which is:
-
- _BSD_SOURCE
- || /* Since glibc 2.10: */
- (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
-
-(POSIX.1-2008), so should be available on systems we care about.
-
-While at it, reset the resulting directory name within smb structure
-on error so cleanup function wont try to remove directory which we
-failed to create.
-
-Signed-off-by: Michael Tokarev
-Reviewed-by: Markus Armbruster
-
-Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/net/slirp.c
-===================================================================
---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/net/slirp.c
-+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/net/slirp.c
-@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState
- static int slirp_smb(SlirpState* s, const char *exported_dir,
- struct in_addr vserver_addr)
- {
-- static int instance;
- char smb_conf[128];
- char smb_cmdline[128];
- struct passwd *passwd;
-@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, cons
- return -1;
- }
-
-- snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
-- (long)getpid(), instance++);
-- if (mkdir(s->smb_dir, 0700) < 0) {
-+ snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
-+ if (!mkdtemp(s->smb_dir)) {
- error_report("could not create samba server dir '%s'", s->smb_dir);
-+ s->smb_dir[0] = 0;
- return -1;
- }
- snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");
diff --git a/CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch b/CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
deleted file mode 100644
index ffa1906..0000000
--- a/CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
+++ /dev/null
@@ -1,140 +0,0 @@ -References: bsc#965156 CVE-2015-6855 - -Subject: ide: fix ATAPI command permissions -From: John Snow jsnow@redhat.com Thu Sep 17 14:17:05 2015 -0400 -Date: Fri Sep 18 10:58:56 2015 -0400: -Git: d9033e1d3aa666c5071580617a57bd853c5d794a - -We're a little too lenient with what we'll let an ATAPI drive handle. -Clamp down on the IDE command execution table to remove CD_OK permissions -from commands that are not and have never been ATAPI commands. - -For ATAPI command validity, please see: -- ATA4 Section 6.5 ("PACKET Command feature set") -- ATA8/ACS Section 4.3 ("The PACKET feature set") -- ACS3 Section 4.3 ("The PACKET feature set") - -ACS3 has a historical command validity table in Table B.4 -("Historical Command Assignments") that can be referenced to find when -a command was introduced, deprecated, obsoleted, etc. - -The only reference for ATAPI command validity is by checking that -version's PACKET feature set section. - -ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4 -therefore are assumed to have never been ATAPI commands. - -Mandatory commands, as listed in ATA8-ACS3, are: - -- DEVICE RESET -- EXECUTE DEVICE DIAGNOSTIC -- IDENTIFY DEVICE -- IDENTIFY PACKET DEVICE -- NOP -- PACKET -- READ SECTOR(S) -- SET FEATURES - -Optional commands as listed in ATA8-ACS3, are: - -- FLUSH CACHE -- READ LOG DMA EXT -- READ LOG EXT -- WRITE LOG DMA EXT -- WRITE LOG EXT - -All other commands are illegal to send to an ATAPI device and should -be rejected by the device. - -CD_OK removal justifications: - -0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI. -0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4. -0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI. -0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI. -0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI. -0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI. -0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. 
Did not coexist with ATAPI. -0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI. -0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3. -0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3. -0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3. -0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS. - -This patch fixes a divide by zero fault that can be caused by sending -the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to -attempt to use zeroed CHS values to perform sector arithmetic. - -Reported-by: Qinghao Tang -Signed-off-by: John Snow -Reviewed-by: Markus Armbruster -Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com -CC: qemu-stable@nongnu.org - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c -@@ -1739,11 +1739,11 @@ static const struct { - } ide_cmd_table[0x100] = { - /* NOP not implemented, mandatory for CD */ - [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK }, -- [WIN_DSM] = { cmd_data_set_management, ALL_OK }, -+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK }, - [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK }, - [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC}, - [WIN_READ] = { cmd_read_pio, ALL_OK }, -- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK }, -+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK }, - [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK }, - [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK }, - [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, -@@ -1762,12 +1762,12 @@ static const struct { - [CFA_TRANSLATE_SECTOR] = { 
cmd_cfa_translate_sector, CFA_OK }, - [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK }, - [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC }, -- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK }, -- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK }, -- [WIN_STANDBY2] = { cmd_nop, ALL_OK }, -- [WIN_SETIDLE2] = { cmd_nop, ALL_OK }, -- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC }, -- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK }, -+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, -+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK }, - [WIN_PACKETCMD] = { cmd_packet, CD_OK }, - [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK }, - [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC }, -@@ -1781,19 +1781,19 @@ static const struct { - [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK }, - [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK }, - [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK }, -- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK }, -- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK }, -- [WIN_STANDBY] = { cmd_nop, ALL_OK }, -- [WIN_SETIDLE1] = { cmd_nop, ALL_OK }, -- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC }, -- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK }, -+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK }, -+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK }, -+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK }, -+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK }, -+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, -+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK }, - [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK }, - [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK }, - [WIN_IDENTIFY] = { cmd_identify, ALL_OK }, - [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC }, - [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC }, - [CFA_WEAR_LEVEL] = { 
cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
-- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
-+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
- };
-
- static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
diff --git a/CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch b/CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
deleted file mode 100644
index 6ffd9ae..0000000
--- a/CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-References: bsc#962360 CVE-2015-7512
-
-Backends could provide a packet whose length is greater than buffer
-size. Check for this and truncate the packet to avoid rx buffer
-overflow in this case.
-
-Cc: Prasad J Pandit
-Cc: address@hidden
-Signed-off-by: Jason Wang
----
- hw/net/pcnet.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
-===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/pcnet.c
-+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
-@@ -1086,6 +1086,12 @@ ssize_t pcnet_receive(NetClientState *nc
- int pktcount = 0;
-
- if (!s->looptest) {
-+ if (size > 4092) {
-+#ifdef PCNET_DEBUG_RMD
-+ fprintf(stderr, "pcnet: truncates rx packet.\n");
-+#endif
-+ size = 4092;
-+ }
- memcpy(src, buf, size);
- /* no need to compute the CRC */
- src[size] = 0;
diff --git a/CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch b/CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
deleted file mode 100644
index 307fa68..0000000
--- a/CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -References: bsc#958918 CVE-2015-7549 - -Subject: msix: implement pba write (but read-only) -From: Marc-André Lureau marcandre.lureau@redhat.com Fri Jun 26 14:25:29 2015 +0200 -Date: Sat Oct 24 18:03:18 2015 +0200: -Git: 43b11a91dd861a946b231b89b7542856ade23d1b - -qpci_msix_pending() writes on pba region, causing qemu to SEGV: - - Program received signal SIGSEGV, Segmentation fault. - [Switching to Thread 0x7ffff7fba8c0 (LWP 25882)] - 0x0000000000000000 in ?? () - (gdb) bt - #0 0x0000000000000000 in () - #1 0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434 - #2 0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e , mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506 - #3 0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) 
at /home/elmarco/src/qemu/memory.c:1176 - #4 0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 , addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439 - #5 0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534 - #6 0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80 - #7 0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378 - #8 0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569 - #9 0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581 - #10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306 - #11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876 - #12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122 - -(without this patch, this can be reproduced with the ivshmem qtest) - -Implement an empty mmio write to avoid the crash. 
-
-Signed-off-by: Marc-André Lureau
-Reviewed-by: Paolo Bonzini
-
-Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/pci/msix.c
-===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/pci/msix.c
-+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/pci/msix.c
-@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void
- return pci_get_long(dev->msix_pba + addr);
- }
-
-+static void msix_pba_mmio_write(void *opaque, hwaddr addr,
-+ uint64_t val, unsigned size)
-+{
-+}
-+
- static const MemoryRegionOps msix_pba_mmio_ops = {
- .read = msix_pba_mmio_read,
-+ .write = msix_pba_mmio_write,
- .endianness = DEVICE_LITTLE_ENDIAN,
- .valid = {
- .min_access_size = 4,
diff --git a/CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch b/CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
deleted file mode 100644
index 969899d..0000000
--- a/CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
+++ /dev/null
@@ -1,59 +0,0 @@ -References: bsc#956832 CVE-2015-8345 - -Subject: eepro100: Prevent two endless loops -From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100 -Date: Fri Nov 27 10:39:55 2015 +0800: -Git: 00837731d254908a841d69298a4f9f077babaf24 - -http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html -shows an example how an endless loop in function action_command can -be achieved. - -During my code review, I noticed a 2nd case which can result in an -endless loop. - -Reported-by: Qinghao Tang -Signed-off-by: Stefan Weil -Signed-off-by: Jason Wang - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/eepro100.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c -@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s) - #if 0 - uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); - #endif -+ if (tx_buffer_size == 0) { -+ /* Prevent an endless loop. */ -+ logout("loop in %s:%u\n", __FILE__, __LINE__); -+ break; -+ } - tbd_address += 8; - TRACE(RXTX, logout - ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n", -@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100S - - static void action_command(EEPRO100State *s) - { -+ /* The loop below won't stop if it gets special handcrafted data. -+ Therefore we limit the number of iterations. */ -+ unsigned max_loop_count = 16; -+ - for (;;) { - bool bit_el; - bool bit_s; -@@ -870,6 +879,13 @@ static void action_command(EEPRO100State - #if 0 - bool bit_sf = ((s->tx.command & COMMAND_SF) != 0); - #endif -+ -+ if (max_loop_count-- == 0) { -+ /* Prevent an endless loop. */ -+ logout("loop in %s:%u\n", __FILE__, __LINE__); -+ break; -+ } -+ - s->cu_offset = s->tx.link; - TRACE(OTHER, - logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n", 
diff --git a/CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch b/CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch deleted file mode 100644 index e587283..0000000 --- a/CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch +++ /dev/null @@ -1,25 +0,0 @@ -References: bsc#958493 CVE-2015-8504 - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.c -@@ -2036,15 +2036,15 @@ static void set_pixel_format(VncState *v - return; - } - -- vs->client_pf.rmax = red_max; -+ vs->client_pf.rmax = red_max ? red_max : 0xFF; - vs->client_pf.rbits = hweight_long(red_max); - vs->client_pf.rshift = red_shift; - vs->client_pf.rmask = red_max << red_shift; -- vs->client_pf.gmax = green_max; -+ vs->client_pf.gmax = green_max ? green_max : 0xFF; - vs->client_pf.gbits = hweight_long(green_max); - vs->client_pf.gshift = green_shift; - vs->client_pf.gmask = green_max << green_shift; -- vs->client_pf.bmax = blue_max; -+ vs->client_pf.bmax = blue_max ? blue_max : 0xFF; - vs->client_pf.bbits = hweight_long(blue_max); - vs->client_pf.bshift = blue_shift; - vs->client_pf.bmask = blue_max << blue_shift; diff --git a/CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch b/CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch deleted file mode 100644 index 87bdd14..0000000 --- a/CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -References: bsc#959006 CVE-2015-8558 - -Make ehci_process_itd return an error in case we didn't do any actual -iso transfer because we've found no active transaction. That'll avoid -ehci happily run in circles forever if the guest builds a loop out of -idts. - -Reported-by: Qinghao Tang -Tested-by: P J P -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ehci.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c -@@ -1395,7 +1395,7 @@ static int ehci_process_itd(EHCIState *e - { - USBDevice *dev; - USBEndpoint *ep; -- uint32_t i, len, pid, dir, devaddr, endp; -+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; - uint32_t pg, off, ptr1, ptr2, max, mult; - - ehci->periodic_sched_active = PERIODIC_ACTIVE; -@@ -1485,9 +1485,10 @@ static int ehci_process_itd(EHCIState *e - ehci_raise_irq(ehci, USBSTS_INT); - } - itd->transact[i] &= ~ITD_XACT_ACTIVE; -+ xfers++; - } - } -- return 0; -+ return xfers ? 0 : -1; - } - - diff --git a/CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch b/CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch deleted file mode 100644 index 40fb469..0000000 --- a/CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -References: bsc#959386 CVE-2015-8568 - -From 3ef66b01874fcc2fe3bfc73d2b61ee3a5b29fdb6 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Tue, 15 Dec 2015 12:17:28 +0530 -Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device - -Vmxnet3 device emulator does not check if the device is active -before activating it, also it did not free the transmit & receive -buffers while deactivating the device, thus resulting in memory -leakage on the host. This patch fixes both these issues to avoid -host memory leakage. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit ---- -hw/net/vmxnet3.c | 24 ++++++++++++++++-------- -1 file changed, 16 insertions(+), 8 deletions(-) - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -@@ -1135,8 +1135,13 @@ static void vmxnet3_reset_mac(VMXNET3Sta - - static void vmxnet3_deactivate_device(VMXNET3State *s) - { -- VMW_CBPRN("Deactivating vmxnet3..."); -- s->device_active = false; -+ if (s->device_active) { -+ VMW_CBPRN("Deactivating vmxnet3..."); -+ vmxnet_tx_pkt_reset(s->tx_pkt); -+ vmxnet_tx_pkt_uninit(s->tx_pkt); -+ vmxnet_rx_pkt_uninit(s->rx_pkt); -+ s->device_active = false; -+ } - } - - static void vmxnet3_reset(VMXNET3State *s) -@@ -1145,7 +1150,6 @@ static void vmxnet3_reset(VMXNET3State * - - vmxnet3_deactivate_device(s); - vmxnet3_reset_interrupt_states(s); -- vmxnet_tx_pkt_reset(s->tx_pkt); - s->drv_shmem = 0; - s->tx_sop = true; - s->skip_current_tx_pkt = false; -@@ -1368,6 +1372,12 @@ static void vmxnet3_activate_device(VMXN - return; - } - -+ /* Verify if device is active */ -+ if (s->device_active) { -+ VMW_CFPRN("Vmxnet3 device is active"); -+ return; -+ } -+ - vmxnet3_adjust_by_guest_type(s); - vmxnet3_update_features(s); - vmxnet3_update_pm_state(s); -@@ 
-1564,7 +1574,7 @@ static void vmxnet3_handle_command(VMXNE - break; - - case VMXNET3_CMD_QUIESCE_DEV: -- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); -+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); - vmxnet3_deactivate_device(s); - break; - -@@ -1669,7 +1679,7 @@ vmxnet3_io_bar1_write(void *opaque, - * shared address only after we get the high part - */ - if (val == 0) { -- s->device_active = false; -+ vmxnet3_deactivate_device(s); - } - s->temp_shared_guest_driver_memory = val; - s->drv_shmem = 0; -@@ -1956,9 +1966,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VM - static void vmxnet3_net_uninit(VMXNET3State *s) - { - g_free(s->mcast_list); -- vmxnet_tx_pkt_reset(s->tx_pkt); -- vmxnet_tx_pkt_uninit(s->tx_pkt); -- vmxnet_rx_pkt_uninit(s->rx_pkt); -+ vmxnet3_deactivate_device(s); - qemu_del_nic(s->nic); - } - diff --git a/CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch b/CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch deleted file mode 100644 index ea03b0c..0000000 --- a/CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Reference: bsc#961358 CVE-2015-8613 - -From: Prasad J Pandit -Date: Mon, 21 Dec 2015 14:48:18 +0530 -Subject: [PATCH] scsi: initialise info object with appropriate size - -While processing controller 'CTRL_GET_INFO' command, the routine -'megasas_ctrl_get_info' overflows the '&info' object size. Use its -appropriate size to null initialise it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit ---- - hw/scsi/megasas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/megasas.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c -@@ -721,7 +721,7 @@ static int megasas_ctrl_get_info(Megasas - BusChild *kid; - int num_pd_disks = 0; - -- memset(&info, 0x0, cmd->iov_size); -+ memset(&info, 0x0, dcmd_size); - if (cmd->iov_size < dcmd_size) { - trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, - dcmd_size); diff --git a/CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch b/CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch deleted file mode 100644 index 07402d3..0000000 --- a/CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -References: bsc#965269 CVE-2015-8619 - -Subject: hmp: fix sendkey out of bounds write (CVE-2015-8619) -From: Wolfgang Bumiller w.bumiller@proxmox.com Wed Jan 13 09:09:58 2016 +0100 -Date: Wed Feb 3 10:13:06 2016 +0100: -Git: 64ffbe04eaafebf4045a3ace52a360c14959d196 - -When processing 'sendkey' command, hmp_sendkey routine null -terminates the 'keyname_buf' array. This results in an OOB -write issue, if 'keyname_len' was to fall outside of -'keyname_buf' array. - -Since the keyname's length is known the keyname_buf can be -removed altogether by adding a length parameter to -index_from_key() and using it for the error output as well. - -Reported-by: Ling Liu -Signed-off-by: Wolfgang Bumiller -Message-Id: <20160113080958.GA18934@olga> -[Comparison with "<" dumbed down, test for junk after strtoul() -tweaked] -Signed-off-by: Markus Armbruster - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hmp.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c -@@ -1478,21 +1478,18 @@ void hmp_send_key(Monitor *mon, const QD - int has_hold_time = qdict_haskey(qdict, "hold-time"); - int hold_time = qdict_get_try_int(qdict, "hold-time", -1); - Error *err = NULL; -- char keyname_buf[16]; - char *separator; - int keyname_len; - - while (1) { - separator = strchr(keys, '-'); - keyname_len = separator ? 
separator - keys : strlen(keys); -- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); - - /* Be compatible with old interface, convert user inputted "<" */ -- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { -- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); -+ if (keys[0] == '<' && keyname_len == 1) { -+ keys = "less"; - keyname_len = 4; - } -- keyname_buf[keyname_len] = 0; - - keylist = g_malloc0(sizeof(*keylist)); - keylist->value = g_malloc0(sizeof(*keylist->value)); -@@ -1505,16 +1502,17 @@ void hmp_send_key(Monitor *mon, const QD - } - tmp = keylist; - -- if (strstart(keyname_buf, "0x", NULL)) { -+ if (strstart(keys, "0x", NULL)) { - char *endp; -- int value = strtoul(keyname_buf, &endp, 0); -- if (*endp != '\0') { -+ int value = strtoul(keys, &endp, 0); -+ assert(endp <= keys + keyname_len); -+ if (endp != keys + keyname_len) { - goto err_out; - } - keylist->value->kind = KEY_VALUE_KIND_NUMBER; - keylist->value->number = value; - } else { -- int idx = index_from_key(keyname_buf); -+ int idx = index_from_key(keys, keyname_len); - if (idx == Q_KEY_CODE_MAX) { - goto err_out; - } -@@ -1536,7 +1534,7 @@ out: - return; - - err_out: -- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); -+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); - goto out; - } - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/include/ui/console.h -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h -@@ -349,7 +349,7 @@ static inline int vnc_display_pw_expire( - void curses_display_init(DisplayState *ds, int full_screen); - - /* input.c */ --int index_from_key(const char *key); -+int index_from_key(const char *key, size_t key_length); - - /* gtk.c */ - void early_gtk_display_init(void); -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c 
-=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/input-legacy.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c -@@ -60,12 +60,13 @@ static QTAILQ_HEAD(, QEMUPutLEDEntry) le - static QTAILQ_HEAD(, QEMUPutMouseEntry) mouse_handlers = - QTAILQ_HEAD_INITIALIZER(mouse_handlers); - --int index_from_key(const char *key) -+int index_from_key(const char *key, size_t key_length) - { - int i; - - for (i = 0; QKeyCode_lookup[i] != NULL; i++) { -- if (!strcmp(key, QKeyCode_lookup[i])) { -+ if (!strncmp(key, QKeyCode_lookup[i], key_length) && -+ !QKeyCode_lookup[i][key_length]) { - break; - } - } diff --git a/CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch b/CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch deleted file mode 100644 index 0f133b5..0000000 --- a/CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From: Prasad J Pandit - -While doing ioport r/w operations, ne2000 device emulation suffers -from OOB r/w errors. Update respective array bounds check to avoid -OOB access. - -Reported-by: Ling Liu -Signed-off-by: Prasad J Pandit ---- - hw/net/ne2000.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -Updated as per review in - -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04863.html - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/ne2000.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/ne2000.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/ne2000.c -@@ -476,8 +476,9 @@ static inline void ne2000_mem_writel(NE2 - uint32_t val) - { - addr &= ~1; /* XXX: check exact behaviour if not even */ -- if (addr < 32 || -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { -+ if (addr < 32 -+ || (addr >= NE2000_PMEM_START -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { - stl_le_p(s->mem + addr, val); - } - } -@@ -506,8 +507,9 @@ static inline uint32_t ne2000_mem_readw( - static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) - { - addr &= ~1; /* XXX: check exact behaviour if not even */ -- if (addr < 32 || -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { -+ if (addr < 32 -+ || (addr >= NE2000_PMEM_START -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { - return ldl_le_p(s->mem + addr); - } else { - return 0xffffffff; diff --git a/CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch b/CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch deleted file mode 100644 index f91610d..0000000 --- a/CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -Subject: net/vmxnet3: Refine l2 header validation -From: Dana Rubin dana.rubin@ravellosystems.com Tue Aug 18 12:45:55 2015 +0300 -Date: Mon Oct 12 13:19:29 2015 +0800: -Git: a7278b36fcab9af469563bd7b9dadebe2ae25e48 - -Validation of l2 header length assumed minimal packet size as -eth_header + 2 * vlan_header regardless of the actual protocol. - -This caused crash for valid non-IP packets shorter than 22 bytes, as -'tx_pkt->packet_type' hasn't been assigned for such packets, and -'vmxnet3_on_tx_done_update_stats()' expects it to be properly set. - -Refine header length validation in 'vmxnet_tx_pkt_parse_headers'. -Check its return value during packet processing flow. - -As a side effect, in case IPv4 and IPv6 header validation failure, -corrupt packets will be dropped. - -Signed-off-by: Dana Rubin -Signed-off-by: Shmulik Ladkani -Signed-off-by: Jason Wang - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx) - } - - if (txd.eop) { -- if (!s->skip_current_tx_pkt) { -- vmxnet_tx_pkt_parse(s->tx_pkt); -- -+ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) { - if (s->needs_vlan) { - vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci); - } -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c -@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt) - - bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base, - ETH_MAX_L2_HDR_LEN); -- if (bytes_read < 
ETH_MAX_L2_HDR_LEN) { -+ if (bytes_read < sizeof(struct eth_header)) { -+ l2_hdr->iov_len = 0; -+ return false; -+ } -+ -+ l2_hdr->iov_len = sizeof(struct eth_header); -+ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) { -+ case ETH_P_VLAN: -+ l2_hdr->iov_len += sizeof(struct vlan_header); -+ break; -+ case ETH_P_DVLAN: -+ l2_hdr->iov_len += 2 * sizeof(struct vlan_header); -+ break; -+ } -+ -+ if (bytes_read < l2_hdr->iov_len) { - l2_hdr->iov_len = 0; - return false; -- } else { -- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base); - } - - l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len); diff --git a/CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch b/CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch deleted file mode 100644 index 5588454..0000000 --- a/CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -Subject: vmxnet3: Support reading IMR registers on bar0 -From: Shmulik Ladkani shmulik.ladkani@ravellosystems.com Mon Sep 21 17:09:02 2015 +0300 -Date: Mon Oct 12 13:19:29 2015 +0800: -Git: c6048f849c7e3f009786df76206e895a69de032c - -Instead of asserting, return the actual IMR register value. -This is aligned with what's returned on ESXi. - -Signed-off-by: Shmulik Ladkani -Tested-by: Dana Rubin -Signed-off-by: Jason Wang - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c -@@ -1108,9 +1108,13 @@ vmxnet3_io_bar0_write(void *opaque, hwad - static uint64_t - vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size) - { -+ VMXNET3State *s = opaque; -+ - if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR, - VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) { -- g_assert_not_reached(); -+ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR, -+ VMXNET3_REG_ALIGN); -+ return s->interrupt_states[l].is_masked; - } - - VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size); diff --git a/CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch b/CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch deleted file mode 100644 index 8399338..0000000 --- a/CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -References: bsc#969125 CVE-2015-8817 - -Subject: exec: Respect as_translate_internal length clamp -From: Peter Crosthwaite peter.crosthwaite@xilinx.com Mon Mar 16 22:35:54 2015 -0700 -Date: Mon Apr 27 18:24:19 2015 +0200: -Git: 23820dbfc79d1c9dce090b4c555994f2bb6a69b3 - -address_space_translate_internal will clamp the *plen length argument -based on the size of the memory region being queried. The iommu walker -logic in addresss_space_translate was ignoring this by discarding the -post fn call value of *plen. Fix by just always using *plen as the -length argument throughout the fn, removing the len local variable. - -This fixes a bootloader bug when a single elf section spans multiple -QEMU memory regions. - -Signed-off-by: Peter Crosthwaite -Message-Id: <1426570554-15940-1-git-send-email-peter.crosthwaite@xilinx.com> -Signed-off-by: Paolo Bonzini - -Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c -=================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/exec.c -+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c -@@ -363,7 +363,6 @@ MemoryRegion *address_space_translate(Ad - IOMMUTLBEntry iotlb; - MemoryRegionSection *section; - MemoryRegion *mr; -- hwaddr len = *plen; - - for (;;) { - section = address_space_translate_internal(as->dispatch, addr, &addr, plen, true); -@@ -376,7 +375,7 @@ MemoryRegion *address_space_translate(Ad - iotlb = mr->iommu_ops->translate(mr, addr, is_write); - addr = ((iotlb.translated_addr & ~iotlb.addr_mask) - | (addr & iotlb.addr_mask)); -- len = MIN(len, (addr | iotlb.addr_mask) - addr + 1); -+ *plen = MIN(*plen, (addr | iotlb.addr_mask) - addr + 1); - if (!(iotlb.perm & (1 << is_write))) { - mr = &io_mem_unassigned; - break; -@@ -387,10 +386,9 @@ MemoryRegion *address_space_translate(Ad - - if (xen_enabled() && memory_access_is_direct(mr, is_write)) { - hwaddr page = ((addr & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE) - addr; -- len = MIN(page, 
len); -+ *plen = MIN(page, *plen); - } - -- *plen = len; - *xlat = addr; - return mr; - } diff --git a/CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch b/CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch deleted file mode 100644 index e746bc9..0000000 --- a/CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -References: bsc#969126 CVE-2015-8818 - -Subject: exec: skip MMIO regions correctly in cpu_physical_memory_write_rom_internal -From: Paolo Bonzini pbonzini@redhat.com Sat Jul 4 00:24:51 2015 +0200 -Date: Mon Jul 6 14:59:11 2015 +0200: -Git: b242e0e0e2969c044a318e56f7988bbd84de1f63 - -Loading the BIOS in the mac99 machine is interesting, because there is a -PROM in the middle of the BIOS region (from 16K to 32K). Before memory -region accesses were clamped, when QEMU was asked to load a BIOS from -0xfff00000 to 0xffffffff it would put even those 16K from the BIOS file -into the region. This is weird because those 16K were not actually -visible between 0xfff04000 and 0xfff07fff. However, it worked. - -After clamping was added, this also worked. In this case, the -cpu_physical_memory_write_rom_internal function split the write in -three parts: the first 16K were copied, the PROM area (second 16K) were -ignored, then the rest was copied. - -Problems then started with commit 965eb2f (exec: do not clamp accesses -to MMIO regions, 2015-06-17). Clamping accesses is not done for MMIO -regions because they can overlap wildly, and MMIO registers can be -expected to perform full-width accesses based only on their address -(with no respect for adjacent registers that could decode to completely -different MemoryRegions). However, this lack of clamping also applied -to the PROM area! cpu_physical_memory_write_rom_internal thus failed -to copy the third range above, i.e. only copied the first 16K of the BIOS. - -In effect, address_space_translate is expecting _something else_ to do -the clamping for MMIO regions if the incoming length is large. This -"something else" is memory_access_size in the case of address_space_rw, -so use the same logic in cpu_physical_memory_write_rom_internal. 
- -Reported-by: Alexander Graf -Reviewed-by: Laurent Vivier -Tested-by: Laurent Vivier -Fixes: 965eb2f -Signed-off-by: Paolo Bonzini - -Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c -=================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/exec.c -+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c -@@ -330,6 +330,7 @@ address_space_translate_internal(Address - hwaddr *plen, bool resolve_subpage) - { - MemoryRegionSection *section; -+ MemoryRegion *mr; - Int128 diff; - - section = address_space_lookup_region(d, addr, resolve_subpage); -@@ -339,8 +340,23 @@ address_space_translate_internal(Address - /* Compute offset within MemoryRegion */ - *xlat = addr + section->offset_within_region; - -- diff = int128_sub(section->mr->size, int128_make64(addr)); -- *plen = int128_get64(int128_min(diff, int128_make64(*plen))); -+ mr = section->mr; -+ -+ /* MMIO registers can be expected to perform full-width accesses based only -+ * on their address, without considering adjacent registers that could -+ * decode to completely different MemoryRegions. When such registers -+ * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO -+ * regions overlap wildly. For this reason we cannot clamp the accesses -+ * here. -+ * -+ * If the length is small (as is the case for address_space_ldl/stl), -+ * everything works fine. If the incoming length is large, however, -+ * the caller really has to do the clamping through memory_access_size. -+ */ -+ if (memory_region_is_ram(mr)) { -+ diff = int128_sub(section->size, int128_make64(addr)); -+ *plen = int128_get64(int128_min(diff, int128_make64(*plen))); -+ } - return section; - } - -@@ -2232,7 +2248,7 @@ static inline void cpu_physical_memory_w - - if (!(memory_region_is_ram(mr) || - memory_region_is_romd(mr))) { -- /* do nothing */ -+ l = memory_access_size(mr, l, addr1); - } else { - addr1 += memory_region_get_ram_addr(mr); - /* ROM/RAM case */ 
diff --git a/CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch b/CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch deleted file mode 100644 index aaa789f..0000000 --- a/CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch +++ /dev/null @@ -1,45 +0,0 @@ -Reference: bsc#961332 CVE-2016-1568 - -From: Prasad J Pandit - -When processing NCQ commands, ACHI device emulation prepares a -NCQ transfer object; To which an aio control block(aiocb) object -is assigned in 'execute_ncq_command'. In case, when the NCQ -command is invalid, the 'aiocb' object is not assigned, and NCQ -transfer object is left as 'used'. This leads to a use after -free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. -Reset NCQ transfer object to 'unused' to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit ---- - hw/ide/ahci.c | 1 + - 1 file changed, 1 insertion(+) - -Update as per review in - -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg01175.html - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/ahci.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/ide/ahci.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/ahci.c -@@ -902,7 +902,10 @@ static void process_ncq_command(AHCIStat - ncq_tfs->lba, ncq_tfs->lba + ncq_tfs->sector_count - 2, - s->dev[port].port.ifs[0].nb_sectors - 1); - -- ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0); -+ if (ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0) == -1) { -+ ncq_tfs->used = 0; -+ return; -+ } - ncq_tfs->tag = tag; - - switch(ncq_fis->command) { -@@ -943,6 +946,7 @@ static void process_ncq_command(AHCIStat - "error: tried to process non-NCQ command as NCQ\n"); - } - qemu_sglist_destroy(&ncq_tfs->sglist); -+ ncq_tfs->used = 0; - } - } - 
diff --git a/CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch b/CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
deleted file mode 100644
index d6817b2..0000000
--- a/CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -Reference: bsc#961692 CVE-2016-1714 - -When processing firmware configurations, an OOB r/w access occurs -if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff). -Add a check to validate 's->cur_entry' to avoid such access. - -Reported-by: Donghai Zdh -Signed-off-by: Prasad J Pandit ---- - hw/nvram/fw_cfg.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -Updated as per review in - -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00398.html - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c -@@ -211,12 +211,15 @@ static void fw_cfg_reboot(FWCfgState *s) - static void fw_cfg_write(FWCfgState *s, uint8_t value) - { - int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); -- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; -+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : -+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; - - trace_fw_cfg_write(s, value); - -- if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback && -- s->cur_offset < e->len) { -+ if (s->cur_entry & FW_CFG_WRITE_CHANNEL -+ && e != NULL -+ && e->callback -+ && s->cur_offset < e->len) { - e->data[s->cur_offset++] = value; - if (s->cur_offset == e->len) { - e->callback(e->callback_opaque, e->data); -@@ -245,7 +248,8 @@ static int fw_cfg_select(FWCfgState *s, - static uint8_t fw_cfg_read(FWCfgState *s) - { - int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); -- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; -+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : -+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; - uint8_t ret; - - if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) 
diff --git a/CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch b/CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
deleted file mode 100644
index dde327a..0000000
--- a/CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
+++ /dev/null
@@ -1,61 +0,0 @@ -References: bsc#962321 CVE-2016-1922 - -Subject: i386: avoid null pointer dereference -From: P J P ppandit@redhat.com Fri Dec 18 11:35:07 2015 +0530 -Date: Fri Jan 15 18:58:01 2016 +0100: -Git: 4c1396cb576c9b14425558b73de1584c7a9735d7 - - Hello, - -A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It -occurs while doing I/O port write operations via hmp interface. In that, -'current_cpu' remains null as it is not called from cpu_exec loop, which -results in the said issue. - -Below is a proposed (tested)patch to fix this issue; Does it look okay? - -=== -From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 18 Dec 2015 11:16:07 +0530 -Subject: [PATCH] i386: avoid null pointer dereference - -When I/O port write operation is called from hmp interface, -'current_cpu' remains null, as it is not called from cpu_exec() -loop. This leads to a null pointer dereference in vapic_write -routine. Add check to avoid it. 
- -Reported-by: Ling Liu -Signed-off-by: Prasad J Pandit -Message-Id: -Signed-off-by: Paolo Bonzini -Signed-off-by: P J P - -Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c -=================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c -+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c -@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState * - static void vapic_write(void *opaque, hwaddr addr, uint64_t data, - unsigned int size) - { -- CPUState *cs = current_cpu; -- X86CPU *cpu = X86_CPU(cs); -- CPUX86State *env = &cpu->env; -- hwaddr rom_paddr; - VAPICROMState *s = opaque; -+ X86CPU *cpu; -+ CPUX86State *env; -+ hwaddr rom_paddr; -+ -+ if (!current_cpu) { -+ return; -+ } - -- cpu_synchronize_state(cs); -+ cpu_synchronize_state(current_cpu); -+ cpu = X86_CPU(current_cpu); -+ env = &cpu->env; - - /* - * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. diff --git a/CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch b/CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch deleted file mode 100644 index bb2d829..0000000 --- a/CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -The start_xmit() and e1000_receive_iov() functions implement DMA transfers -iterating over a set of descriptors that the guest's e1000 driver -prepares: - -- the TDLEN and RDLEN registers store the total size of the descriptor - area, - -- while the TDH and RDH registers store the offset (in whole tx / rx - descriptors) into the area where the transfer is supposed to start. - -Each time a descriptor is processed, the TDH and RDH register is bumped -(as appropriate for the transfer direction). - -QEMU already contains logic to deal with bogus transfers submitted by the -guest: - -- Normally, the transmit case wants to increase TDH from its initial value - to TDT. (TDT is allowed to be numerically smaller than the initial TDH - value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe - that QEMU currently has here is a check against reaching the original - TDH value again -- a complete wraparound, which should never happen. - -- In the receive case RDH is increased from its initial value until - "total_size" bytes have been received; preferably in a single step, or - in "s->rxbuf_size" byte steps, if the latter is smaller. However, null - RX descriptors are skipped without receiving data, while RDH is - incremented just the same. QEMU tries to prevent an infinite loop - (processing only null RX descriptors) by detecting whether RDH assumes - its original value during the loop. (Again, wrapping from RDLEN to 0 is - normal.) - -What both directions miss is that the guest could program TDLEN and RDLEN -so low, and the initial TDH and RDH so high, that these registers will -immediately be truncated to zero, and then never reassume their initial -values in the loop -- a full wraparound will never occur. - -The condition that expresses this is: - - xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) - -i.e., TDH or RDH start out after the last whole rx or tx descriptor that -fits into the TDLEN or RDLEN sized area. 
- -This condition could be checked before we enter the loops, but -pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for -bogus DMA addresses, so we just extend the existing failsafes with the -above condition. - -Cc: "Michael S. Tsirkin" -Cc: Petr Matousek -Cc: Stefano Stabellini -Cc: Prasad Pandit -Cc: Michael Roth -Cc: Jason Wang -RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 -Signed-off-by: Laszlo Ersek -Reviewed-by: Jason Wang ---- - -Notes: - Regarding the public posting: we made an honest effort to vet this - vulnerability, and the impact seems low -- no host side reads/writes, - "just" a DoS (infinite loop). We decided the patch could be posted - publicly, for the usual review process. Jason and Prasad checked the - patch in the internal discussion already, but comments, improvements - etc. are clearly welcome. The CVE request is underway. Thanks. - - hw/net/e1000.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/e1000.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c -@@ -815,7 +815,8 @@ start_xmit(E1000State *s) - * bogus values to TDT/TDLEN. - * there's nothing too intelligent we could do about this. 
- */ -- if (s->mac_reg[TDH] == tdh_start) { -+ if (s->mac_reg[TDH] == tdh_start || -+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { - DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", - tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); - break; -@@ -1059,7 +1060,8 @@ e1000_receive_iov(NetClientState *nc, co - if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) - s->mac_reg[RDH] = 0; - /* see comment in start_xmit; same here */ -- if (s->mac_reg[RDH] == rdh_start) { -+ if (s->mac_reg[RDH] == rdh_start || -+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { - DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", - rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); - set_ics(s, 0, E1000_ICS_RXO); diff --git a/CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch b/CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch deleted file mode 100644 index 0150c8c..0000000 --- a/CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -References: bsc#964415 CVE-2016-2198 - -USB Ehci emulation supports host controller capability registers. -But its mmio '.write' function was missing, which lead to a null -pointer dereference issue. Add a do nothing 'ehci_caps_write' -definition to avoid it; Do nothing because capability registers -are Read Only(RO). - -Reported-by: Zuozhi Fzz -Signed-off-by: Prasad J Pandit ---- - hw/usb/hcd-ehci.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c -@@ -899,6 +899,11 @@ static uint64_t ehci_caps_read(void *ptr - return s->caps[addr]; - } - -+static void ehci_caps_write(void *ptr, hwaddr addr, -+ uint64_t val, unsigned size) -+{ -+} -+ - static uint64_t ehci_opreg_read(void *ptr, hwaddr addr, - unsigned size) - { -@@ -2317,6 +2322,7 @@ static void ehci_frame_timer(void *opaqu - - static const MemoryRegionOps ehci_mmio_caps_ops = { - .read = ehci_caps_read, -+ .write = ehci_caps_write, - .valid.min_access_size = 1, - .valid.max_access_size = 4, - .impl.min_access_size = 1, diff --git a/CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch b/CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch deleted file mode 100644 index d47b659..0000000 --- a/CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -References: bsc#967101 CVE-2016-2391 - -From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Tue, 16 Feb 2016 15:15:04 +0100 -Subject: [PATCH] ohci timer fix - -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ohci.c | 31 +++++-------------------------- - 1 file changed, 5 insertions(+), 26 deletions(-) - -Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c -=================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c -+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c -@@ -1331,16 +1331,6 @@ static void ohci_frame_boundary(void *op - */ - static int ohci_bus_start(OHCIState *ohci) - { -- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, -- ohci_frame_boundary, -- ohci); -- -- if (ohci->eof_timer == NULL) { -- trace_usb_ohci_bus_eof_timer_failed(ohci->name); -- ohci_die(ohci); -- return 0; -- } -- - trace_usb_ohci_start(ohci->name); - - ohci_sof(ohci); -@@ -1352,11 +1342,7 @@ static int ohci_bus_start(OHCIState *ohc - static void ohci_bus_stop(OHCIState *ohci) - { - trace_usb_ohci_stop(ohci->name); -- if (ohci->eof_timer) { -- timer_del(ohci->eof_timer); -- timer_free(ohci->eof_timer); -- } -- ohci->eof_timer = NULL; -+ timer_del(ohci->eof_timer); - } - - /* Sets a flag in a port status register but only set it if the port is -@@ -1881,6 +1867,8 @@ static int usb_ohci_init(OHCIState *ohci - ohci->async_td = 0; - qemu_register_reset(ohci_reset, ohci); - -+ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, -+ ohci_frame_boundary, ohci); - return 0; - } - -@@ -1949,6 +1937,9 @@ static void usb_ohci_exit(PCIDevice *dev - if (!ohci->masterbus) { - usb_bus_release(&s->bus); - } -+ -+ timer_del(s->eof_timer); -+ timer_free(s->eof_timer); - } - - #define TYPE_SYSBUS_OHCI "sysbus-ohci" -@@ -1997,23 +1988,13 @@ static bool ohci_eof_timer_needed(void * - { - OHCIState *ohci = opaque; - -- return 
ohci->eof_timer != NULL; --} -- --static int ohci_eof_timer_pre_load(void *opaque) --{ -- OHCIState *ohci = opaque; -- -- ohci_bus_start(ohci); -- -- return 0; -+ return timer_pending(ohci->eof_timer); - } - - static const VMStateDescription vmstate_ohci_eof_timer = { - .name = "ohci-core/eof-timer", - .version_id = 1, - .minimum_version_id = 1, -- .pre_load = ohci_eof_timer_pre_load, - .fields = (VMStateField[]) { - VMSTATE_TIMER(eof_timer, OHCIState), - VMSTATE_END_OF_LIST() diff --git a/CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch b/CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch deleted file mode 100644 index 04c8ed2..0000000 --- a/CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch +++ /dev/null @@ -1,27 +0,0 @@ -References: bsc#967090 CVE-2016-2392 - -When processing remote NDIS control message packets, the USB Net -device emulator checks to see if the USB configuration descriptor -object is of RNDIS type(2). But it does not check if it is null, -which leads to a null dereference error. Add check to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit ---- - hw/usb/dev-network.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c -=================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c -+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c -@@ -650,7 +650,8 @@ typedef struct USBNetState { - - static int is_rndis(USBNetState *s) - { -- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; -+ return s->dev.config ? -+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; - } - - static int ndis_query(USBNetState *s, uint32_t oid, 
diff --git a/CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch b/CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
deleted file mode 100644
index 2e512fb..0000000
--- a/CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -References: bsc#968004 CVE-2016-2538 - -Subject: usb: check RNDIS buffer offsets & length -From: Prasad J Pandit pjp@fedoraproject.org Wed Feb 17 00:23:41 2016 +0530 -Date: Tue Feb 23 10:38:01 2016 +0100: -Git: fe3c546c5ff2a6210f9a4d8561cc64051ca8603e - -When processing remote NDIS control message packets, -the USB Net device emulator uses a fixed length(4096) data buffer. -The incoming informationBufferOffset & Length combination could -overflow and cross that range. Check control message buffer -offsets and length to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann - -Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c -=================================================================== ---- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c -+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c -@@ -912,8 +912,9 @@ static int rndis_query_response(USBNetSt - - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; - buflen = le32_to_cpu(buf->InformationBufferLength); -- if (bufoffs + buflen > length) -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { - return USB_RET_STALL; -+ } - - infobuflen = ndis_query(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen, infobuf, -@@ -958,8 +959,9 @@ static int rndis_set_response(USBNetStat - - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; - buflen = le32_to_cpu(buf->InformationBufferLength); -- if (bufoffs + buflen > length) -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { - return USB_RET_STALL; -+ } - - ret = ndis_set(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen); -@@ -1209,8 +1211,9 @@ static void usb_net_handle_dataout(USBNe - if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { - uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); - uint32_t 
size = le32_to_cpu(msg->DataLength); -- if (offs + size <= len) -+ if (offs < len && size < len && offs + size <= len) { - qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); -+ } - } - s->out_ptr -= len; - memmove(s->out_buf, &s->out_buf[len], s->out_ptr); diff --git a/CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch b/CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch new file mode 100644 index 0000000..a81b6d3 --- /dev/null +++ b/CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch @@ -0,0 +1,34 @@ +References: bsc#969351 CVE-2016-2841 + +From: Prasad J Pandit + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. Registers PSTART & PSTOP +define ring buffer size & location. Setting these registers +to invalid values could lead to infinite loop or OOB r/w +access issues. Add check to avoid it. + +Reported-by: Yang Hongke +Signed-off-by: Prasad J Pandit +--- + hw/net/ne2000.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Update per review: + -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html + +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c +=================================================================== +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c +@@ -202,6 +202,10 @@ static int ne2000_buffer_full(NE2000Stat + { + int avail, index, boundary; + ++ if (s->stop <= s->start) { ++ return 1; ++ } ++ + index = s->curpag << 8; + boundary = s->boundary << 8; + if (index < boundary) diff --git a/ioemu-vnc-resize.patch b/ioemu-vnc-resize.patch index 43b5fb9..db12ea6 100644 --- a/ioemu-vnc-resize.patch +++ b/ioemu-vnc-resize.patch 
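Review bot: The guard added at the top of `ne2000_buffer_full` in the new CVE-2016-2841 patch file (`if (s->stop <= s->start) { return 1; }`) carries no comment saying why an inverted or empty ring is reported as "full", and the patch's own description is the only place that records the reason. A one-line comment above the check would keep that rationale with the code: `/* PSTART/PSTOP are guest-written; an empty or inverted ring can never drain, so treat it as full to stop the receive loop. */`. The check only orders the two page registers against each other; whether the `curpag`/`boundary`-derived indexes computed just below are also kept inside the ring is decided by code outside this hunk, so that is worth confirming when carrying the patch. The body of `ne2000_buffer_full` continues past the end of the hunk.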
@@ -2,7 +2,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c -@@ -1771,6 +1771,25 @@ static int protocol_client_msg(VncState +@@ -1761,6 +1761,25 @@ static int protocol_client_msg(VncState } set_encodings(vs, (int32_t *)(data + 4), limit); diff --git a/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch b/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch index 9003054..e21c450 100644 --- a/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch +++ b/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch @@ -7,11 +7,11 @@ https://bugzilla.novell.com/show_bug.cgi?id=879425 tools/libxl/libxlu_disk_l.l | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) -Index: xen-4.6.0-testing/tools/libxl/libxl.c +Index: xen-4.6.1-testing/tools/libxl/libxl.c =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxl.c -+++ xen-4.6.0-testing/tools/libxl/libxl.c -@@ -2829,6 +2829,8 @@ static void device_disk_add(libxl__egc * +--- xen-4.6.1-testing.orig/tools/libxl/libxl.c ++++ xen-4.6.1-testing/tools/libxl/libxl.c +@@ -2833,6 +2833,8 @@ static void device_disk_add(libxl__egc * flexarray_append_pair(back, "discard-enable", libxl_defbool_val(disk->discard_enable) ? "1" : "0"); 
@@ -20,10 +20,10 @@ Index: xen-4.6.0-testing/tools/libxl/libxl.c flexarray_append(front, "backend-id"); flexarray_append(front, libxl__sprintf(gc, "%d", disk->backend_domid)); -Index: xen-4.6.0-testing/tools/libxl/libxl.h +Index: xen-4.6.1-testing/tools/libxl/libxl.h =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxl.h -+++ xen-4.6.0-testing/tools/libxl/libxl.h +--- xen-4.6.1-testing.orig/tools/libxl/libxl.h ++++ xen-4.6.1-testing/tools/libxl/libxl.h @@ -205,6 +205,18 @@ #define LIBXL_HAVE_BUILDINFO_ARM_GIC_VERSION 1 @@ -43,10 +43,10 @@ Index: xen-4.6.0-testing/tools/libxl/libxl.h * libxl ABI compatibility * * The only guarantee which libxl makes regarding ABI compatibility -Index: xen-4.6.0-testing/tools/libxl/libxlu_disk.c +Index: xen-4.6.1-testing/tools/libxl/libxlu_disk.c =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk.c -+++ xen-4.6.0-testing/tools/libxl/libxlu_disk.c +--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk.c ++++ xen-4.6.1-testing/tools/libxl/libxlu_disk.c @@ -79,6 +79,8 @@ int xlu_disk_parse(XLU_Config *cfg, if (!disk->pdev_path || !strcmp(disk->pdev_path, "")) disk->format = LIBXL_DISK_FORMAT_EMPTY; @@ -56,10 +56,10 @@ Index: xen-4.6.0-testing/tools/libxl/libxlu_disk.c if (!disk->vdev) { xlu__disk_err(&dpc,0, "no vdev specified"); -Index: xen-4.6.0-testing/tools/libxl/libxlu_disk_i.h +Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_i.h =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk_i.h -+++ xen-4.6.0-testing/tools/libxl/libxlu_disk_i.h +--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_i.h ++++ xen-4.6.1-testing/tools/libxl/libxlu_disk_i.h @@ -10,7 +10,7 @@ typedef struct { void *scanner; YY_BUFFER_STATE buf; 
@@ -69,10 +69,10 @@ Index: xen-4.6.0-testing/tools/libxl/libxlu_disk_i.h const char *spec; } DiskParseContext; -Index: xen-4.6.0-testing/tools/libxl/libxlu_disk_l.l +Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk_l.l -+++ xen-4.6.0-testing/tools/libxl/libxlu_disk_l.l +--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_l.l ++++ xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l @@ -176,6 +176,7 @@ script=[^,]*,? { STRIP(','); SAVESTRING( direct-io-safe,? { DPC->disk->direct_io_safe = 1; } discard,? { libxl_defbool_set(&DPC->disk->discard_enable, true); } diff --git a/qemu-security-etch1.patch b/qemu-security-etch1.patch index bcfb352..ec2cfd1 100644 --- a/qemu-security-etch1.patch +++ b/qemu-security-etch1.patch @@ -2,7 +2,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c -@@ -218,7 +218,7 @@ static int ne2000_can_receive(void *opaq +@@ -222,7 +222,7 @@ static int ne2000_can_receive(void *opaq NE2000State *s = opaque; if (s->cmd & E8390_STOP) diff --git a/qemu-xen-dir-remote.tar.bz2 b/qemu-xen-dir-remote.tar.bz2 deleted file mode 100644 index 8121ee6..0000000 --- a/qemu-xen-dir-remote.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:00730e1f13bb4780e2f9e6e6dae3438558405e47e19d3843f22476be676fb86c -size 8995705 diff --git a/qemu-xen-enable-spice-support.patch b/qemu-xen-enable-spice-support.patch deleted file mode 100644 index eda7170..0000000 --- a/qemu-xen-enable-spice-support.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -Index: xen-4.6.0-testing/tools/Makefile -=================================================================== ---- xen-4.6.0-testing.orig/tools/Makefile -+++ xen-4.6.0-testing/tools/Makefile -@@ -259,6 +259,7 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-fi - --datadir=$(SHAREDIR)/qemu-xen \ - --localstatedir=$(localstatedir) \ - --disable-kvm \ -+ $(QEMU_XEN_ENABLE_SPICE) \ - --disable-docs \ - --disable-guest-agent \ - --python=$(PYTHON) \ diff --git a/qemu-xen-upstream-qdisk-cache-unsafe.patch b/qemu-xen-upstream-qdisk-cache-unsafe.patch deleted file mode 100644 index 414455b..0000000 --- a/qemu-xen-upstream-qdisk-cache-unsafe.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -https://bugzilla.novell.com/show_bug.cgi?id=879425 ---- - tools/qemu-xen-dir-remote/hw/block/xen_disk.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/block/xen_disk.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/block/xen_disk.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/block/xen_disk.c -@@ -121,6 +121,7 @@ struct XenBlkDev { - int requests_inflight; - int requests_finished; - -+ gboolean cache_unsafe; - /* Persistent grants extension */ - gboolean feature_discard; - gboolean feature_persistent; -@@ -784,6 +785,16 @@ static void blk_parse_discard(struct Xen - } - } - -+static void blk_parse_cache_unsafe(struct XenBlkDev *blkdev) -+{ -+ int enable; -+ -+ blkdev->cache_unsafe = false; -+ -+ if (xenstore_read_be_int(&blkdev->xendev, "suse-diskcache-disable-flush", &enable) == 0) -+ blkdev->cache_unsafe = !!enable; -+} -+ - static int blk_init(struct XenDevice *xendev) - { - struct XenBlkDev *blkdev = container_of(xendev, struct XenBlkDev, xendev); -@@ -852,6 +863,7 @@ static int blk_init(struct XenDevice *xe - xenstore_write_be_int(&blkdev->xendev, "info", info); - - blk_parse_discard(blkdev); -+ blk_parse_cache_unsafe(blkdev); - - g_free(directiosafe); - return 0; -@@ -892,6 +904,9 @@ static int blk_connect(struct XenDevice - qflags |= BDRV_O_UNMAP; - } - -+ if (blkdev->cache_unsafe) -+ qflags |= BDRV_O_NO_FLUSH; -+ - /* init qemu block driver */ - index = (blkdev->xendev.dev - 202 * 256) / 16; - blkdev->dinfo = drive_get(IF_XEN, 0, index); diff --git a/tigervnc-long-press.patch b/tigervnc-long-press.patch deleted file mode 100644 index 71503c4..0000000 --- a/tigervnc-long-press.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.c -=================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.c -+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.c -@@ -1659,6 +1659,25 @@ static void do_key_event(VncState *vs, i - if (down) - vs->modifiers_state[keycode] ^= 1; - break; -+ default: -+ if (qemu_console_is_graphic(NULL)) { -+ /* record key 'down' info. Some client like tigervnc -+ * will send key down repeatedly if user pressing a -+ * a key for long time. In this case, we should add -+ * additional key up event before repeated key down, -+ * so that it can display the key multiple times. -+ */ -+ if (down) { -+ if (vs->modifiers_state[keycode]) { -+ /* add a key up event */ -+ do_key_event(vs, 0, keycode, sym); -+ } -+ vs->modifiers_state[keycode] = 1; -+ } else { -+ vs->modifiers_state[keycode] = 0; -+ } -+ } -+ break; - } - - /* Turn off the lock state sync logic if the client support the led diff --git a/xen.changes b/xen.changes index 8d7bee8..ea341ab 100644 --- a/xen.changes +++ b/xen.changes 
@@ -1,12 +1,37 @@ ------------------------------------------------------------------- -Wed Mar 2 09:47:57 MST 2016 - carnold@suse.com +Thu Mar 3 10:27:55 MST 2016 - carnold@suse.com -- bsc#969125 - VUL-0: CVE-2015-8817: xen: OOB access in - address_space_rw leads to segmentation fault (I) - CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch -- bsc#969126 - VUL-0: CVE-2015-8818: xen: OOB access in - address_space_rw leads to segmentation fault (II) - CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch +- bsc#969351 - VUL-0: CVE-2016-2841: xen: net: ne2000: infinite + loop in ne2000_receive + CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch + +------------------------------------------------------------------- +Wed Mar 2 16:53:51 UTC 2016 - jfehlig@suse.com + +- Use system qemu instead of building/installing yet another qemu + FATE#320638 +- Dropped files + qemu-xen-dir-remote.tar.bz2 + CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch + CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch + CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch + CVE-2015-4037-qemuu-smb-config-dir-name.patch + CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch + CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch + CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch + CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch + CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch + CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch + CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch + CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch + CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch + CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch + 
CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch + CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch + CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch + qemu-xen-enable-spice-support.patch + qemu-xen-upstream-qdisk-cache-unsafe.patch + tigervnc-long-press.patch ------------------------------------------------------------------- Mon Feb 29 09:40:43 MST 2016 - carnold@suse.com @@ -85,7 +110,6 @@ Fri Feb 5 13:07:53 MST 2016 - carnold@suse.com - bsc#965315 - VUL-0: CVE-2016-2270: xen: x86: inconsistent cachability flags on guest mappings (XSA-154) xsa154.patch - xsa154-fix.patch - bsc#965317 - VUL-0: CVE-2016-2271: xen: VMX: guest user mode may crash guest with non-canonical RIP (XSA-170) xsa170.patch @@ -134,6 +158,9 @@ Mon Feb 1 13:29:55 MST 2016 - carnold@suse.com - bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer dereference in ehci_caps_write CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch +- bsc#964452 - VUL-0: CVE-2013-4534: xen: openpic: buffer overrun + on incoming migration + CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch ------------------------------------------------------------------- Wed Jan 27 08:23:26 MST 2016 - carnold@suse.com diff --git a/xen.libxl.dmmd.patch b/xen.libxl.dmmd.patch index 3d06601..68fc988 100644 --- a/xen.libxl.dmmd.patch +++ b/xen.libxl.dmmd.patch @@ -107,7 +107,7 @@ Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l =================================================================== --- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_l.l +++ xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l -@@ -210,6 +210,8 @@ target=.* { STRIP(','); SAVESTRING("targ +@@ -209,6 +209,8 @@ target=.* { STRIP(','); SAVESTRING("targ free(newscript); } diff --git a/xen.spec b/xen.spec index 197eb81..638f027 100644 --- a/xen.spec +++ b/xen.spec 
@@ -15,7 +15,6 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - # needssslcertforbuild Name: xen @@ -171,7 +170,6 @@ Group: System/Kernel Source0: xen-4.6.1-testing-src.tar.bz2 Source1: stubdom.tar.bz2 Source2: qemu-xen-traditional-dir-remote.tar.bz2 -Source3: qemu-xen-dir-remote.tar.bz2 Source4: seabios-dir-remote.tar.bz2 Source5: ipxe.tar.bz2 Source6: mini-os.tar.bz2 @@ -207,15 +205,13 @@ Patch1: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handlin Patch2: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch Patch3: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch Patch4: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch -Patch15401: xsa154.patch -Patch15402: xsa154-fix.patch +Patch154: xsa154.patch Patch15501: xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch Patch15502: xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch Patch15503: xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch -Patch162: xsa162-qemuu.patch Patch164: xsa164.patch Patch170: xsa170.patch -# Upstream qemu +# Upstream qemu-traditional patches Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch Patch252: 0002-net-increase-tap-buffer-size.patch 
@@ -225,60 +221,25 @@ Patch255: 0005-e1000-multi-buffer-packet-support.patch
 Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch
 Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch
 Patch258: 0008-e1000-check-buffer-availability.patch
-Patch259: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
-Patch260: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
-Patch261: CVE-2015-4037-qemuu-smb-config-dir-name.patch
-Patch262: CVE-2015-4037-qemut-smb-config-dir-name.patch
-Patch263: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
-Patch264: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
-Patch265: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
-Patch266: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
-Patch267: CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
-Patch268: CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
-Patch269: CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
-Patch270: CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
-Patch271: CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
-Patch272: CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
-Patch273: CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
-Patch274: CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
-Patch275: CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
-Patch276: CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
-Patch277: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch
-Patch278: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch
-Patch279: CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
-Patch280: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
-Patch281: CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
-Patch282: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
-Patch283: CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
-Patch284: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
-Patch285: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
-Patch286: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
-Patch287: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
-Patch288: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
-Patch289: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
-Patch290: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
-Patch291: CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
-Patch292: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
-Patch293: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
-Patch294: CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
-Patch295: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
-Patch296: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
-Patch297: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
-Patch298: CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
-Patch299: CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
-Patch300: CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
-# Our platform specific patches
-Patch321: xen-destdir.patch
-Patch322: vif-bridge-no-iptables.patch
-Patch323: vif-bridge-tap-fix.patch
-Patch324: xl-conf-default-bridge.patch
-# Needs to go upstream
-Patch330: suspend_evtchn_lock.patch
-Patch331: xenpaging.doc.patch
-Patch332: xen-c99-fix.patch
-Patch333: stubdom-have-iovec.patch
-Patch334: hotplug-Linux-block-performance-fix.patch
-# Qemu traditional
+Patch259: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
+Patch260: CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch
+Patch261: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
+Patch262: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch
+Patch263: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
+Patch264: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
+Patch265: CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
+Patch266: CVE-2015-4037-qemut-smb-config-dir-name.patch
+Patch267: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
+Patch268: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
+Patch269: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
+Patch270: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
+Patch271: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
+Patch272: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
+Patch273: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch
+Patch274: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
+Patch275: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
+Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
+# qemu-traditional patches that are not upstream
 Patch350: blktap.patch
 Patch351: cdrom-removable.patch
 Patch353: xen-qemu-iscsi-fix.patch
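Review bot: Patch259 through Patch276 now name different files than the same numbers did before this change, so the matching `%patch259`…`%patch276` lines in %prep survive as unchanged context and nothing in the diff shows that the apply range was re-checked against the new definitions. Reusing numbers for unrelated patches also makes later audits harder, because a stale `%patchNNN` would apply the wrong file without any error. The platform and upstream-bound groups were moved to fresh ranges (400/420) in this same change; giving the qemu-traditional CVE backports a distinct range too, or at least a comment such as `# Patch259..276: qemu-traditional CVE backports, applied in %prep`, would let the definition and apply lists be compared by eye.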
@@ -304,9 +265,17 @@ Patch380: pvdrv_emulation_control.patch
 Patch381: ioemu-disable-scsi.patch
 Patch382: ioemu-disable-emulated-ide-if-pv.patch
 Patch383: xenpaging.qemu.flush-cache.patch
-Patch385: xen_pvonhvm.xen_emul_unplug.patch
-Patch387: libxl.pvscsi.patch
-Patch388: blktap2-no-uninit.patch
+# Our platform specific patches
+Patch400: xen-destdir.patch
+Patch401: vif-bridge-no-iptables.patch
+Patch402: vif-bridge-tap-fix.patch
+Patch403: xl-conf-default-bridge.patch
+# Needs to go upstream
+Patch420: suspend_evtchn_lock.patch
+Patch421: xenpaging.doc.patch
+Patch422: xen-c99-fix.patch
+Patch423: stubdom-have-iovec.patch
+Patch424: hotplug-Linux-block-performance-fix.patch
 # Other bug fixes or features
 Patch451: xenconsole-no-multiple-connections.patch
 Patch452: hibernate.patch
@@ -314,20 +283,20 @@ Patch453: stdvga-cache.patch
 Patch454: ipxe-enable-nics.patch
 Patch455: pygrub-netware-xnloader.patch
 Patch456: pygrub-boot-legacy-sles.patch
-Patch460: set-mtu-from-bridge-for-tap-interface.patch
-Patch466: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch
-Patch467: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
-Patch470: qemu-xen-upstream-qdisk-cache-unsafe.patch
-Patch471: qemu-xen-enable-spice-support.patch
-Patch472: tigervnc-long-press.patch
-Patch473: xendomains-libvirtd-conflict.patch
-Patch474: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
-Patch475: xen.libxl.dmmd.patch
+Patch457: set-mtu-from-bridge-for-tap-interface.patch
+Patch458: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch
+Patch459: xendomains-libvirtd-conflict.patch
+Patch460: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
+Patch461: libxl.pvscsi.patch
+Patch462: xen.libxl.dmmd.patch
+Patch463: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
+Patch464: blktap2-no-uninit.patch
 # Hypervisor and PV driver Patches
 Patch501: x86-ioapic-ack-default.patch
 Patch502: x86-cpufreq-report.patch
-Patch520: supported_module.patch
-Patch521: magic_ioport_compat.patch
+Patch520: xen_pvonhvm.xen_emul_unplug.patch
+Patch521: supported_module.patch
+Patch522: magic_ioport_compat.patch
 Patch601: xen.build-compare.doc_html.patch
 Patch602: xen.build-compare.seabios.patch
 Patch603: xen.build-compare.man.patch
@@ -418,10 +387,14 @@ Authors:
 Summary: Xen Virtualization: Control tools for domain 0
 Group: System/Kernel
 Requires: bridge-utils
-%if %suse_version >= 1315
 %ifarch x86_64
+%if %suse_version >= 1315
 Requires: grub2-x86_64-xen
 %endif
+Requires: qemu-x86
+%endif
+%ifarch %arm aarch64
+Requires: qemu-arm
 %endif
 Requires: multipath-tools
 Requires: python
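Review bot: `Requires: qemu-x86` and `Requires: qemu-arm` are unversioned, yet this change drops the bundled qemu-xen together with the CVE backports it carried (the Patch261–Patch300 removals earlier in the file), so the fixes for those issues now come from whichever system qemu happens to satisfy the dependency. A minimum version, e.g. `Requires: qemu-x86 >= <first version carrying the dropped fixes>`, would make that expectation explicit and keep an older qemu from being accepted at install time. The same applies to the arm line, since `--with-system-qemu` later points libxl at the system binary on both architectures.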
@@ -536,18 +509,16 @@ Authors:
 %endif
 
 %prep
-%setup -q -n %xen_build_dir -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 57
+%setup -q -n %xen_build_dir -a 1 -a 2 -a 4 -a 5 -a 6 -a 57
 # Upstream patches
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%patch15401 -p1
-%patch15402 -p1
+%patch154 -p1
 %patch15501 -p1
 %patch15502 -p1
 %patch15503 -p1
-%patch162 -p1
 %patch164 -p1
 %patch170 -p1
 # Upstream qemu patches
@@ -578,41 +549,6 @@ Authors:
 %patch274 -p1
 %patch275 -p1
 %patch276 -p1
-%patch277 -p1
-%patch278 -p1
-%patch279 -p1
-%patch280 -p1
-%patch281 -p1
-%patch282 -p1
-%patch283 -p1
-%patch284 -p1
-%patch285 -p1
-%patch286 -p1
-%patch287 -p1
-%patch288 -p1
-%patch289 -p1
-%patch290 -p1
-%patch291 -p1
-%patch292 -p1
-%patch293 -p1
-%patch294 -p1
-%patch295 -p1
-%patch296 -p1
-%patch297 -p1
-%patch298 -p1
-%patch299 -p1
-%patch300 -p1
-# Our platform specific patches
-%patch321 -p1
-%patch322 -p1
-%patch323 -p1
-%patch324 -p1
-# Needs to go upstream
-%patch330 -p1
-%patch331 -p1
-%patch332 -p1
-%patch333 -p1
-%patch334 -p1
 # Qemu traditional
 %patch350 -p1
 %patch351 -p1
@@ -639,9 +575,17 @@ Authors:
 %patch381 -p1
 %patch382 -p1
 %patch383 -p1
-%patch385 -p1
-%patch387 -p1
-%patch388 -p1
+# Our platform specific patches
+%patch400 -p1
+%patch401 -p1
+%patch402 -p1
+%patch403 -p1
+# Needs to go upstream
+%patch420 -p1
+%patch421 -p1
+%patch422 -p1
+%patch423 -p1
+%patch424 -p1
 # Other bug fixes or features
 %patch451 -p1
 %patch452 -p1
@@ -649,20 +593,20 @@ Authors:
 %patch454 -p1
 %patch455 -p1
 %patch456 -p1
+%patch457 -p1
+%patch458 -p1
+%patch459 -p1
 %patch460 -p1
-%patch466 -p1
-%patch467 -p1
-%patch470 -p1
-%patch471 -p1
-%patch472 -p1
-%patch473 -p1
-%patch474 -p1
-%patch475 -p1
+%patch461 -p1
+%patch462 -p1
+%patch463 -p1
+%patch464 -p1
 # Hypervisor and PV driver Patches
 %patch501 -p1
 %patch502 -p1
 %patch520 -p1
 %patch521 -p1
+%patch522 -p1
 %patch601 -p1
 %patch602 -p1
 %patch603 -p1
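Review bot: The section comment `# Upstream qemu patches` at the end of the first hunk here, and `# Qemu traditional` kept as context in the second, no longer match the definition side, where the same groups were renamed to `# Upstream qemu-traditional patches` and `# qemu-traditional patches that are not upstream`. Since %prep is the only place a reader sees which patches are actually applied, the two comment sets should use the same wording; updating the two context comments to the new names would keep them in step. The %prep section continues outside these hunks.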
@@ -704,7 +648,6 @@ export FTP=$(type -P false)
 export GIT=$(type -P false)
 export EXTRA_CFLAGS_XEN_TOOLS="$RPM_OPT_FLAGS"
 export EXTRA_CFLAGS_QEMU_TRADITIONAL="$RPM_OPT_FLAGS"
-export EXTRA_CFLAGS_QEMU_XEN="$RPM_OPT_FLAGS"
 export SMBIOS_DATE="$SMBIOS_DATE"
 export RELDATE="$RELDATE"
 export SEABIOS_DATE="$SEABIOS_DATE"
@@ -729,11 +672,6 @@ if diff -u xen/Makefile~ xen/Makefile
 then
 : no changes?
 fi
-%ifarch x86_64
-%if 0%{?suse_version} > 1230
-export QEMU_XEN_ENABLE_SPICE="--enable-spice --enable-usb-redir"
-%endif
-%endif
 configure_flags=
 %if %{?with_stubdom}0
 configure_flags=--enable-stubdom
@@ -771,6 +709,7 @@ configure_flags="${configure_flags} --disable-qemu-traditional"
 %else
 --disable-systemd \
 %endif
+ --with-system-qemu=%{_bindir}/qemu-system-%{_arch} \
 ${configure_flags}
 make -C tools/include/xen-foreign %{?_smp_mflags}
 make %{?_smp_mflags}
@@ -865,6 +804,20 @@ for flavor in %flavors_to_build; do
 done
 %endif
 
+# On x86_64, qemu-xen was installed as /usr/lib/xen/bin/qemu-system-i386
+# and advertised as the in libvirt capabilities. Tool such as
+# virt-install include in domXML they produce, so we need to
+# preserve the path. For x86_64, create a simple wrapper that invokes
+# /usr/bin/qemu-system-x86_64
+%ifarch x86_64
+cat > $RPM_BUILD_ROOT/usr/lib/xen/bin/qemu-system-i386 << 'EOF'
+#!/bin/sh
+
+exec %{_bindir}/qemu-system-x86_64 "$@"
+EOF
+chmod 0755 $RPM_BUILD_ROOT/usr/lib/xen/bin/qemu-system-i386
+%endif
+
 # Stubdom
 %if %{?with_dom0_support}0
 # Docs
@@ -993,7 +946,6 @@ rm -rf $RPM_BUILD_ROOT%{_unitdir}
 rm -rf $RPM_BUILD_ROOT%{with_systemd_modules_load}
 rm -rf $RPM_BUILD_ROOT/usr/sbin
 rm -rf $RPM_BUILD_ROOT/etc/xen
-rm -rf $RPM_BUILD_ROOT/%{_datadir}/qemu-xen
 rm -rf $RPM_BUILD_ROOT/var
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/bash_completion.d/xl.sh
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/xen*
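Review bot: `--with-system-qemu=%{_bindir}/qemu-system-%{_arch}` expands `%{_arch}` to the RPM target architecture, which gives the right binary name on x86_64 and aarch64 but presumably not on 32-bit ARM, where the target is an armv7-style name while the qemu-arm package required above for `%arm aarch64` installs `qemu-system-arm`; if the spec builds for `%arm`, libxl would be configured with a path that does not exist on the installed system. Selecting the name per architecture, e.g. `%ifarch %arm` / `--with-system-qemu=%{_bindir}/qemu-system-arm \` / `%endif` with the `%{_arch}` form kept for the others, avoids tying the configured path to the `%{_arch}` spelling. The configure invocation this line belongs to starts outside the hunk.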
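Review bot: The wrapper is written with `cat > $RPM_BUILD_ROOT/usr/lib/xen/bin/qemu-system-i386` without first making sure the directory exists; that directory used to be populated by the qemu-xen build this change removes, so unless the remaining tools install still creates `/usr/lib/xen/bin` the redirection fails, and `$RPM_BUILD_ROOT` is unquoted in both the redirection and the `chmod`. A `mkdir -p "$RPM_BUILD_ROOT/usr/lib/xen/bin"` before the heredoc, with the path quoted in both places, makes the step independent of what the rest of %install happens to create. The comment above the block also reads as if a word is missing after `advertised as the` and after `include` (possibly an element name was lost), and `Tool such as` should be `Tools such as`.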
@@ -1129,7 +1081,6 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper %endif %dir /etc/modprobe.d /etc/bash_completion.d/xl.sh -%{_datadir}/qemu-xen %if %{?with_qemu_traditional}0 %dir %{_datadir}/xen %dir %{_datadir}/xen/qemu diff --git a/xsa154-fix.patch b/xsa154-fix.patch deleted file mode 100644 index 5cf2294..0000000 --- a/xsa154-fix.patch +++ /dev/null @@ -1,31 +0,0 @@ -Subject: x86: fix unintended fallthrough case from XSA-154 -From: Andrew Cooper andrew.cooper3@citrix.com Thu Feb 18 15:10:07 2016 +0100 -Date: Thu Feb 18 15:10:07 2016 +0100: -Git: 8dd6d1c099865ee5f5916616a0ca79cd943c46f9 - -... and annotate the other deliberate one: Coverity objects otherwise. - -Signed-off-by: Andrew Cooper - -One of the two instances was actually a bug. - -Signed-off-by: Jan Beulich - -Index: xen-4.6.1-testing/xen/arch/x86/mm.c -=================================================================== ---- xen-4.6.1-testing.orig/xen/arch/x86/mm.c -+++ xen-4.6.1-testing/xen/arch/x86/mm.c -@@ -853,9 +853,11 @@ get_page_from_l1e( - case 0: - break; - case 1: -- if ( is_hardware_domain(l1e_owner) ) -+ if ( !is_hardware_domain(l1e_owner) ) -+ break; -+ /* fallthrough */ - case -1: -- return 0; -+ return 0; - default: - ASSERT_UNREACHABLE(); - } diff --git a/xsa154.patch b/xsa154.patch index 8fb4c8e..dab2292 100644 --- a/xsa154.patch +++ b/xsa154.patch @@ -236,7 +236,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c /* Only needed the reference to confirm dom_io ownership. */ if ( mfn_valid(mfn) ) -@@ -836,24 +845,55 @@ get_page_from_l1e( +@@ -836,24 +845,57 @@ get_page_from_l1e( return -EINVAL; } @@ -251,9 +251,11 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c + case 0: + break; + case 1: -+ if ( is_hardware_domain(l1e_owner) ) ++ if ( !is_hardware_domain(l1e_owner) ) ++ break; ++ /* fallthrough */ + case -1: -+ return 0; ++ return 0; + default: + ASSERT_UNREACHABLE(); + } 
@@ -308,7 +310,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c } if ( unlikely( (real_pg_owner != pg_owner) && -@@ -1243,8 +1283,9 @@ static int alloc_l1_table(struct page_in +@@ -1243,8 +1285,9 @@ static int alloc_l1_table(struct page_in goto fail; case 0: break; @@ -320,7 +322,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c break; } -@@ -1759,8 +1800,9 @@ static int mod_l1_entry(l1_pgentry_t *pl +@@ -1759,8 +1802,9 @@ static int mod_l1_entry(l1_pgentry_t *pl return -EINVAL; } @@ -332,7 +334,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c { adjust_guest_l1e(nl1e, pt_dom); if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu, -@@ -1783,8 +1825,9 @@ static int mod_l1_entry(l1_pgentry_t *pl +@@ -1783,8 +1827,9 @@ static int mod_l1_entry(l1_pgentry_t *pl return rc; case 0: break; @@ -344,7 +346,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c rc = 0; break; } -@@ -5000,6 +5043,7 @@ static int ptwr_emulated_update( +@@ -5000,6 +5045,7 @@ static int ptwr_emulated_update( l1_pgentry_t pte, ol1e, nl1e, *pl1e; struct vcpu *v = current; struct domain *d = v->domain; @@ -352,7 +354,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c /* Only allow naturally-aligned stores within the original %cr2 page. */ if ( unlikely(((addr^ptwr_ctxt->cr2) & PAGE_MASK) || (addr & (bytes-1))) ) -@@ -5047,7 +5091,7 @@ static int ptwr_emulated_update( +@@ -5047,7 +5093,7 @@ static int ptwr_emulated_update( /* Check the new PTE. */ nl1e = l1e_from_intpte(val); @@ -361,7 +363,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c { default: if ( is_pv_32bit_domain(d) && (bytes == 4) && (unaligned_addr & 4) && -@@ -5071,8 +5115,9 @@ static int ptwr_emulated_update( +@@ -5071,8 +5117,9 @@ static int ptwr_emulated_update( break; case 0: break; diff --git a/xsa162-qemuu.patch b/xsa162-qemuu.patch deleted file mode 100644 index b98b2b1..0000000 --- a/xsa162-qemuu.patch +++ /dev/null 
@@ -1,37 +0,0 @@
-net: pcnet: add check to validate receive data size(CVE-2015-7504)
-
-In loopback mode, pcnet_receive routine appends CRC code to the
-receive buffer. If the data size given is same as the buffer size,
-the appended CRC code overwrites 4 bytes after s->buffer. Added a
-check to avoid that.
-
----
- hw/net/pcnet.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
-===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/pcnet.c
-+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
-@@ -1106,7 +1106,7 @@ ssize_t pcnet_receive(NetClientState *nc
- uint32_t fcs = ~0;
- uint8_t *p = src;
-
-- while (p != &src[size-4])
-+ while (p != &src[size])
- CRC(fcs, *p++);
- crc_err = (*(uint32_t *)p != htonl(fcs));
- }
-@@ -1255,8 +1255,10 @@ static void pcnet_transmit(PCNetState *s
- bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-
- /* if multi-tmd packet outsizes s->buffer then skip it silently.
-- Note: this is not what real hw does */
-+ * Note: this is not what real hw does.
-+ * Last four bytes of s->buffer are used to store CRC FCS code.
-+ */
-+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
- s->xmit_pos = -1;
- goto txdone;
- }