- bsc#969351 - VUL-0: CVE-2016-2841: xen: net: ne2000: infinite
  loop in ne2000_receive
  CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch

- Use system qemu instead of building/installing yet another qemu
  FATE#320638
- Dropped files
  qemu-xen-dir-remote.tar.bz2
  CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
  CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
  CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
  CVE-2015-4037-qemuu-smb-config-dir-name.patch
  CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
  CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
  CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
  CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
  CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
  CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
  CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
  CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
  CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
  CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
  CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
  CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
  CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
  qemu-xen-enable-spice-support.patch
  qemu-xen-upstream-qdisk-cache-unsafe.patch
  tigervnc-long-press.patch
- bsc#964452 - VUL-0: CVE-2013-4534: xen: openpic: buffer overrun
  on incoming migration

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=408
Charles Arnold 2016-03-03 22:36:20 +00:00 committed by Git OBS Bridge
parent 6636a216d1
commit b87fe0a367
41 changed files with 239 additions and 2020 deletions


@ -0,0 +1,56 @@
References: bsc#964452 CVE-2013-4534
Subject: openpic: avoid buffer overrun on incoming migration
From: Michael Roth mdroth@linux.vnet.ibm.com Mon Apr 28 16:08:17 2014 +0300
Date: Mon May 5 22:15:03 2014 +0200:
Git: 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c
@@ -36,6 +36,7 @@
#include "ppc_mac.h"
#include "pci.h"
#include "openpic.h"
+#include "qemu/qerror.h"
//#define DEBUG_OPENPIC
@@ -1132,7 +1133,7 @@ static void openpic_load_IRQ_queue(QEMUF
static int openpic_load(QEMUFile* f, void *opaque, int version_id)
{
openpic_t *opp = (openpic_t *)opaque;
- unsigned int i;
+ unsigned int i, nb_cpus;
if (version_id != 1)
return -EINVAL;
@@ -1153,7 +1154,11 @@ static int openpic_load(QEMUFile* f, voi
qemu_get_sbe32s(f, &opp->src[i].pending);
}
- qemu_get_sbe32s(f, &opp->nb_cpus);
+ qemu_get_be32s(f, &nb_cpus);
+ if (opp->nb_cpus != nb_cpus) {
+ return -EINVAL;
+ }
+ assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
for (i = 0; i < opp->nb_cpus; i++) {
qemu_get_be32s(f, &opp->dst[i].tfrr);
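Review bot: The added `#include "qemu/qerror.h"` in the first hunk does not match the flat include style of its neighbours (`"ppc_mac.h"`, `"pci.h"`, `"openpic.h"`) in this qemu-xen-traditional tree, and none of the added lines in openpic_load reference a qerror symbol, so it looks like a leftover from the upstream backport; I would drop it or confirm that header path exists in this tree. The new `assert(nb_cpus > 0 && nb_cpus <= MAX_CPU)` runs only after the wire value has been matched against the locally configured `opp->nb_cpus`, so it validates the device configuration rather than migration input, and a one-line comment such as `/* nb_cpus equals the configured value here, so this checks device config, not the wire */` would make that intent explicit. `assert` needs `<assert.h>`, which the hunk does not show being included, so it is worth confirming openpic.c already pulls it in. openpic_load continues past the end of the hunk.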


@ -1,44 +0,0 @@
References: bsc#962627 CVE-2014-7815
Subject: vnc: sanitize bits_per_pixel from the client
From: Petr Matousek pmatouse@redhat.com Mon Oct 27 12:41:44 2014 +0100
Date: Tue Oct 28 11:51:04 2014 +0100:
Git: e6908bfe8e07f2b452e78e677da1b45b1c0f6829
bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.
To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.
This is CVE-2014-7815.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
[ kraxel: apply codestyle fix ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1643,6 +1643,16 @@ static void set_pixel_format(VncState *v
return;
}
+ switch (bits_per_pixel) {
+ case 8:
+ case 16:
+ case 32:
+ break;
+ default:
+ vnc_client_error(vs);
+ return;
+ }
+
vs->clientds = vs->serverds;
vs->clientds.pf.rmax = red_max ? red_max : 0xFF;
count_bits(vs->clientds.pf.rbits, red_max);


@ -1,222 +0,0 @@
References: bsc#962632 CVE-2015-1779
Subject: CVE-2015-1779: incrementally decode websocket frames
From: Daniel P. Berrange berrange@redhat.com Mon Mar 23 22:58:21 2015 +0000
Date: Wed Apr 1 17:11:34 2015 +0200:
Git: a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e
The logic for decoding websocket frames wants to fully
decode the frame header and payload, before allowing the
VNC server to see any of the payload data. There is no
size limit on websocket payloads, so this allows a
malicious network client to consume 2^64 bytes in memory
in QEMU. It can trigger this denial of service before
the VNC server even performs any authentication.
The fix is to decode the header, and then incrementally
decode the payload data as it is needed. With this fix
the websocket decoder will allow at most 4k of data to
be buffered before decoding and processing payload.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c
@@ -115,7 +115,7 @@ long vnc_client_read_ws(VncState *vs)
{
int ret, err;
uint8_t *payload;
- size_t payload_size, frame_size;
+ size_t payload_size, header_size;
VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer,
vs->ws_input.capacity, vs->ws_input.offset);
buffer_reserve(&vs->ws_input, 4096);
@@ -125,18 +125,39 @@ long vnc_client_read_ws(VncState *vs)
}
vs->ws_input.offset += ret;
- /* make sure that nothing is left in the ws_input buffer */
+ ret = 0;
+ /* consume as much of ws_input buffer as possible */
do {
- err = vncws_decode_frame(&vs->ws_input, &payload,
- &payload_size, &frame_size);
- if (err <= 0) {
- return err;
+ if (vs->ws_payload_remain == 0) {
+ err = vncws_decode_frame_header(&vs->ws_input,
+ &header_size,
+ &vs->ws_payload_remain,
+ &vs->ws_payload_mask);
+ if (err <= 0) {
+ return err;
+ }
+
+ buffer_advance(&vs->ws_input, header_size);
}
+ if (vs->ws_payload_remain != 0) {
+ err = vncws_decode_frame_payload(&vs->ws_input,
+ &vs->ws_payload_remain,
+ &vs->ws_payload_mask,
+ &payload,
+ &payload_size);
+ if (err < 0) {
+ return err;
+ }
+ if (err == 0) {
+ return ret;
+ }
+ ret += err;
- buffer_reserve(&vs->input, payload_size);
- buffer_append(&vs->input, payload, payload_size);
+ buffer_reserve(&vs->input, payload_size);
+ buffer_append(&vs->input, payload, payload_size);
- buffer_advance(&vs->ws_input, frame_size);
+ buffer_advance(&vs->ws_input, payload_size);
+ }
} while (vs->ws_input.offset > 0);
return ret;
@@ -274,15 +295,14 @@ void vncws_encode_frame(Buffer *output,
buffer_append(output, payload, payload_size);
}
-int vncws_decode_frame(Buffer *input, uint8_t **payload,
- size_t *payload_size, size_t *frame_size)
+int vncws_decode_frame_header(Buffer *input,
+ size_t *header_size,
+ size_t *payload_remain,
+ WsMask *payload_mask)
{
unsigned char opcode = 0, fin = 0, has_mask = 0;
- size_t header_size = 0;
- uint32_t *payload32;
+ size_t payload_len;
WsHeader *header = (WsHeader *)input->buffer;
- WsMask mask;
- int i;
if (input->offset < WS_HEAD_MIN_LEN + 4) {
/* header not complete */
@@ -292,7 +312,7 @@ int vncws_decode_frame(Buffer *input, ui
fin = (header->b0 & 0x80) >> 7;
opcode = header->b0 & 0x0f;
has_mask = (header->b1 & 0x80) >> 7;
- *payload_size = header->b1 & 0x7f;
+ payload_len = header->b1 & 0x7f;
if (opcode == WS_OPCODE_CLOSE) {
/* disconnect */
@@ -309,40 +329,57 @@ int vncws_decode_frame(Buffer *input, ui
return -2;
}
- if (*payload_size < 126) {
- header_size = 6;
- mask = header->u.m;
- } else if (*payload_size == 126 && input->offset >= 8) {
- *payload_size = be16_to_cpu(header->u.s16.l16);
- header_size = 8;
- mask = header->u.s16.m16;
- } else if (*payload_size == 127 && input->offset >= 14) {
- *payload_size = be64_to_cpu(header->u.s64.l64);
- header_size = 14;
- mask = header->u.s64.m64;
+ if (payload_len < 126) {
+ *payload_remain = payload_len;
+ *header_size = 6;
+ *payload_mask = header->u.m;
+ } else if (payload_len == 126 && input->offset >= 8) {
+ *payload_remain = be16_to_cpu(header->u.s16.l16);
+ *header_size = 8;
+ *payload_mask = header->u.s16.m16;
+ } else if (payload_len == 127 && input->offset >= 14) {
+ *payload_remain = be64_to_cpu(header->u.s64.l64);
+ *header_size = 14;
+ *payload_mask = header->u.s64.m64;
} else {
/* header not complete */
return 0;
}
- *frame_size = header_size + *payload_size;
+ return 1;
+}
- if (input->offset < *frame_size) {
- /* frame not complete */
+int vncws_decode_frame_payload(Buffer *input,
+ size_t *payload_remain, WsMask *payload_mask,
+ uint8_t **payload, size_t *payload_size)
+{
+ size_t i;
+ uint32_t *payload32;
+
+ *payload = input->buffer;
+ /* If we aren't at the end of the payload, then drop
+ * off the last bytes, so we're always multiple of 4
+ * for purpose of unmasking, except at end of payload
+ */
+ if (input->offset < *payload_remain) {
+ *payload_size = input->offset - (input->offset % 4);
+ } else {
+ *payload_size = *payload_remain;
+ }
+ if (*payload_size == 0) {
return 0;
}
-
- *payload = input->buffer + header_size;
+ *payload_remain -= *payload_size;
/* unmask frame */
/* process 1 frame (32 bit op) */
payload32 = (uint32_t *)(*payload);
for (i = 0; i < *payload_size / 4; i++) {
- payload32[i] ^= mask.u;
+ payload32[i] ^= payload_mask->u;
}
/* process the remaining bytes (if any) */
for (i *= 4; i < *payload_size; i++) {
- (*payload)[i] ^= mask.c[i % 4];
+ (*payload)[i] ^= payload_mask->c[i % 4];
}
return 1;
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.h
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.h
@@ -83,7 +83,12 @@ long vnc_client_read_ws(VncState *vs);
void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size);
void vncws_encode_frame(Buffer *output, const void *payload,
const size_t payload_size);
-int vncws_decode_frame(Buffer *input, uint8_t **payload,
- size_t *payload_size, size_t *frame_size);
+int vncws_decode_frame_header(Buffer *input,
+ size_t *header_size,
+ size_t *payload_remain,
+ WsMask *payload_mask);
+int vncws_decode_frame_payload(Buffer *input,
+ size_t *payload_remain, WsMask *payload_mask,
+ uint8_t **payload, size_t *payload_size);
#endif /* __QEMU_UI_VNC_WS_H */
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.h
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.h
@@ -302,6 +302,8 @@ struct VncState
#ifdef CONFIG_VNC_WS
Buffer ws_input;
Buffer ws_output;
+ size_t ws_payload_remain;
+ WsMask ws_payload_mask;
#endif
/* current output mode information */
VncWritePixels *write_pixels;


@ -1,53 +0,0 @@
References: bsc#962632 CVE-2015-1779
Subject: CVE-2015-1779: limit size of HTTP headers from websockets clients
From: Daniel P. Berrange berrange@redhat.com Mon Mar 23 22:58:22 2015 +0000
Date: Wed Apr 1 17:12:55 2015 +0200:
Git: 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41
The VNC server websockets decoder will read and buffer data from
websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious to
trick QEMU into consuming an arbitrary amount of RAM. In practice,
because QEMU runs g_strstr_len() across the buffered header data,
it will spend increasingly long burning CPU time searching for
the substring match and less & less time reading data. So while
this does cause arbitrary memory growth, the bigger problem is
that QEMU will be burning 100% of available CPU time.
A novnc websockets client typically sends headers of around
512 bytes in length. As such it is reasonable to place a 4096
byte limit on the amount of data buffered while searching for
the end of HTTP headers.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc-ws.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc-ws.c
@@ -89,8 +89,11 @@ void vncws_handshake_read(void *opaque)
VncState *vs = opaque;
uint8_t *handshake_end;
long ret;
- buffer_reserve(&vs->ws_input, 4096);
- ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096);
+ /* Typical HTTP headers from novnc are 512 bytes, so limiting
+ * total header size to 4096 is easily enough. */
+ size_t want = 4096 - vs->ws_input.offset;
+ buffer_reserve(&vs->ws_input, want);
+ ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want);
if (!ret) {
if (vs->csock == -1) {
@@ -107,6 +110,9 @@ void vncws_handshake_read(void *opaque)
vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset);
buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer +
strlen(WS_HANDSHAKE_END));
+ } else if (vs->ws_input.offset >= 4096) {
+ VNC_DEBUG("End of headers not found in first 4096 bytes\n");
+ vnc_client_error(vs);
}
}


@ -1,48 +0,0 @@
References: bsc#932267
Subject: slirp: use less predictable directory name in /tmp for smb config (CVE-2015-4037)
From: Michael Tokarev mjt@tls.msk.ru Thu May 28 14:12:26 2015 +0300
Date: Wed Jun 3 14:21:45 2015 +0300:
Git: 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
In this version I used mkdtemp(3) which is:
_BSD_SOURCE
|| /* Since glibc 2.10: */
(_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
(POSIX.1-2008), so should be available on systems we care about.
While at it, reset the resulting directory name within smb structure
on error so cleanup function wont try to remove directory which we
failed to create.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/net/slirp.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/net/slirp.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/net/slirp.c
@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState
static int slirp_smb(SlirpState* s, const char *exported_dir,
struct in_addr vserver_addr)
{
- static int instance;
char smb_conf[128];
char smb_cmdline[128];
struct passwd *passwd;
@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, cons
return -1;
}
- snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
- (long)getpid(), instance++);
- if (mkdir(s->smb_dir, 0700) < 0) {
+ snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
+ if (!mkdtemp(s->smb_dir)) {
error_report("could not create samba server dir '%s'", s->smb_dir);
+ s->smb_dir[0] = 0;
return -1;
}
snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");


@ -1,140 +0,0 @@
References: bsc#965156 CVE-2015-6855
Subject: ide: fix ATAPI command permissions
From: John Snow jsnow@redhat.com Thu Sep 17 14:17:05 2015 -0400
Date: Fri Sep 18 10:58:56 2015 -0400:
Git: d9033e1d3aa666c5071580617a57bd853c5d794a
We're a little too lenient with what we'll let an ATAPI drive handle.
Clamp down on the IDE command execution table to remove CD_OK permissions
from commands that are not and have never been ATAPI commands.
For ATAPI command validity, please see:
- ATA4 Section 6.5 ("PACKET Command feature set")
- ATA8/ACS Section 4.3 ("The PACKET feature set")
- ACS3 Section 4.3 ("The PACKET feature set")
ACS3 has a historical command validity table in Table B.4
("Historical Command Assignments") that can be referenced to find when
a command was introduced, deprecated, obsoleted, etc.
The only reference for ATAPI command validity is by checking that
version's PACKET feature set section.
ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
therefore are assumed to have never been ATAPI commands.
Mandatory commands, as listed in ATA8-ACS3, are:
- DEVICE RESET
- EXECUTE DEVICE DIAGNOSTIC
- IDENTIFY DEVICE
- IDENTIFY PACKET DEVICE
- NOP
- PACKET
- READ SECTOR(S)
- SET FEATURES
Optional commands as listed in ATA8-ACS3, are:
- FLUSH CACHE
- READ LOG DMA EXT
- READ LOG EXT
- WRITE LOG DMA EXT
- WRITE LOG EXT
All other commands are illegal to send to an ATAPI device and should
be rejected by the device.
CD_OK removal justifications:
0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
This patch fixes a divide by zero fault that can be caused by sending
the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
attempt to use zeroed CHS values to perform sector arithmetic.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
CC: qemu-stable@nongnu.org
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
@@ -1739,11 +1739,11 @@ static const struct {
} ide_cmd_table[0x100] = {
/* NOP not implemented, mandatory for CD */
[CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
[WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
[WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
[WIN_READ] = { cmd_read_pio, ALL_OK },
- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
[WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
[WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
[WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
@@ -1762,12 +1762,12 @@ static const struct {
[CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
[WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
[WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
[WIN_PACKETCMD] = { cmd_packet, CD_OK },
[WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
[WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
@@ -1781,19 +1781,19 @@ static const struct {
[WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
[WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
[CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
- [WIN_STANDBY] = { cmd_nop, ALL_OK },
- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
[WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
[WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
[WIN_IDENTIFY] = { cmd_identify, ALL_OK },
[WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
[IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
[CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
};
static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)


@ -1,30 +0,0 @@
References: bsc#962360 CVE-2015-7512
Backends could provide a packet whose length is greater than buffer
size. Check for this and truncate the packet to avoid rx buffer
overflow in this case.
Cc: Prasad J Pandit <address@hidden>
Cc: address@hidden
Signed-off-by: Jason Wang <address@hidden>
---
hw/net/pcnet.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/pcnet.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
@@ -1086,6 +1086,12 @@ ssize_t pcnet_receive(NetClientState *nc
int pktcount = 0;
if (!s->looptest) {
+ if (size > 4092) {
+#ifdef PCNET_DEBUG_RMD
+ fprintf(stderr, "pcnet: truncates rx packet.\n");
+#endif
+ size = 4092;
+ }
memcpy(src, buf, size);
/* no need to compute the CRC */
src[size] = 0;


@ -1,53 +0,0 @@
References: bsc#958918 CVE-2015-7549
Subject: msix: implement pba write (but read-only)
From: Marc-André Lureau marcandre.lureau@redhat.com Fri Jun 26 14:25:29 2015 +0200
Date: Sat Oct 24 18:03:18 2015 +0200:
Git: 43b11a91dd861a946b231b89b7542856ade23d1b
qpci_msix_pending() writes on pba region, causing qemu to SEGV:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
0x0000000000000000 in ?? ()
(gdb) bt
#0 0x0000000000000000 in ()
#1 0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
#2 0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e <memory_region_oldmmio_write_accessor>, mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
#3 0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at /home/elmarco/src/qemu/memory.c:1176
#4 0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 <address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
#5 0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
#6 0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80
#7 0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
#8 0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
#9 0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581
#10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
#11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
#12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122
(without this patch, this can be reproduced with the ivshmem qtest)
Implement an empty mmio write to avoid the crash.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/pci/msix.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/pci/msix.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/pci/msix.c
@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void
return pci_get_long(dev->msix_pba + addr);
}
+static void msix_pba_mmio_write(void *opaque, hwaddr addr,
+ uint64_t val, unsigned size)
+{
+}
+
static const MemoryRegionOps msix_pba_mmio_ops = {
.read = msix_pba_mmio_read,
+ .write = msix_pba_mmio_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = {
.min_access_size = 4,


@ -1,59 +0,0 @@
References: bsc#956832 CVE-2015-8345
Subject: eepro100: Prevent two endless loops
From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
Date: Fri Nov 27 10:39:55 2015 +0800:
Git: 00837731d254908a841d69298a4f9f077babaf24
http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
shows an example how an endless loop in function action_command can
be achieved.
During my code review, I noticed a 2nd case which can result in an
endless loop.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/eepro100.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
#if 0
uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
#endif
+ if (tx_buffer_size == 0) {
+ /* Prevent an endless loop. */
+ logout("loop in %s:%u\n", __FILE__, __LINE__);
+ break;
+ }
tbd_address += 8;
TRACE(RXTX, logout
("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100S
static void action_command(EEPRO100State *s)
{
+ /* The loop below won't stop if it gets special handcrafted data.
+ Therefore we limit the number of iterations. */
+ unsigned max_loop_count = 16;
+
for (;;) {
bool bit_el;
bool bit_s;
@@ -870,6 +879,13 @@ static void action_command(EEPRO100State
#if 0
bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
#endif
+
+ if (max_loop_count-- == 0) {
+ /* Prevent an endless loop. */
+ logout("loop in %s:%u\n", __FILE__, __LINE__);
+ break;
+ }
+
s->cu_offset = s->tx.link;
TRACE(OTHER,
logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",


@ -1,25 +0,0 @@
References: bsc#958493 CVE-2015-8504
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.c
@@ -2036,15 +2036,15 @@ static void set_pixel_format(VncState *v
return;
}
- vs->client_pf.rmax = red_max;
+ vs->client_pf.rmax = red_max ? red_max : 0xFF;
vs->client_pf.rbits = hweight_long(red_max);
vs->client_pf.rshift = red_shift;
vs->client_pf.rmask = red_max << red_shift;
- vs->client_pf.gmax = green_max;
+ vs->client_pf.gmax = green_max ? green_max : 0xFF;
vs->client_pf.gbits = hweight_long(green_max);
vs->client_pf.gshift = green_shift;
vs->client_pf.gmask = green_max << green_shift;
- vs->client_pf.bmax = blue_max;
+ vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
vs->client_pf.bbits = hweight_long(blue_max);
vs->client_pf.bshift = blue_shift;
vs->client_pf.bmask = blue_max << blue_shift;


@ -1,39 +0,0 @@
References: bsc#959006 CVE-2015-8558
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.
Reported-by: Qinghao Tang <address@hidden>
Tested-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-ehci.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
@@ -1395,7 +1395,7 @@ static int ehci_process_itd(EHCIState *e
{
USBDevice *dev;
USBEndpoint *ep;
- uint32_t i, len, pid, dir, devaddr, endp;
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
uint32_t pg, off, ptr1, ptr2, max, mult;
ehci->periodic_sched_active = PERIODIC_ACTIVE;
@@ -1485,9 +1485,10 @@ static int ehci_process_itd(EHCIState *e
ehci_raise_irq(ehci, USBSTS_INT);
}
itd->transact[i] &= ~ITD_XACT_ACTIVE;
+ xfers++;
}
}
- return 0;
+ return xfers ? 0 : -1;
}


@ -1,89 +0,0 @@
References: bsc#959386 CVE-2015-8568
From 3ef66b01874fcc2fe3bfc73d2b61ee3a5b29fdb6 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <address@hidden>
Date: Tue, 15 Dec 2015 12:17:28 +0530
Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
Vmxnet3 device emulator does not check if the device is active
before activating it, also it did not free the transmit & receive
buffers while deactivating the device, thus resulting in memory
leakage on the host. This patch fixes both these issues to avoid
host memory leakage.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/vmxnet3.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
@@ -1135,8 +1135,13 @@ static void vmxnet3_reset_mac(VMXNET3Sta
static void vmxnet3_deactivate_device(VMXNET3State *s)
{
- VMW_CBPRN("Deactivating vmxnet3...");
- s->device_active = false;
+ if (s->device_active) {
+ VMW_CBPRN("Deactivating vmxnet3...");
+ vmxnet_tx_pkt_reset(s->tx_pkt);
+ vmxnet_tx_pkt_uninit(s->tx_pkt);
+ vmxnet_rx_pkt_uninit(s->rx_pkt);
+ s->device_active = false;
+ }
}
static void vmxnet3_reset(VMXNET3State *s)
@@ -1145,7 +1150,6 @@ static void vmxnet3_reset(VMXNET3State *
vmxnet3_deactivate_device(s);
vmxnet3_reset_interrupt_states(s);
- vmxnet_tx_pkt_reset(s->tx_pkt);
s->drv_shmem = 0;
s->tx_sop = true;
s->skip_current_tx_pkt = false;
@@ -1368,6 +1372,12 @@ static void vmxnet3_activate_device(VMXN
return;
}
+ /* Verify if device is active */
+ if (s->device_active) {
+ VMW_CFPRN("Vmxnet3 device is active");
+ return;
+ }
+
vmxnet3_adjust_by_guest_type(s);
vmxnet3_update_features(s);
vmxnet3_update_pm_state(s);
@@ -1564,7 +1574,7 @@ static void vmxnet3_handle_command(VMXNE
break;
case VMXNET3_CMD_QUIESCE_DEV:
- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
vmxnet3_deactivate_device(s);
break;
@@ -1669,7 +1679,7 @@ vmxnet3_io_bar1_write(void *opaque,
* shared address only after we get the high part
*/
if (val == 0) {
- s->device_active = false;
+ vmxnet3_deactivate_device(s);
}
s->temp_shared_guest_driver_memory = val;
s->drv_shmem = 0;
@@ -1956,9 +1966,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VM
static void vmxnet3_net_uninit(VMXNET3State *s)
{
g_free(s->mcast_list);
- vmxnet_tx_pkt_reset(s->tx_pkt);
- vmxnet_tx_pkt_uninit(s->tx_pkt);
- vmxnet_rx_pkt_uninit(s->rx_pkt);
+ vmxnet3_deactivate_device(s);
qemu_del_nic(s->nic);
}


@ -1,29 +0,0 @@
Reference: bsc#961358 CVE-2015-8613
From: Prasad J Pandit <address@hidden>
Date: Mon, 21 Dec 2015 14:48:18 +0530
Subject: [PATCH] scsi: initialise info object with appropriate size
While processing controller 'CTRL_GET_INFO' command, the routine
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
appropriate size to null initialise it.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/megasas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
@@ -721,7 +721,7 @@ static int megasas_ctrl_get_info(Megasas
BusChild *kid;
int num_pd_disks = 0;
- memset(&info, 0x0, cmd->iov_size);
+ memset(&info, 0x0, dcmd_size);
if (cmd->iov_size < dcmd_size) {
trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
dcmd_size);


@ -1,115 +0,0 @@
References: bsc#965269 CVE-2015-8619
Subject: hmp: fix sendkey out of bounds write (CVE-2015-8619)
From: Wolfgang Bumiller w.bumiller@proxmox.com Wed Jan 13 09:09:58 2016 +0100
Date: Wed Feb 3 10:13:06 2016 +0100:
Git: 64ffbe04eaafebf4045a3ace52a360c14959d196
When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.
Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.
Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hmp.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c
@@ -1478,21 +1478,18 @@ void hmp_send_key(Monitor *mon, const QD
int has_hold_time = qdict_haskey(qdict, "hold-time");
int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
Error *err = NULL;
- char keyname_buf[16];
char *separator;
int keyname_len;
while (1) {
separator = strchr(keys, '-');
keyname_len = separator ? separator - keys : strlen(keys);
- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
/* Be compatible with old interface, convert user inputted "<" */
- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
+ if (keys[0] == '<' && keyname_len == 1) {
+ keys = "less";
keyname_len = 4;
}
- keyname_buf[keyname_len] = 0;
keylist = g_malloc0(sizeof(*keylist));
keylist->value = g_malloc0(sizeof(*keylist->value));
@@ -1505,16 +1502,17 @@ void hmp_send_key(Monitor *mon, const QD
}
tmp = keylist;
- if (strstart(keyname_buf, "0x", NULL)) {
+ if (strstart(keys, "0x", NULL)) {
char *endp;
- int value = strtoul(keyname_buf, &endp, 0);
- if (*endp != '\0') {
+ int value = strtoul(keys, &endp, 0);
+ assert(endp <= keys + keyname_len);
+ if (endp != keys + keyname_len) {
goto err_out;
}
keylist->value->kind = KEY_VALUE_KIND_NUMBER;
keylist->value->number = value;
} else {
- int idx = index_from_key(keyname_buf);
+ int idx = index_from_key(keys, keyname_len);
if (idx == Q_KEY_CODE_MAX) {
goto err_out;
}
@@ -1536,7 +1534,7 @@ out:
return;
err_out:
- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
goto out;
}
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/include/ui/console.h
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h
@@ -349,7 +349,7 @@ static inline int vnc_display_pw_expire(
void curses_display_init(DisplayState *ds, int full_screen);
/* input.c */
-int index_from_key(const char *key);
+int index_from_key(const char *key, size_t key_length);
/* gtk.c */
void early_gtk_display_init(void);
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/input-legacy.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c
@@ -60,12 +60,13 @@ static QTAILQ_HEAD(, QEMUPutLEDEntry) le
static QTAILQ_HEAD(, QEMUPutMouseEntry) mouse_handlers =
QTAILQ_HEAD_INITIALIZER(mouse_handlers);
-int index_from_key(const char *key)
+int index_from_key(const char *key, size_t key_length)
{
int i;
for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
- if (!strcmp(key, QKeyCode_lookup[i])) {
+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
+ !QKeyCode_lookup[i][key_length]) {
break;
}
}


@ -1,43 +0,0 @@
From: Prasad J Pandit <address@hidden>
While doing ioport r/w operations, ne2000 device emulation suffers
from OOB r/w errors. Update respective array bounds check to avoid
OOB access.
Reported-by: Ling Liu <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/ne2000.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
Updated as per review in
-> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04863.html
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/ne2000.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/ne2000.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/ne2000.c
@@ -476,8 +476,9 @@ static inline void ne2000_mem_writel(NE2
uint32_t val)
{
addr &= ~1; /* XXX: check exact behaviour if not even */
- if (addr < 32 ||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
+ if (addr < 32
+ || (addr >= NE2000_PMEM_START
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
stl_le_p(s->mem + addr, val);
}
}
@@ -506,8 +507,9 @@ static inline uint32_t ne2000_mem_readw(
static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
{
addr &= ~1; /* XXX: check exact behaviour if not even */
- if (addr < 32 ||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
+ if (addr < 32
+ || (addr >= NE2000_PMEM_START
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
return ldl_le_p(s->mem + addr);
} else {
return 0xffffffff;


@ -1,69 +0,0 @@
Subject: net/vmxnet3: Refine l2 header validation
From: Dana Rubin dana.rubin@ravellosystems.com Tue Aug 18 12:45:55 2015 +0300
Date: Mon Oct 12 13:19:29 2015 +0800:
Git: a7278b36fcab9af469563bd7b9dadebe2ae25e48
Validation of l2 header length assumed minimal packet size as
eth_header + 2 * vlan_header regardless of the actual protocol.
This caused crash for valid non-IP packets shorter than 22 bytes, as
'tx_pkt->packet_type' hasn't been assigned for such packets, and
'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.
Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
Check its return value during packet processing flow.
As a side effect, in case IPv4 and IPv6 header validation failure,
corrupt packets will be dropped.
Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com>
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
}
if (txd.eop) {
- if (!s->skip_current_tx_pkt) {
- vmxnet_tx_pkt_parse(s->tx_pkt);
-
+ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) {
if (s->needs_vlan) {
vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci);
}
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet_tx_pkt.c
@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt)
bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base,
ETH_MAX_L2_HDR_LEN);
- if (bytes_read < ETH_MAX_L2_HDR_LEN) {
+ if (bytes_read < sizeof(struct eth_header)) {
+ l2_hdr->iov_len = 0;
+ return false;
+ }
+
+ l2_hdr->iov_len = sizeof(struct eth_header);
+ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) {
+ case ETH_P_VLAN:
+ l2_hdr->iov_len += sizeof(struct vlan_header);
+ break;
+ case ETH_P_DVLAN:
+ l2_hdr->iov_len += 2 * sizeof(struct vlan_header);
+ break;
+ }
+
+ if (bytes_read < l2_hdr->iov_len) {
l2_hdr->iov_len = 0;
return false;
- } else {
- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base);
}
l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len);


@ -1,31 +0,0 @@
Subject: vmxnet3: Support reading IMR registers on bar0
From: Shmulik Ladkani shmulik.ladkani@ravellosystems.com Mon Sep 21 17:09:02 2015 +0300
Date: Mon Oct 12 13:19:29 2015 +0800:
Git: c6048f849c7e3f009786df76206e895a69de032c
Instead of asserting, return the actual IMR register value.
This is aligned with what's returned on ESXi.
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Tested-by: Dana Rubin <dana.rubin@ravellosystems.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/vmxnet3.c
@@ -1108,9 +1108,13 @@ vmxnet3_io_bar0_write(void *opaque, hwad
static uint64_t
vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size)
{
+ VMXNET3State *s = opaque;
+
if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR,
VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) {
- g_assert_not_reached();
+ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR,
+ VMXNET3_REG_ALIGN);
+ return s->interrupt_states[l].is_masked;
}
VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size);


@ -1,53 +0,0 @@
References: bsc#969125 CVE-2015-8817
Subject: exec: Respect as_translate_internal length clamp
From: Peter Crosthwaite peter.crosthwaite@xilinx.com Mon Mar 16 22:35:54 2015 -0700
Date: Mon Apr 27 18:24:19 2015 +0200:
Git: 23820dbfc79d1c9dce090b4c555994f2bb6a69b3
address_space_translate_internal will clamp the *plen length argument
based on the size of the memory region being queried. The iommu walker
logic in addresss_space_translate was ignoring this by discarding the
post fn call value of *plen. Fix by just always using *plen as the
length argument throughout the fn, removing the len local variable.
This fixes a bootloader bug when a single elf section spans multiple
QEMU memory regions.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-Id: <1426570554-15940-1-git-send-email-peter.crosthwaite@xilinx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/exec.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c
@@ -363,7 +363,6 @@ MemoryRegion *address_space_translate(Ad
IOMMUTLBEntry iotlb;
MemoryRegionSection *section;
MemoryRegion *mr;
- hwaddr len = *plen;
for (;;) {
section = address_space_translate_internal(as->dispatch, addr, &addr, plen, true);
@@ -376,7 +375,7 @@ MemoryRegion *address_space_translate(Ad
iotlb = mr->iommu_ops->translate(mr, addr, is_write);
addr = ((iotlb.translated_addr & ~iotlb.addr_mask)
| (addr & iotlb.addr_mask));
- len = MIN(len, (addr | iotlb.addr_mask) - addr + 1);
+ *plen = MIN(*plen, (addr | iotlb.addr_mask) - addr + 1);
if (!(iotlb.perm & (1 << is_write))) {
mr = &io_mem_unassigned;
break;
@@ -387,10 +386,9 @@ MemoryRegion *address_space_translate(Ad
if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
hwaddr page = ((addr & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE) - addr;
- len = MIN(page, len);
+ *plen = MIN(page, *plen);
}
- *plen = len;
*xlat = addr;
return mr;
}


@ -1,86 +0,0 @@
References: bsc#969126 CVE-2015-8818
Subject: exec: skip MMIO regions correctly in cpu_physical_memory_write_rom_internal
From: Paolo Bonzini pbonzini@redhat.com Sat Jul 4 00:24:51 2015 +0200
Date: Mon Jul 6 14:59:11 2015 +0200:
Git: b242e0e0e2969c044a318e56f7988bbd84de1f63
Loading the BIOS in the mac99 machine is interesting, because there is a
PROM in the middle of the BIOS region (from 16K to 32K). Before memory
region accesses were clamped, when QEMU was asked to load a BIOS from
0xfff00000 to 0xffffffff it would put even those 16K from the BIOS file
into the region. This is weird because those 16K were not actually
visible between 0xfff04000 and 0xfff07fff. However, it worked.
After clamping was added, this also worked. In this case, the
cpu_physical_memory_write_rom_internal function split the write in
three parts: the first 16K were copied, the PROM area (second 16K) were
ignored, then the rest was copied.
Problems then started with commit 965eb2f (exec: do not clamp accesses
to MMIO regions, 2015-06-17). Clamping accesses is not done for MMIO
regions because they can overlap wildly, and MMIO registers can be
expected to perform full-width accesses based only on their address
(with no respect for adjacent registers that could decode to completely
different MemoryRegions). However, this lack of clamping also applied
to the PROM area! cpu_physical_memory_write_rom_internal thus failed
to copy the third range above, i.e. only copied the first 16K of the BIOS.
In effect, address_space_translate is expecting _something else_ to do
the clamping for MMIO regions if the incoming length is large. This
"something else" is memory_access_size in the case of address_space_rw,
so use the same logic in cpu_physical_memory_write_rom_internal.
Reported-by: Alexander Graf <agraf@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Tested-by: Laurent Vivier <lvivier@redhat.com>
Fixes: 965eb2f
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/exec.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c
@@ -330,6 +330,7 @@ address_space_translate_internal(Address
hwaddr *plen, bool resolve_subpage)
{
MemoryRegionSection *section;
+ MemoryRegion *mr;
Int128 diff;
section = address_space_lookup_region(d, addr, resolve_subpage);
@@ -339,8 +340,23 @@ address_space_translate_internal(Address
/* Compute offset within MemoryRegion */
*xlat = addr + section->offset_within_region;
- diff = int128_sub(section->mr->size, int128_make64(addr));
- *plen = int128_get64(int128_min(diff, int128_make64(*plen)));
+ mr = section->mr;
+
+ /* MMIO registers can be expected to perform full-width accesses based only
+ * on their address, without considering adjacent registers that could
+ * decode to completely different MemoryRegions. When such registers
+ * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
+ * regions overlap wildly. For this reason we cannot clamp the accesses
+ * here.
+ *
+ * If the length is small (as is the case for address_space_ldl/stl),
+ * everything works fine. If the incoming length is large, however,
+ * the caller really has to do the clamping through memory_access_size.
+ */
+ if (memory_region_is_ram(mr)) {
+ diff = int128_sub(section->size, int128_make64(addr));
+ *plen = int128_get64(int128_min(diff, int128_make64(*plen)));
+ }
return section;
}
@@ -2232,7 +2248,7 @@ static inline void cpu_physical_memory_w
if (!(memory_region_is_ram(mr) ||
memory_region_is_romd(mr))) {
- /* do nothing */
+ l = memory_access_size(mr, l, addr1);
} else {
addr1 += memory_region_get_ram_addr(mr);
/* ROM/RAM case */


@ -1,45 +0,0 @@
Reference: bsc#961332 CVE-2016-1568
From: Prasad J Pandit <address@hidden>
When processing NCQ commands, ACHI device emulation prepares a
NCQ transfer object; To which an aio control block(aiocb) object
is assigned in 'execute_ncq_command'. In case, when the NCQ
command is invalid, the 'aiocb' object is not assigned, and NCQ
transfer object is left as 'used'. This leads to a use after
free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
Reset NCQ transfer object to 'unused' to avoid it.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/ide/ahci.c | 1 +
1 file changed, 1 insertion(+)
Update as per review in
-> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg01175.html
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/ahci.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/ide/ahci.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/ahci.c
@@ -902,7 +902,10 @@ static void process_ncq_command(AHCIStat
ncq_tfs->lba, ncq_tfs->lba + ncq_tfs->sector_count - 2,
s->dev[port].port.ifs[0].nb_sectors - 1);
- ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0);
+ if (ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist, 0) == -1) {
+ ncq_tfs->used = 0;
+ return;
+ }
ncq_tfs->tag = tag;
switch(ncq_fis->command) {
@@ -943,6 +946,7 @@ static void process_ncq_command(AHCIStat
"error: tried to process non-NCQ command as NCQ\n");
}
qemu_sglist_destroy(&ncq_tfs->sglist);
+ ncq_tfs->used = 0;
}
}


@ -1,48 +0,0 @@
Reference: bsc#961692 CVE-2016-1714
When processing firmware configurations, an OOB r/w access occurs
if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff).
Add a check to validate 's->cur_entry' to avoid such access.
Reported-by: Donghai Zdh <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/nvram/fw_cfg.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
Updated as per review in
-> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00398.html
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/nvram/fw_cfg.c
@@ -211,12 +211,15 @@ static void fw_cfg_reboot(FWCfgState *s)
static void fw_cfg_write(FWCfgState *s, uint8_t value)
{
int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
trace_fw_cfg_write(s, value);
- if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback &&
- s->cur_offset < e->len) {
+ if (s->cur_entry & FW_CFG_WRITE_CHANNEL
+ && e != NULL
+ && e->callback
+ && s->cur_offset < e->len) {
e->data[s->cur_offset++] = value;
if (s->cur_offset == e->len) {
e->callback(e->callback_opaque, e->data);
@@ -245,7 +248,8 @@ static int fw_cfg_select(FWCfgState *s,
static uint8_t fw_cfg_read(FWCfgState *s)
{
int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
uint8_t ret;
if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)


@ -1,61 +0,0 @@
References: bsc#962321 CVE-2016-1922
Subject: i386: avoid null pointer dereference
From: P J P ppandit@redhat.com Fri Dec 18 11:35:07 2015 +0530
Date: Fri Jan 15 18:58:01 2016 +0100:
Git: 4c1396cb576c9b14425558b73de1584c7a9735d7
Hello,
A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
occurs while doing I/O port write operations via hmp interface. In that,
'current_cpu' remains null as it is not called from cpu_exec loop, which
results in the said issue.
Below is a proposed (tested)patch to fix this issue; Does it look okay?
===
From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 18 Dec 2015 11:16:07 +0530
Subject: [PATCH] i386: avoid null pointer dereference
When I/O port write operation is called from hmp interface,
'current_cpu' remains null, as it is not called from cpu_exec()
loop. This leads to a null pointer dereference in vapic_write
routine. Add check to avoid it.
Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: P J P <ppandit@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *
static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
unsigned int size)
{
- CPUState *cs = current_cpu;
- X86CPU *cpu = X86_CPU(cs);
- CPUX86State *env = &cpu->env;
- hwaddr rom_paddr;
VAPICROMState *s = opaque;
+ X86CPU *cpu;
+ CPUX86State *env;
+ hwaddr rom_paddr;
+
+ if (!current_cpu) {
+ return;
+ }
- cpu_synchronize_state(cs);
+ cpu_synchronize_state(current_cpu);
+ cpu = X86_CPU(current_cpu);
+ env = &cpu->env;
/*
* The VAPIC supports two PIO-based hypercalls, both via port 0x7E.


@ -1,94 +0,0 @@
The start_xmit() and e1000_receive_iov() functions implement DMA transfers
iterating over a set of descriptors that the guest's e1000 driver
prepares:
- the TDLEN and RDLEN registers store the total size of the descriptor
area,
- while the TDH and RDH registers store the offset (in whole tx / rx
descriptors) into the area where the transfer is supposed to start.
Each time a descriptor is processed, the TDH and RDH register is bumped
(as appropriate for the transfer direction).
QEMU already contains logic to deal with bogus transfers submitted by the
guest:
- Normally, the transmit case wants to increase TDH from its initial value
to TDT. (TDT is allowed to be numerically smaller than the initial TDH
value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
that QEMU currently has here is a check against reaching the original
TDH value again -- a complete wraparound, which should never happen.
- In the receive case RDH is increased from its initial value until
"total_size" bytes have been received; preferably in a single step, or
in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
RX descriptors are skipped without receiving data, while RDH is
incremented just the same. QEMU tries to prevent an infinite loop
(processing only null RX descriptors) by detecting whether RDH assumes
its original value during the loop. (Again, wrapping from RDLEN to 0 is
normal.)
What both directions miss is that the guest could program TDLEN and RDLEN
so low, and the initial TDH and RDH so high, that these registers will
immediately be truncated to zero, and then never reassume their initial
values in the loop -- a full wraparound will never occur.
The condition that expresses this is:
xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
i.e., TDH or RDH start out after the last whole rx or tx descriptor that
fits into the TDLEN or RDLEN sized area.
This condition could be checked before we enter the loops, but
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
bogus DMA addresses, so we just extend the existing failsafes with the
above condition.
Cc: "Michael S. Tsirkin" <address@hidden>
Cc: Petr Matousek <address@hidden>
Cc: Stefano Stabellini <address@hidden>
Cc: Prasad Pandit <address@hidden>
Cc: Michael Roth <address@hidden>
Cc: Jason Wang <address@hidden>
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
Signed-off-by: Laszlo Ersek <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
---
Notes:
Regarding the public posting: we made an honest effort to vet this
vulnerability, and the impact seems low -- no host side reads/writes,
"just" a DoS (infinite loop). We decided the patch could be posted
publicly, for the usual review process. Jason and Prasad checked the
patch in the internal discussion already, but comments, improvements
etc. are clearly welcome. The CVE request is underway. Thanks.
hw/net/e1000.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/e1000.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c
@@ -815,7 +815,8 @@ start_xmit(E1000State *s)
* bogus values to TDT/TDLEN.
* there's nothing too intelligent we could do about this.
*/
- if (s->mac_reg[TDH] == tdh_start) {
+ if (s->mac_reg[TDH] == tdh_start ||
+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
break;
@@ -1059,7 +1060,8 @@ e1000_receive_iov(NetClientState *nc, co
if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
s->mac_reg[RDH] = 0;
/* see comment in start_xmit; same here */
- if (s->mac_reg[RDH] == rdh_start) {
+ if (s->mac_reg[RDH] == rdh_start ||
+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
set_ics(s, 0, E1000_ICS_RXO);


@ -1,38 +0,0 @@
References: bsc#964415 CVE-2016-2198
USB Ehci emulation supports host controller capability registers.
But its mmio '.write' function was missing, which lead to a null
pointer dereference issue. Add a do nothing 'ehci_caps_write'
definition to avoid it; Do nothing because capability registers
are Read Only(RO).
Reported-by: Zuozhi Fzz <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/usb/hcd-ehci.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
@@ -899,6 +899,11 @@ static uint64_t ehci_caps_read(void *ptr
return s->caps[addr];
}
+static void ehci_caps_write(void *ptr, hwaddr addr,
+ uint64_t val, unsigned size)
+{
+}
+
static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
unsigned size)
{
@@ -2317,6 +2322,7 @@ static void ehci_frame_timer(void *opaqu
static const MemoryRegionOps ehci_mmio_caps_ops = {
.read = ehci_caps_read,
+ .write = ehci_caps_write,
.valid.min_access_size = 1,
.valid.max_access_size = 4,
.impl.min_access_size = 1,


@ -1,90 +0,0 @@
References: bsc#967101 CVE-2016-2391
From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <address@hidden>
Date: Tue, 16 Feb 2016 15:15:04 +0100
Subject: [PATCH] ohci timer fix
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-ohci.c | 31 +++++--------------------------
1 file changed, 5 insertions(+), 26 deletions(-)
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c
@@ -1331,16 +1331,6 @@ static void ohci_frame_boundary(void *op
*/
static int ohci_bus_start(OHCIState *ohci)
{
- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
- ohci_frame_boundary,
- ohci);
-
- if (ohci->eof_timer == NULL) {
- trace_usb_ohci_bus_eof_timer_failed(ohci->name);
- ohci_die(ohci);
- return 0;
- }
-
trace_usb_ohci_start(ohci->name);
ohci_sof(ohci);
@@ -1352,11 +1342,7 @@ static int ohci_bus_start(OHCIState *ohc
static void ohci_bus_stop(OHCIState *ohci)
{
trace_usb_ohci_stop(ohci->name);
- if (ohci->eof_timer) {
- timer_del(ohci->eof_timer);
- timer_free(ohci->eof_timer);
- }
- ohci->eof_timer = NULL;
+ timer_del(ohci->eof_timer);
}
/* Sets a flag in a port status register but only set it if the port is
@@ -1881,6 +1867,8 @@ static int usb_ohci_init(OHCIState *ohci
ohci->async_td = 0;
qemu_register_reset(ohci_reset, ohci);
+ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
+ ohci_frame_boundary, ohci);
return 0;
}
@@ -1949,6 +1937,9 @@ static void usb_ohci_exit(PCIDevice *dev
if (!ohci->masterbus) {
usb_bus_release(&s->bus);
}
+
+ timer_del(s->eof_timer);
+ timer_free(s->eof_timer);
}
#define TYPE_SYSBUS_OHCI "sysbus-ohci"
@@ -1997,23 +1988,13 @@ static bool ohci_eof_timer_needed(void *
{
OHCIState *ohci = opaque;
- return ohci->eof_timer != NULL;
-}
-
-static int ohci_eof_timer_pre_load(void *opaque)
-{
- OHCIState *ohci = opaque;
-
- ohci_bus_start(ohci);
-
- return 0;
+ return timer_pending(ohci->eof_timer);
}
static const VMStateDescription vmstate_ohci_eof_timer = {
.name = "ohci-core/eof-timer",
.version_id = 1,
.minimum_version_id = 1,
- .pre_load = ohci_eof_timer_pre_load,
.fields = (VMStateField[]) {
VMSTATE_TIMER(eof_timer, OHCIState),
VMSTATE_END_OF_LIST()


@ -1,27 +0,0 @@
References: bsc#967090 CVE-2016-2392
When processing remote NDIS control message packets, the USB Net
device emulator checks to see if the USB configuration descriptor
object is of RNDIS type(2). But it does not check if it is null,
which leads to a null dereference error. Add check to avoid it.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/usb/dev-network.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
@@ -650,7 +650,8 @@ typedef struct USBNetState {
static int is_rndis(USBNetState *s)
{
- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
+ return s->dev.config ?
+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
}
static int ndis_query(USBNetState *s, uint32_t oid,


@ -1,55 +0,0 @@
References: bsc#968004 CVE-2016-2538
Subject: usb: check RNDIS buffer offsets & length
From: Prasad J Pandit pjp@fedoraproject.org Wed Feb 17 00:23:41 2016 +0530
Date: Tue Feb 23 10:38:01 2016 +0100:
Git: fe3c546c5ff2a6210f9a4d8561cc64051ca8603e
When processing remote NDIS control message packets,
the USB Net device emulator uses a fixed length(4096) data buffer.
The incoming informationBufferOffset & Length combination could
overflow and cross that range. Check control message buffer
offsets and length to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
@@ -912,8 +912,9 @@ static int rndis_query_response(USBNetSt
bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
buflen = le32_to_cpu(buf->InformationBufferLength);
- if (bufoffs + buflen > length)
+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
return USB_RET_STALL;
+ }
infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
bufoffs + (uint8_t *) buf, buflen, infobuf,
@@ -958,8 +959,9 @@ static int rndis_set_response(USBNetStat
bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
buflen = le32_to_cpu(buf->InformationBufferLength);
- if (bufoffs + buflen > length)
+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
return USB_RET_STALL;
+ }
ret = ndis_set(s, le32_to_cpu(buf->OID),
bufoffs + (uint8_t *) buf, buflen);
@@ -1209,8 +1211,9 @@ static void usb_net_handle_dataout(USBNe
if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
uint32_t size = le32_to_cpu(msg->DataLength);
- if (offs + size <= len)
+ if (offs < len && size < len && offs + size <= len) {
qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
+ }
}
s->out_ptr -= len;
memmove(s->out_buf, &s->out_buf[len], s->out_ptr);


@ -0,0 +1,34 @@
References: bsc#969351 CVE-2016-2841
From: Prasad J Pandit <address@hidden>
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. Registers PSTART & PSTOP
define ring buffer size & location. Setting these registers
to invalid values could lead to infinite loop or OOB r/w
access issues. Add check to avoid it.
Reported-by: Yang Hongke <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/ne2000.c | 4 ++++
1 file changed, 4 insertions(+)
Update per review:
-> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -202,6 +202,10 @@ static int ne2000_buffer_full(NE2000Stat
{
int avail, index, boundary;
+ if (s->stop <= s->start) {
+ return 1;
+ }
+
index = s->curpag << 8;
boundary = s->boundary << 8;
if (index < boundary)
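Review bot: The header of the newly added CVE-2016-2841 patch records no upstream commit id or date, unlike the `Subject:`/`From:`/`Date:`/`Git:` block the CVE-2016-2538 patch dropped in this same commit uses, and the "Update per review" line with a list-archive link suggests this is a pre-merge revision of the fix; a later refresh cannot tell which upstream state this backport tracks. Once the upstream commit is known, add a `Git: <upstream-commit-id>` line under `From:` to match that convention. The new guard in ne2000_buffer_full also lands without a why-comment; a line such as `/* PSTOP <= PSTART leaves no usable ring pages: report "full" so the receive path stops instead of looping over the ring. */` above `if (s->stop <= s->start)` would explain the choice of returning 1. The body of ne2000_buffer_full continues past the end of this hunk.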


@ -2,7 +2,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1771,6 +1771,25 @@ static int protocol_client_msg(VncState
@@ -1761,6 +1761,25 @@ static int protocol_client_msg(VncState
}
set_encodings(vs, (int32_t *)(data + 4), limit);


@ -7,11 +7,11 @@ https://bugzilla.novell.com/show_bug.cgi?id=879425
tools/libxl/libxlu_disk_l.l | 1 +
5 files changed, 18 insertions(+), 1 deletion(-)
Index: xen-4.6.0-testing/tools/libxl/libxl.c
Index: xen-4.6.1-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxl.c
+++ xen-4.6.0-testing/tools/libxl/libxl.c
@@ -2829,6 +2829,8 @@ static void device_disk_add(libxl__egc *
--- xen-4.6.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.6.1-testing/tools/libxl/libxl.c
@@ -2833,6 +2833,8 @@ static void device_disk_add(libxl__egc *
flexarray_append_pair(back, "discard-enable",
libxl_defbool_val(disk->discard_enable) ?
"1" : "0");
@ -20,10 +20,10 @@ Index: xen-4.6.0-testing/tools/libxl/libxl.c
flexarray_append(front, "backend-id");
flexarray_append(front, libxl__sprintf(gc, "%d", disk->backend_domid));
Index: xen-4.6.0-testing/tools/libxl/libxl.h
Index: xen-4.6.1-testing/tools/libxl/libxl.h
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxl.h
+++ xen-4.6.0-testing/tools/libxl/libxl.h
--- xen-4.6.1-testing.orig/tools/libxl/libxl.h
+++ xen-4.6.1-testing/tools/libxl/libxl.h
@@ -205,6 +205,18 @@
#define LIBXL_HAVE_BUILDINFO_ARM_GIC_VERSION 1
@ -43,10 +43,10 @@ Index: xen-4.6.0-testing/tools/libxl/libxl.h
* libxl ABI compatibility
*
* The only guarantee which libxl makes regarding ABI compatibility
Index: xen-4.6.0-testing/tools/libxl/libxlu_disk.c
Index: xen-4.6.1-testing/tools/libxl/libxlu_disk.c
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk.c
+++ xen-4.6.0-testing/tools/libxl/libxlu_disk.c
--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk.c
+++ xen-4.6.1-testing/tools/libxl/libxlu_disk.c
@@ -79,6 +79,8 @@ int xlu_disk_parse(XLU_Config *cfg,
if (!disk->pdev_path || !strcmp(disk->pdev_path, ""))
disk->format = LIBXL_DISK_FORMAT_EMPTY;
@ -56,10 +56,10 @@ Index: xen-4.6.0-testing/tools/libxl/libxlu_disk.c
if (!disk->vdev) {
xlu__disk_err(&dpc,0, "no vdev specified");
Index: xen-4.6.0-testing/tools/libxl/libxlu_disk_i.h
Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_i.h
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk_i.h
+++ xen-4.6.0-testing/tools/libxl/libxlu_disk_i.h
--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_i.h
+++ xen-4.6.1-testing/tools/libxl/libxlu_disk_i.h
@@ -10,7 +10,7 @@ typedef struct {
void *scanner;
YY_BUFFER_STATE buf;
@ -69,10 +69,10 @@ Index: xen-4.6.0-testing/tools/libxl/libxlu_disk_i.h
const char *spec;
} DiskParseContext;
Index: xen-4.6.0-testing/tools/libxl/libxlu_disk_l.l
Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk_l.l
+++ xen-4.6.0-testing/tools/libxl/libxlu_disk_l.l
--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_l.l
+++ xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l
@@ -176,6 +176,7 @@ script=[^,]*,? { STRIP(','); SAVESTRING(
direct-io-safe,? { DPC->disk->direct_io_safe = 1; }
discard,? { libxl_defbool_set(&DPC->disk->discard_enable, true); }


@ -2,7 +2,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -218,7 +218,7 @@ static int ne2000_can_receive(void *opaq
@@ -222,7 +222,7 @@ static int ne2000_can_receive(void *opaq
NE2000State *s = opaque;
if (s->cmd & E8390_STOP)


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:00730e1f13bb4780e2f9e6e6dae3438558405e47e19d3843f22476be676fb86c
size 8995705


@ -1,12 +0,0 @@
Index: xen-4.6.0-testing/tools/Makefile
===================================================================
--- xen-4.6.0-testing.orig/tools/Makefile
+++ xen-4.6.0-testing/tools/Makefile
@@ -259,6 +259,7 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-fi
--datadir=$(SHAREDIR)/qemu-xen \
--localstatedir=$(localstatedir) \
--disable-kvm \
+ $(QEMU_XEN_ENABLE_SPICE) \
--disable-docs \
--disable-guest-agent \
--python=$(PYTHON) \


@ -1,52 +0,0 @@
https://bugzilla.novell.com/show_bug.cgi?id=879425
---
tools/qemu-xen-dir-remote/hw/block/xen_disk.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/block/xen_disk.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/block/xen_disk.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/block/xen_disk.c
@@ -121,6 +121,7 @@ struct XenBlkDev {
int requests_inflight;
int requests_finished;
+ gboolean cache_unsafe;
/* Persistent grants extension */
gboolean feature_discard;
gboolean feature_persistent;
@@ -784,6 +785,16 @@ static void blk_parse_discard(struct Xen
}
}
+static void blk_parse_cache_unsafe(struct XenBlkDev *blkdev)
+{
+ int enable;
+
+ blkdev->cache_unsafe = false;
+
+ if (xenstore_read_be_int(&blkdev->xendev, "suse-diskcache-disable-flush", &enable) == 0)
+ blkdev->cache_unsafe = !!enable;
+}
+
static int blk_init(struct XenDevice *xendev)
{
struct XenBlkDev *blkdev = container_of(xendev, struct XenBlkDev, xendev);
@@ -852,6 +863,7 @@ static int blk_init(struct XenDevice *xe
xenstore_write_be_int(&blkdev->xendev, "info", info);
blk_parse_discard(blkdev);
+ blk_parse_cache_unsafe(blkdev);
g_free(directiosafe);
return 0;
@@ -892,6 +904,9 @@ static int blk_connect(struct XenDevice
qflags |= BDRV_O_UNMAP;
}
+ if (blkdev->cache_unsafe)
+ qflags |= BDRV_O_NO_FLUSH;
+
/* init qemu block driver */
index = (blkdev->xendev.dev - 202 * 256) / 16;
blkdev->dinfo = drive_get(IF_XEN, 0, index);


@ -1,30 +0,0 @@
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/vnc.c
@@ -1659,6 +1659,25 @@ static void do_key_event(VncState *vs, i
if (down)
vs->modifiers_state[keycode] ^= 1;
break;
+ default:
+ if (qemu_console_is_graphic(NULL)) {
+ /* record key 'down' info. Some client like tigervnc
+ * will send key down repeatedly if user pressing a
+ * a key for long time. In this case, we should add
+ * additional key up event before repeated key down,
+ * so that it can display the key multiple times.
+ */
+ if (down) {
+ if (vs->modifiers_state[keycode]) {
+ /* add a key up event */
+ do_key_event(vs, 0, keycode, sym);
+ }
+ vs->modifiers_state[keycode] = 1;
+ } else {
+ vs->modifiers_state[keycode] = 0;
+ }
+ }
+ break;
}
/* Turn off the lock state sync logic if the client support the led


@ -1,12 +1,37 @@
-------------------------------------------------------------------
Wed Mar 2 09:47:57 MST 2016 - carnold@suse.com
Thu Mar 3 10:27:55 MST 2016 - carnold@suse.com
- bsc#969125 - VUL-0: CVE-2015-8817: xen: OOB access in
address_space_rw leads to segmentation fault (I)
CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
- bsc#969126 - VUL-0: CVE-2015-8818: xen: OOB access in
address_space_rw leads to segmentation fault (II)
CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
- bsc#969351 - VUL-0: CVE-2016-2841: xen: net: ne2000: infinite
loop in ne2000_receive
CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
-------------------------------------------------------------------
Wed Mar 2 16:53:51 UTC 2016 - jfehlig@suse.com
- Use system qemu instead of building/installing yet another qemu
FATE#320638
- Dropped files
qemu-xen-dir-remote.tar.bz2
CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
CVE-2015-4037-qemuu-smb-config-dir-name.patch
CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
qemu-xen-enable-spice-support.patch
qemu-xen-upstream-qdisk-cache-unsafe.patch
tigervnc-long-press.patch
-------------------------------------------------------------------
Mon Feb 29 09:40:43 MST 2016 - carnold@suse.com
@ -85,7 +110,6 @@ Fri Feb 5 13:07:53 MST 2016 - carnold@suse.com
- bsc#965315 - VUL-0: CVE-2016-2270: xen: x86: inconsistent
cachability flags on guest mappings (XSA-154)
xsa154.patch
xsa154-fix.patch
- bsc#965317 - VUL-0: CVE-2016-2271: xen: VMX: guest user mode may
crash guest with non-canonical RIP (XSA-170)
xsa170.patch
@ -134,6 +158,9 @@ Mon Feb 1 13:29:55 MST 2016 - carnold@suse.com
- bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer
dereference in ehci_caps_write
CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
- bsc#964452 - VUL-0: CVE-2013-4534: xen: openpic: buffer overrun
on incoming migration
CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch
-------------------------------------------------------------------
Wed Jan 27 08:23:26 MST 2016 - carnold@suse.com


@ -107,7 +107,7 @@ Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l
===================================================================
--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_l.l
+++ xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l
@@ -210,6 +210,8 @@ target=.* { STRIP(','); SAVESTRING("targ
@@ -209,6 +209,8 @@ target=.* { STRIP(','); SAVESTRING("targ
free(newscript);
}

217
xen.spec

@ -15,7 +15,6 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needssslcertforbuild
Name: xen
@ -171,7 +170,6 @@ Group: System/Kernel
Source0: xen-4.6.1-testing-src.tar.bz2
Source1: stubdom.tar.bz2
Source2: qemu-xen-traditional-dir-remote.tar.bz2
Source3: qemu-xen-dir-remote.tar.bz2
Source4: seabios-dir-remote.tar.bz2
Source5: ipxe.tar.bz2
Source6: mini-os.tar.bz2
@ -207,15 +205,13 @@ Patch1: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handlin
Patch2: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch
Patch3: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
Patch4: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch
Patch15401: xsa154.patch
Patch15402: xsa154-fix.patch
Patch154: xsa154.patch
Patch15501: xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
Patch15502: xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
Patch15503: xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
Patch162: xsa162-qemuu.patch
Patch164: xsa164.patch
Patch170: xsa170.patch
# Upstream qemu
# Upstream qemu-traditional patches
Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
Patch252: 0002-net-increase-tap-buffer-size.patch
@ -225,60 +221,25 @@ Patch255: 0005-e1000-multi-buffer-packet-support.patch
Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch
Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch
Patch258: 0008-e1000-check-buffer-availability.patch
Patch259: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
Patch260: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
Patch261: CVE-2015-4037-qemuu-smb-config-dir-name.patch
Patch262: CVE-2015-4037-qemut-smb-config-dir-name.patch
Patch263: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
Patch264: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
Patch265: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
Patch266: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
Patch267: CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
Patch268: CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
Patch269: CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
Patch270: CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
Patch271: CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
Patch272: CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
Patch273: CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
Patch274: CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
Patch275: CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
Patch276: CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
Patch277: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch
Patch278: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch
Patch279: CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
Patch280: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
Patch281: CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
Patch282: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
Patch283: CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
Patch284: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
Patch285: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
Patch286: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch287: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch288: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
Patch289: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
Patch290: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
Patch291: CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
Patch292: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
Patch293: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
Patch294: CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
Patch295: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
Patch296: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
Patch297: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
Patch298: CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
Patch299: CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
Patch300: CVE-2015-8818-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch
# Our platform specific patches
Patch321: xen-destdir.patch
Patch322: vif-bridge-no-iptables.patch
Patch323: vif-bridge-tap-fix.patch
Patch324: xl-conf-default-bridge.patch
# Needs to go upstream
Patch330: suspend_evtchn_lock.patch
Patch331: xenpaging.doc.patch
Patch332: xen-c99-fix.patch
Patch333: stubdom-have-iovec.patch
Patch334: hotplug-Linux-block-performance-fix.patch
# Qemu traditional
Patch259: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
Patch260: CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch
Patch261: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
Patch262: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch
Patch263: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
Patch264: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
Patch265: CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
Patch266: CVE-2015-4037-qemut-smb-config-dir-name.patch
Patch267: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
Patch268: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
Patch269: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
Patch270: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
Patch271: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
Patch272: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
Patch273: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch
Patch274: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch275: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
# qemu-traditional patches that are not upstream
Patch350: blktap.patch
Patch351: cdrom-removable.patch
Patch353: xen-qemu-iscsi-fix.patch
@ -304,9 +265,17 @@ Patch380: pvdrv_emulation_control.patch
Patch381: ioemu-disable-scsi.patch
Patch382: ioemu-disable-emulated-ide-if-pv.patch
Patch383: xenpaging.qemu.flush-cache.patch
Patch385: xen_pvonhvm.xen_emul_unplug.patch
Patch387: libxl.pvscsi.patch
Patch388: blktap2-no-uninit.patch
# Our platform specific patches
Patch400: xen-destdir.patch
Patch401: vif-bridge-no-iptables.patch
Patch402: vif-bridge-tap-fix.patch
Patch403: xl-conf-default-bridge.patch
# Needs to go upstream
Patch420: suspend_evtchn_lock.patch
Patch421: xenpaging.doc.patch
Patch422: xen-c99-fix.patch
Patch423: stubdom-have-iovec.patch
Patch424: hotplug-Linux-block-performance-fix.patch
# Other bug fixes or features
Patch451: xenconsole-no-multiple-connections.patch
Patch452: hibernate.patch
@ -314,20 +283,20 @@ Patch453: stdvga-cache.patch
Patch454: ipxe-enable-nics.patch
Patch455: pygrub-netware-xnloader.patch
Patch456: pygrub-boot-legacy-sles.patch
Patch460: set-mtu-from-bridge-for-tap-interface.patch
Patch466: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch
Patch467: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
Patch470: qemu-xen-upstream-qdisk-cache-unsafe.patch
Patch471: qemu-xen-enable-spice-support.patch
Patch472: tigervnc-long-press.patch
Patch473: xendomains-libvirtd-conflict.patch
Patch474: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
Patch475: xen.libxl.dmmd.patch
Patch457: set-mtu-from-bridge-for-tap-interface.patch
Patch458: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch
Patch459: xendomains-libvirtd-conflict.patch
Patch460: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
Patch461: libxl.pvscsi.patch
Patch462: xen.libxl.dmmd.patch
Patch463: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
Patch464: blktap2-no-uninit.patch
# Hypervisor and PV driver Patches
Patch501: x86-ioapic-ack-default.patch
Patch502: x86-cpufreq-report.patch
Patch520: supported_module.patch
Patch521: magic_ioport_compat.patch
Patch520: xen_pvonhvm.xen_emul_unplug.patch
Patch521: supported_module.patch
Patch522: magic_ioport_compat.patch
Patch601: xen.build-compare.doc_html.patch
Patch602: xen.build-compare.seabios.patch
Patch603: xen.build-compare.man.patch
@ -418,10 +387,14 @@ Authors:
Summary: Xen Virtualization: Control tools for domain 0
Group: System/Kernel
Requires: bridge-utils
%if %suse_version >= 1315
%ifarch x86_64
%if %suse_version >= 1315
Requires: grub2-x86_64-xen
%endif
Requires: qemu-x86
%endif
%ifarch %arm aarch64
Requires: qemu-arm
%endif
Requires: multipath-tools
Requires: python
@ -536,18 +509,16 @@ Authors:
%endif
%prep
%setup -q -n %xen_build_dir -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 57
%setup -q -n %xen_build_dir -a 1 -a 2 -a 4 -a 5 -a 6 -a 57
# Upstream patches
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch15401 -p1
%patch15402 -p1
%patch154 -p1
%patch15501 -p1
%patch15502 -p1
%patch15503 -p1
%patch162 -p1
%patch164 -p1
%patch170 -p1
# Upstream qemu patches
@ -578,41 +549,6 @@ Authors:
%patch274 -p1
%patch275 -p1
%patch276 -p1
%patch277 -p1
%patch278 -p1
%patch279 -p1
%patch280 -p1
%patch281 -p1
%patch282 -p1
%patch283 -p1
%patch284 -p1
%patch285 -p1
%patch286 -p1
%patch287 -p1
%patch288 -p1
%patch289 -p1
%patch290 -p1
%patch291 -p1
%patch292 -p1
%patch293 -p1
%patch294 -p1
%patch295 -p1
%patch296 -p1
%patch297 -p1
%patch298 -p1
%patch299 -p1
%patch300 -p1
# Our platform specific patches
%patch321 -p1
%patch322 -p1
%patch323 -p1
%patch324 -p1
# Needs to go upstream
%patch330 -p1
%patch331 -p1
%patch332 -p1
%patch333 -p1
%patch334 -p1
# Qemu traditional
%patch350 -p1
%patch351 -p1
@ -639,9 +575,17 @@ Authors:
%patch381 -p1
%patch382 -p1
%patch383 -p1
%patch385 -p1
%patch387 -p1
%patch388 -p1
# Our platform specific patches
%patch400 -p1
%patch401 -p1
%patch402 -p1
%patch403 -p1
# Needs to go upstream
%patch420 -p1
%patch421 -p1
%patch422 -p1
%patch423 -p1
%patch424 -p1
# Other bug fixes or features
%patch451 -p1
%patch452 -p1
@ -649,20 +593,20 @@ Authors:
%patch454 -p1
%patch455 -p1
%patch456 -p1
%patch457 -p1
%patch458 -p1
%patch459 -p1
%patch460 -p1
%patch466 -p1
%patch467 -p1
%patch470 -p1
%patch471 -p1
%patch472 -p1
%patch473 -p1
%patch474 -p1
%patch475 -p1
%patch461 -p1
%patch462 -p1
%patch463 -p1
%patch464 -p1
# Hypervisor and PV driver Patches
%patch501 -p1
%patch502 -p1
%patch520 -p1
%patch521 -p1
%patch522 -p1
%patch601 -p1
%patch602 -p1
%patch603 -p1
@ -704,7 +648,6 @@ export FTP=$(type -P false)
export GIT=$(type -P false)
export EXTRA_CFLAGS_XEN_TOOLS="$RPM_OPT_FLAGS"
export EXTRA_CFLAGS_QEMU_TRADITIONAL="$RPM_OPT_FLAGS"
export EXTRA_CFLAGS_QEMU_XEN="$RPM_OPT_FLAGS"
export SMBIOS_DATE="$SMBIOS_DATE"
export RELDATE="$RELDATE"
export SEABIOS_DATE="$SEABIOS_DATE"
@ -729,11 +672,6 @@ if diff -u xen/Makefile~ xen/Makefile
then
: no changes?
fi
%ifarch x86_64
%if 0%{?suse_version} > 1230
export QEMU_XEN_ENABLE_SPICE="--enable-spice --enable-usb-redir"
%endif
%endif
configure_flags=
%if %{?with_stubdom}0
configure_flags=--enable-stubdom
@ -771,6 +709,7 @@ configure_flags="${configure_flags} --disable-qemu-traditional"
%else
--disable-systemd \
%endif
--with-system-qemu=%{_bindir}/qemu-system-%{_arch} \
${configure_flags}
make -C tools/include/xen-foreign %{?_smp_mflags}
make %{?_smp_mflags}
@ -865,6 +804,20 @@ for flavor in %flavors_to_build; do
done
%endif
# On x86_64, qemu-xen was installed as /usr/lib/xen/bin/qemu-system-i386
# and advertised as the <emulator> in libvirt capabilities. Tool such as
# virt-install include <emulator> in domXML they produce, so we need to
# preserve the path. For x86_64, create a simple wrapper that invokes
# /usr/bin/qemu-system-x86_64
%ifarch x86_64
cat > $RPM_BUILD_ROOT/usr/lib/xen/bin/qemu-system-i386 << 'EOF'
#!/bin/sh
exec %{_bindir}/qemu-system-x86_64 "$@"
EOF
chmod 0755 $RPM_BUILD_ROOT/usr/lib/xen/bin/qemu-system-i386
%endif
# Stubdom
%if %{?with_dom0_support}0
# Docs
@ -993,7 +946,6 @@ rm -rf $RPM_BUILD_ROOT%{_unitdir}
rm -rf $RPM_BUILD_ROOT%{with_systemd_modules_load}
rm -rf $RPM_BUILD_ROOT/usr/sbin
rm -rf $RPM_BUILD_ROOT/etc/xen
rm -rf $RPM_BUILD_ROOT/%{_datadir}/qemu-xen
rm -rf $RPM_BUILD_ROOT/var
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/bash_completion.d/xl.sh
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/xen*
@ -1129,7 +1081,6 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
%endif
%dir /etc/modprobe.d
/etc/bash_completion.d/xl.sh
%{_datadir}/qemu-xen
%if %{?with_qemu_traditional}0
%dir %{_datadir}/xen
%dir %{_datadir}/xen/qemu
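Review bot: `--with-system-qemu=%{_bindir}/qemu-system-%{_arch}` derives the emulator file name from the RPM architecture, which matches the binary names on x86_64 and aarch64 but presumably not on 32-bit ARM, where `%{_arch}` expands to an armv7hl-style name while the qemu-arm package that the new `%ifarch %arm aarch64` Requires block pulls in ships `qemu-system-arm`; libxl would then be configured with an emulator path that does not exist on that arch. Choosing the binary name per architecture before the configure invocation keeps the Requires and the configured path in agreement, as sketched below. The x86_64 wrapper written under `/usr/lib/xen/bin` is unaffected since it hard-codes `qemu-system-x86_64`.
```rpm-spec
%ifarch %arm
qemu_system=qemu-system-arm
%else
qemu_system=qemu-system-%{_arch}
%endif
# … unchanged: configure_flags handling …
	--with-system-qemu=%{_bindir}/${qemu_system} \
	${configure_flags}
```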


@ -1,31 +0,0 @@
Subject: x86: fix unintended fallthrough case from XSA-154
From: Andrew Cooper andrew.cooper3@citrix.com Thu Feb 18 15:10:07 2016 +0100
Date: Thu Feb 18 15:10:07 2016 +0100:
Git: 8dd6d1c099865ee5f5916616a0ca79cd943c46f9
... and annotate the other deliberate one: Coverity objects otherwise.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
One of the two instances was actually a bug.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Index: xen-4.6.1-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.6.1-testing.orig/xen/arch/x86/mm.c
+++ xen-4.6.1-testing/xen/arch/x86/mm.c
@@ -853,9 +853,11 @@ get_page_from_l1e(
case 0:
break;
case 1:
- if ( is_hardware_domain(l1e_owner) )
+ if ( !is_hardware_domain(l1e_owner) )
+ break;
+ /* fallthrough */
case -1:
- return 0;
+ return 0;
default:
ASSERT_UNREACHABLE();
}


@ -236,7 +236,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c
/* Only needed the reference to confirm dom_io ownership. */
if ( mfn_valid(mfn) )
@@ -836,24 +845,55 @@ get_page_from_l1e(
@@ -836,24 +845,57 @@ get_page_from_l1e(
return -EINVAL;
}
@ -251,9 +251,11 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c
+ case 0:
+ break;
+ case 1:
+ if ( is_hardware_domain(l1e_owner) )
+ if ( !is_hardware_domain(l1e_owner) )
+ break;
+ /* fallthrough */
+ case -1:
+ return 0;
+ return 0;
+ default:
+ ASSERT_UNREACHABLE();
+ }
@ -308,7 +310,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c
}
if ( unlikely( (real_pg_owner != pg_owner) &&
@@ -1243,8 +1283,9 @@ static int alloc_l1_table(struct page_in
@@ -1243,8 +1285,9 @@ static int alloc_l1_table(struct page_in
goto fail;
case 0:
break;
@ -320,7 +322,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c
break;
}
@@ -1759,8 +1800,9 @@ static int mod_l1_entry(l1_pgentry_t *pl
@@ -1759,8 +1802,9 @@ static int mod_l1_entry(l1_pgentry_t *pl
return -EINVAL;
}
@ -332,7 +334,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c
{
adjust_guest_l1e(nl1e, pt_dom);
if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
@@ -1783,8 +1825,9 @@ static int mod_l1_entry(l1_pgentry_t *pl
@@ -1783,8 +1827,9 @@ static int mod_l1_entry(l1_pgentry_t *pl
return rc;
case 0:
break;
@ -344,7 +346,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c
rc = 0;
break;
}
@@ -5000,6 +5043,7 @@ static int ptwr_emulated_update(
@@ -5000,6 +5045,7 @@ static int ptwr_emulated_update(
l1_pgentry_t pte, ol1e, nl1e, *pl1e;
struct vcpu *v = current;
struct domain *d = v->domain;
@ -352,7 +354,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c
/* Only allow naturally-aligned stores within the original %cr2 page. */
if ( unlikely(((addr^ptwr_ctxt->cr2) & PAGE_MASK) || (addr & (bytes-1))) )
@@ -5047,7 +5091,7 @@ static int ptwr_emulated_update(
@@ -5047,7 +5093,7 @@ static int ptwr_emulated_update(
/* Check the new PTE. */
nl1e = l1e_from_intpte(val);
@ -361,7 +363,7 @@ Index: xen-4.6.1-testing/xen/arch/x86/mm.c
{
default:
if ( is_pv_32bit_domain(d) && (bytes == 4) && (unaligned_addr & 4) &&
@@ -5071,8 +5115,9 @@ static int ptwr_emulated_update(
@@ -5071,8 +5117,9 @@ static int ptwr_emulated_update(
break;
case 0:
break;
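Review bot: Folding the fallthrough fix into xsa154.patch drops the provenance that the deleted xsa154-fix.patch carried (upstream commit 8dd6d1c099865ee5f5916616a0ca79cd943c46f9, its author and the two Signed-off-by lines) unless the description at the top of xsa154.patch, which lies before the first hunk shown here, was updated to mention it. A line such as `Includes upstream 8dd6d1c099865ee5f5916616a0ca79cd943c46f9 (x86: fix unintended fallthrough case from XSA-154)` in that header would keep the merged change traceable when the patch is next refreshed. The hunk-count update to `+845,57` and the +2 shifts on the later hunk headers are consistent with the two inserted lines.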


@ -1,37 +0,0 @@
net: pcnet: add check to validate receive data size(CVE-2015-7504)
In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.
---
hw/net/pcnet.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/pcnet.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/pcnet.c
@@ -1106,7 +1106,7 @@ ssize_t pcnet_receive(NetClientState *nc
uint32_t fcs = ~0;
uint8_t *p = src;
- while (p != &src[size-4])
+ while (p != &src[size])
CRC(fcs, *p++);
crc_err = (*(uint32_t *)p != htonl(fcs));
}
@@ -1255,8 +1255,10 @@ static void pcnet_transmit(PCNetState *s
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
/* if multi-tmd packet outsizes s->buffer then skip it silently.
- Note: this is not what real hw does */
- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+ * Note: this is not what real hw does.
+ * Last four bytes of s->buffer are used to store CRC FCS code.
+ */
+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
s->xmit_pos = -1;
goto txdone;
}