pool/xen
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- bsc#978413 - PV guest upgrade from sles11sp4 to sles12sp2 alpha3

Browse Source 
failed on sles11sp4 xen host.
  pygrub-handle-one-line-menu-entries.patch

- bsc#990843 - VUL-1: CVE-2016-6351: xen: qemu: scsi: esp: OOB
  write access in esp_do_dma
  CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=444
This commit is contained in:
Charles Arnold 2016-07-29 21:59:43 +00:00 committed by Git OBS Bridge
parent 5859155d6b
commit c8a1704907
4 changed files with 158 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch Normal file
View File

@ -0,0 +1,73 @@
References: bsc#990843 CVE-2016-6351
Subject: scsi: esp: make cmdbuf big enough for maximum CDB size
From: Prasad J Pandit pjp@fedoraproject.org Thu Jun 16 00:22:35 2016 +0200
Date: Thu Jun 16 18:39:05 2016 +0200:
Git: 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11
While doing DMA read into ESP command buffer 's->cmdbuf', it could
write past the 's->cmdbuf' area, if it was transferring more than 16
bytes. Increase the command buffer size to 32, which is maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
@@ -26,6 +26,8 @@
#include "scsi-disk.h"
#include "scsi.h"
+#include <assert.h>
+
/* debug ESP card */
//#define DEBUG_ESP
@@ -49,6 +51,7 @@ do { printf("ESP ERROR: %s: " fmt, __fun
#define ESP_REGS 16
#define TI_BUFSZ 16
+#define ESP_CMDBUF_SZ 32
typedef struct ESPState ESPState;
@@ -64,7 +67,7 @@ struct ESPState {
uint32_t dma;
SCSIDevice *scsi_dev[ESP_MAX_DEVS];
SCSIDevice *current_dev;
- uint8_t cmdbuf[TI_BUFSZ];
+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
uint32_t cmdlen;
uint32_t do_cmd;
@@ -294,6 +297,8 @@ static void esp_do_dma(ESPState *s)
len = s->dma_left;
if (s->do_cmd) {
DPRINTF("command len %d + %d\n", s->cmdlen, len);
+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
+ len <= sizeof(s->cmdbuf) - s->cmdlen);
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
s->ti_size = 0;
s->cmdlen = 0;
@@ -382,7 +387,7 @@ static void handle_ti(ESPState *s)
s->dma_counter = dmalen;
if (s->do_cmd)
- minlen = (dmalen < 32) ? dmalen : 32;
+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
else if (s->ti_size < 0)
minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
else
@@ -476,7 +481,7 @@ static void esp_mem_writeb(void *opaque,
break;
case ESP_FIFO:
if (s->do_cmd) {
- if (s->cmdlen < TI_BUFSZ) {
+ if (s->cmdlen < ESP_CMDBUF_SZ) {
s->cmdbuf[s->cmdlen++] = val & 0xff;
} else {
ESP_ERROR("fifo overrun\n");

59
pygrub-handle-one-line-menu-entries.patch Normal file
View File

@ -0,0 +1,59 @@
References: bsc#978413
The parsing code can't handle a single line menu entry.
For example: menuentry 'halt' { halt }
Force it to fall through where it will handle the closing brace.
Also change warning to debug to cut down on verbose output.
Index: xen-4.7.0-testing/tools/pygrub/src/GrubConf.py
===================================================================
--- xen-4.7.0-testing.orig/tools/pygrub/src/GrubConf.py
+++ xen-4.7.0-testing/tools/pygrub/src/GrubConf.py
@@ -147,7 +147,7 @@ class GrubImage(_GrubImage):
else:
logging.info("Ignored image directive %s" %(com,))
else:
- logging.warning("Unknown image directive %s" %(com,))
+ logging.debug("Unknown image directive %s" %(com,))
# now put the line in the list of lines
if replace is None:
@@ -302,7 +302,7 @@ class GrubConfigFile(_GrubConfigFile):
else:
logging.info("Ignored directive %s" %(com,))
else:
- logging.warning("Unknown directive %s" %(com,))
+ logging.debug("Unknown directive %s" %(com,))
if img:
self.add_image(GrubImage(title, img))
@@ -336,7 +336,7 @@ class Grub2Image(_GrubImage):
elif com.startswith('set:'):
pass
else:
- logging.warning("Unknown image directive %s" %(com,))
+ logging.debug("Unknown image directive %s" %(com,))
# now put the line in the list of lines
if replace is None:
@@ -401,7 +401,10 @@ class Grub2ConfigFile(_GrubConfigFile):
raise RuntimeError, "syntax error: cannot nest menuentry (%d %s)" % (len(img),img)
img = []
title = title_match.group(1)
- continue
+ if not l.endswith('}'):
+ continue
+ # One line menuentry, Ex. menuentry 'halt' { halt }
+ l = '}'
if l.startswith("submenu"):
menu_level += 1
@@ -440,7 +443,7 @@ class Grub2ConfigFile(_GrubConfigFile):
elif com.startswith('set:'):
pass
else:
- logging.warning("Unknown directive %s" %(com,))
+ logging.debug("Unknown directive %s" %(com,))
if img is not None:
raise RuntimeError, "syntax error: end of file with open menuentry(%d %s)" % (len(img),img)

14
xen.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Jul 28 05:23:12 MDT 2016 - carnold@suse.com
- bsc#978413 - PV guest upgrade from sles11sp4 to sles12sp2 alpha3
failed on sles11sp4 xen host.
pygrub-handle-one-line-menu-entries.patch
-------------------------------------------------------------------
Wed Jul 27 14:09:06 MDT 2016 - carnold@suse.com
- bsc#990843 - VUL-1: CVE-2016-6351: xen: qemu: scsi: esp: OOB
write access in esp_do_dma
CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
-------------------------------------------------------------------
Thu Jun 23 09:45:38 MDT 2016 - carnold@suse.com

20
xen.spec
View File

@ -165,7 +165,7 @@ BuildRequires: xorg-x11-util-devel
%endif
%endif
Version: 4.7.0_08
Version: 4.7.0_09
Release: 0
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
License: GPL-2.0
@ -238,6 +238,7 @@ Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-i
Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
Patch279: CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch
Patch280: CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch
Patch281: CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
# qemu-traditional patches that are not upstream
Patch350: blktap.patch
Patch351: cdrom-removable.patch
@ -280,13 +281,14 @@ Patch453: stdvga-cache.patch
Patch454: ipxe-enable-nics.patch
Patch455: pygrub-netware-xnloader.patch
Patch456: pygrub-boot-legacy-sles.patch
Patch457: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch
Patch458: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
Patch459: libxl.pvscsi.patch
Patch460: xen.libxl.dmmd.patch
Patch461: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
Patch462: blktap2-no-uninit.patch
Patch463: libxl.set-migration-constraints-from-cmdline.patch
Patch457: pygrub-handle-one-line-menu-entries.patch
Patch458: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch
Patch459: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
Patch460: libxl.pvscsi.patch
Patch461: xen.libxl.dmmd.patch
Patch462: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
Patch463: blktap2-no-uninit.patch
Patch464: libxl.set-migration-constraints-from-cmdline.patch
# Hypervisor and PV driver Patches
Patch501: x86-ioapic-ack-default.patch
Patch502: x86-cpufreq-report.patch
@ -559,6 +561,7 @@ Authors:
%patch278 -p1
%patch279 -p1
%patch280 -p1
%patch281 -p1
# Qemu traditional
%patch350 -p1
%patch351 -p1
@ -608,6 +611,7 @@ Authors:
%patch461 -p1
%patch462 -p1
%patch463 -p1
%patch464 -p1
# Hypervisor and PV driver Patches
%patch501 -p1
%patch502 -p1