pool/xen
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4f6abaa92b
xen/CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
Charles Arnold 31905d81fa - Update to Xen Version 4.6.1 
xen-4.6.1-testing-src.tar.bz2
- Dropped patches now contained in tarball or unnecessary
  xen-4.6.0-testing-src.tar.bz2
  5604f239-x86-PV-properly-populate-descriptor-tables.patch
  561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
  561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
  561d20a0-x86-hide-MWAITX-from-PV-domains.patch
  561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
  5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
  56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
  56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
  5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
  5632129c-free-domain-s-vcpu-array.patch
  563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
  563212e4-xenoprof-free-domain-s-vcpu-array.patch
  563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
  56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
  56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
  5641ceec-x86-HVM-always-intercept-AC-and-DB.patch
  56549f24-x86-vPMU-document-as-unsupported.patch
  5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch
  xen-4.6.0-testing-src.tar.bz2
  xsa155-qemut-qdisk-double-access.patch
  xsa155-qemut-xenfb.patch
  xsa155-qemuu-qdisk-double-access.patch
  xsa155-qemuu-xenfb.patch
  xsa159.patch
  xsa160.patch
  xsa162-qemut.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=399
2016-02-12 16:58:27 +00:00

116 lines
4.4 KiB
Diff
Raw Blame History

References: bsc#965269 CVE-2015-8619
Subject: hmp: fix sendkey out of bounds write (CVE-2015-8619)
From: Wolfgang Bumiller w.bumiller@proxmox.com Wed Jan 13 09:09:58 2016 +0100
Date: Wed Feb 3 10:13:06 2016 +0100:
Git: 64ffbe04eaafebf4045a3ace52a360c14959d196
When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.
Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.
Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hmp.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c
@@ -1478,21 +1478,18 @@ void hmp_send_key(Monitor *mon, const QD
int has_hold_time = qdict_haskey(qdict, "hold-time");
int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
Error *err = NULL;
- char keyname_buf[16];
char *separator;
int keyname_len;
while (1) {
separator = strchr(keys, '-');
keyname_len = separator ? separator - keys : strlen(keys);
- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
/* Be compatible with old interface, convert user inputted "<" */
- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
+ if (keys[0] == '<' && keyname_len == 1) {
+ keys = "less";
keyname_len = 4;
}
- keyname_buf[keyname_len] = 0;
keylist = g_malloc0(sizeof(*keylist));
keylist->value = g_malloc0(sizeof(*keylist->value));
@@ -1505,16 +1502,17 @@ void hmp_send_key(Monitor *mon, const QD
}
tmp = keylist;
- if (strstart(keyname_buf, "0x", NULL)) {
+ if (strstart(keys, "0x", NULL)) {
char *endp;
- int value = strtoul(keyname_buf, &endp, 0);
- if (*endp != '\0') {
+ int value = strtoul(keys, &endp, 0);
+ assert(endp <= keys + keyname_len);
+ if (endp != keys + keyname_len) {
goto err_out;
}
keylist->value->kind = KEY_VALUE_KIND_NUMBER;
keylist->value->number = value;
} else {
- int idx = index_from_key(keyname_buf);
+ int idx = index_from_key(keys, keyname_len);
if (idx == Q_KEY_CODE_MAX) {
goto err_out;
}
@@ -1536,7 +1534,7 @@ out:
return;
err_out:
- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
goto out;
}
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/include/ui/console.h
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h
@@ -349,7 +349,7 @@ static inline int vnc_display_pw_expire(
void curses_display_init(DisplayState *ds, int full_screen);
/* input.c */
-int index_from_key(const char *key);
+int index_from_key(const char *key, size_t key_length);
/* gtk.c */
void early_gtk_display_init(void);
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/input-legacy.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c
@@ -60,12 +60,13 @@ static QTAILQ_HEAD(, QEMUPutLEDEntry) le
static QTAILQ_HEAD(, QEMUPutMouseEntry) mouse_handlers =
QTAILQ_HEAD_INITIALIZER(mouse_handlers);
-int index_from_key(const char *key)
+int index_from_key(const char *key, size_t key_length)
{
int i;
for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
- if (!strcmp(key, QKeyCode_lookup[i])) {
+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
+ !QKeyCode_lookup[i][key_length]) {
break;
}
}
Reference in New Issue View Git Blame Copy Permalink