From e2a042f0668e37b10bc8e1cfc20a159cfd446c48dfd5930b56dc016d13bbf011 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Sat, 24 May 2014 12:11:00 +0000 Subject: [PATCH] Accepting request 235280 from home:a_faerber:branches:Virtualization Fix CVE-2013-4148 (bnc#864812), CVE-2013-4149 (bnc#864649), CVE-2013-4150 (bnc#864650), CVE-2013-4151 (bnc#864653), CVE-2013-4526 (bnc#864671), CVE-2013-4527 (bnc#864673), CVE-2013-4529 (bnc#864678), CVE-2013-4530 (bnc#864682), CVE-2013-4531 (bnc#864796), CVE-2013-4533 (bnc#864655), CVE-2013-4534 (bnc#864811), CVE-2013-4535 / CVE-2013-4536 (bnc#864665), CVE-2013-4537 (bnc#864391), CVE-2013-4538 (bnc#864769), CVE-2013-4539 (bnc#864805), CVE-2013-4540 (bnc#864801), CVE-2013-4541 (bnc#864802), CVE-2013-4542 (bnc#864804), CVE-2013-6399 (bnc#864814), CVE-2014-0182 (bnc#874788) OBS-URL: https://build.opensuse.org/request/show/235280 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=211 --- 0046-vmstate-add-VMS_MUST_EXIST.patch | 61 +++++++++++ 0047-vmstate-add-VMSTATE_VALIDATE.patch | 37 +++++++ ...-virtio-net-fix-buffer-overflow-on-i.patch | 64 +++++++++++ ...-virtio-net-out-of-bounds-buffer-wri.patch | 60 +++++++++++ ...-virtio-out-of-bounds-buffer-write-o.patch | 57 ++++++++++ ...-ahci-fix-buffer-overrun-on-invalid-.patch | 41 +++++++ ...-hpet-fix-buffer-overrun-on-invalid-.patch | 56 ++++++++++ ...-hw-pci-pcie_aer.c-fix-buffer-overru.patch | 60 +++++++++++ ...-pl022-fix-buffer-overun-on-invalid-.patch | 55 ++++++++++ ...-vmstate-fix-buffer-overflow-in-targ.patch | 57 ++++++++++ ...-virtio-avoid-buffer-overrun-on-inco.patch | 45 ++++++++ ...-virtio-validate-num_sg-when-mapping.patch | 46 ++++++++ ...-pxa2xx-avoid-buffer-overrun-on-inco.patch | 56 ++++++++++ ...-ssd0323-fix-buffer-overun-on-invali.patch | 82 ++++++++++++++ ...-tsc210x-fix-buffer-overrun-on-inval.patch | 52 +++++++++ ...-zaurus-fix-buffer-overrun-on-invali.patch | 59 ++++++++++ ...-virtio-scsi-fix-buffer-overrun-on-i.patch | 69 ++++++++++++ ...-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch | 69 ++++++++++++ ...-usb-sanity-check-setup_index-setup_.patch | 43 ++++++++ ...-savevm-Ignore-minimum_version_id_ol.patch | 102 ++++++++++++++++++ ...-ssi-sd-fix-buffer-overrun-on-invali.patch | 46 ++++++++ ...-openpic-avoid-buffer-overrun-on-inc.patch | 77 +++++++++++++ ...-virtio-net-out-of-bounds-buffer-wri.patch | 60 +++++++++++ 0069-virtio-validate-config_len-on-load.patch | 57 ++++++++++ ...-virtio-allow-mapping-up-to-max-queu.patch | 36 +++++++ qemu-linux-user.spec | 50 +++++++++ qemu.changes | 46 ++++++++ qemu.spec | 50 +++++++++ 28 files changed, 1593 insertions(+) create mode 100644 0046-vmstate-add-VMS_MUST_EXIST.patch create mode 100644 0047-vmstate-add-VMSTATE_VALIDATE.patch create mode 100644 0048-virtio-net-fix-buffer-overflow-on-i.patch create mode 100644 0049-virtio-net-out-of-bounds-buffer-wri.patch create mode 100644 0050-virtio-out-of-bounds-buffer-write-o.patch create mode 100644 0051-ahci-fix-buffer-overrun-on-invalid-.patch create mode 100644 0052-hpet-fix-buffer-overrun-on-invalid-.patch create mode 100644 0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch create mode 100644 0054-pl022-fix-buffer-overun-on-invalid-.patch create mode 100644 0055-vmstate-fix-buffer-overflow-in-targ.patch create mode 100644 0056-virtio-avoid-buffer-overrun-on-inco.patch create mode 100644 0057-virtio-validate-num_sg-when-mapping.patch create mode 100644 0058-pxa2xx-avoid-buffer-overrun-on-inco.patch create mode 100644 0059-ssd0323-fix-buffer-overun-on-invali.patch create mode 100644 0060-tsc210x-fix-buffer-overrun-on-inval.patch create mode 100644 0061-zaurus-fix-buffer-overrun-on-invali.patch create mode 100644 0062-virtio-scsi-fix-buffer-overrun-on-i.patch create mode 100644 0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch create mode 100644 0064-usb-sanity-check-setup_index-setup_.patch create mode 100644 0065-savevm-Ignore-minimum_version_id_ol.patch create mode 100644 0066-ssi-sd-fix-buffer-overrun-on-invali.patch create mode 100644 0067-openpic-avoid-buffer-overrun-on-inc.patch create mode 100644 0068-virtio-net-out-of-bounds-buffer-wri.patch create mode 100644 0069-virtio-validate-config_len-on-load.patch create mode 100644 0070-virtio-allow-mapping-up-to-max-queu.patch diff --git a/0046-vmstate-add-VMS_MUST_EXIST.patch b/0046-vmstate-add-VMS_MUST_EXIST.patch new file mode 100644 index 00000000..c45ed4be --- /dev/null +++ b/0046-vmstate-add-VMS_MUST_EXIST.patch @@ -0,0 +1,61 @@ +From 52c324d64cd57ad37b25ebc5f4df31b33901d03b Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:50:31 +0300 +Subject: [PATCH] vmstate: add VMS_MUST_EXIST +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Can be used to verify a required field exists or validate +state in some other way. + +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Juan Quintela +(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1) +Signed-off-by: Andreas Färber +--- + include/migration/vmstate.h | 1 + + vmstate.c | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h +index e7e1705..de970ab 100644 +--- a/include/migration/vmstate.h ++++ b/include/migration/vmstate.h +@@ -100,6 +100,7 @@ enum VMStateFlags { + VMS_MULTIPLY = 0x200, /* multiply "size" field by field_size */ + VMS_VARRAY_UINT8 = 0x400, /* Array with size in uint8_t field*/ + VMS_VARRAY_UINT32 = 0x800, /* Array with size in uint32_t field*/ ++ VMS_MUST_EXIST = 0x1000, /* Field must exist in input */ + }; + + typedef struct { +diff --git a/vmstate.c b/vmstate.c +index b689f2f..d856319 100644 +--- a/vmstate.c ++++ b/vmstate.c +@@ -78,6 +78,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd, + return ret; + } + } ++ } else if (field->flags & VMS_MUST_EXIST) { ++ fprintf(stderr, "Input validation failed: %s/%s\n", ++ vmsd->name, field->name); ++ return -1; + } + field++; + } +@@ -138,6 +142,12 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd, + field->info->put(f, addr, size); + } + } ++ } else { ++ if (field->flags & VMS_MUST_EXIST) { ++ fprintf(stderr, "Output state validation failed: %s/%s\n", ++ vmsd->name, field->name); ++ assert(!(field->flags & VMS_MUST_EXIST)); ++ } + } + field++; + } diff --git a/0047-vmstate-add-VMSTATE_VALIDATE.patch b/0047-vmstate-add-VMSTATE_VALIDATE.patch new file mode 100644 index 00000000..ce3a83ac --- /dev/null +++ b/0047-vmstate-add-VMSTATE_VALIDATE.patch @@ -0,0 +1,37 @@ +From e258560116c8413cd5c52af69ab73dc82142dae9 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:50:35 +0300 +Subject: [PATCH] vmstate: add VMSTATE_VALIDATE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e) +Signed-off-by: Andreas Färber +--- + include/migration/vmstate.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h +index de970ab..5b71370 100644 +--- a/include/migration/vmstate.h ++++ b/include/migration/vmstate.h +@@ -204,6 +204,14 @@ extern const VMStateInfo vmstate_info_bitmap; + .offset = vmstate_offset_value(_state, _field, _type), \ + } + ++/* Validate state using a boolean predicate. */ ++#define VMSTATE_VALIDATE(_name, _test) { \ ++ .name = (_name), \ ++ .field_exists = (_test), \ ++ .flags = VMS_ARRAY | VMS_MUST_EXIST, \ ++ .num = 0, /* 0 elements: no data, only run _test */ \ ++} ++ + #define VMSTATE_POINTER(_field, _state, _version, _info, _type) { \ + .name = (stringify(_field)), \ + .version_id = (_version), \ diff --git a/0048-virtio-net-fix-buffer-overflow-on-i.patch b/0048-virtio-net-fix-buffer-overflow-on-i.patch new file mode 100644 index 00000000..a4a288a4 --- /dev/null +++ b/0048-virtio-net-fix-buffer-overflow-on-i.patch @@ -0,0 +1,64 @@ +From e3f320a759052a77b4da97618a94f8adcb0a6490 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:50:39 +0300 +Subject: [PATCH] virtio-net: fix buffer overflow on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4148 QEMU 1.0 integer conversion in +virtio_net_load()@hw/net/virtio-net.c + +Deals with loading a corrupted savevm image. + +> n->mac_table.in_use = qemu_get_be32(f); + +in_use is int so it can get negative when assigned 32bit unsigned value. + +> /* MAC_TABLE_ENTRIES may be different from the saved image */ +> if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { + +passing this check ^^^ + +> qemu_get_buffer(f, n->mac_table.macs, +> n->mac_table.in_use * ETH_ALEN); + +with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get +positive and bigger than mac_table.macs. For example 0x81000000 +satisfies this condition when ETH_ALEN is 6. + +Fix it by making the value unsigned. +For consistency, change first_multi as well. + +Note: all call sites were audited to confirm that +making them unsigned didn't cause any issues: +it turns out we actually never do math on them, +so it's easy to validate because both values are +always <= MAC_TABLE_ENTRIES. + +Reviewed-by: Michael Roth +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Laszlo Ersek +Signed-off-by: Juan Quintela +(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980) +[AF: BNC#864812] +Signed-off-by: Andreas Färber +--- + include/hw/virtio/virtio-net.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h +index df60f16..4b32440 100644 +--- a/include/hw/virtio/virtio-net.h ++++ b/include/hw/virtio/virtio-net.h +@@ -176,8 +176,8 @@ typedef struct VirtIONet { + uint8_t nobcast; + uint8_t vhost_started; + struct { +- int in_use; +- int first_multi; ++ uint32_t in_use; ++ uint32_t first_multi; + uint8_t multi_overflow; + uint8_t uni_overflow; + uint8_t *macs; diff --git a/0049-virtio-net-out-of-bounds-buffer-wri.patch b/0049-virtio-net-out-of-bounds-buffer-wri.patch new file mode 100644 index 00000000..22c49a6f --- /dev/null +++ b/0049-virtio-net-out-of-bounds-buffer-wri.patch @@ -0,0 +1,60 @@ +From 0c0a6b53c543e4095da9243eb5299e03d2c88c06 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:50:56 +0300 +Subject: [PATCH] virtio-net: out-of-bounds buffer write on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in +virtio_net_load()@hw/net/virtio-net.c + +This code is in hw/net/virtio-net.c: + + if (n->max_queues > 1) { + if (n->max_queues != qemu_get_be16(f)) { + error_report("virtio-net: different max_queues "); + return -1; + } + + n->curr_queues = qemu_get_be16(f); + for (i = 1; i < n->curr_queues; i++) { + n->vqs[i].tx_waiting = qemu_get_be32(f); + } + } + +Number of vqs is max_queues, so if we get invalid input here, +for example if max_queues = 2, curr_queues = 3, we get +write beyond end of the buffer, with data that comes from +wire. + +This might be used to corrupt qemu memory in hard to predict ways. +Since we have lots of function pointers around, RCE might be possible. + +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Reviewed-by: Michael Roth +Signed-off-by: Juan Quintela +(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578) +[AF: BNC#864650] +Signed-off-by: Andreas Färber +--- + hw/net/virtio-net.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 33bd233..0a8cb40 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1407,6 +1407,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id) + } + + n->curr_queues = qemu_get_be16(f); ++ if (n->curr_queues > n->max_queues) { ++ error_report("virtio-net: curr_queues %x > max_queues %x", ++ n->curr_queues, n->max_queues); ++ return -1; ++ } + for (i = 1; i < n->curr_queues; i++) { + n->vqs[i].tx_waiting = qemu_get_be32(f); + } diff --git a/0050-virtio-out-of-bounds-buffer-write-o.patch b/0050-virtio-out-of-bounds-buffer-write-o.patch new file mode 100644 index 00000000..84459435 --- /dev/null +++ b/0050-virtio-out-of-bounds-buffer-write-o.patch @@ -0,0 +1,57 @@ +From a76b7609802937bfc6f35a75cf0809c8f7197f76 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:51:14 +0300 +Subject: [PATCH] virtio: out-of-bounds buffer write on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in +virtio_load@hw/virtio/virtio.c + +So we have this code since way back when: + + num = qemu_get_be32(f); + + for (i = 0; i < num; i++) { + vdev->vq[i].vring.num = qemu_get_be32(f); + +array of vqs has size VIRTIO_PCI_QUEUE_MAX, so +on invalid input this will write beyond end of buffer. + +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Michael Roth +Signed-off-by: Juan Quintela +(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c) +[AF: BNC#864653] +Signed-off-by: Andreas Färber +--- + hw/virtio/virtio.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index aeabf3a..05f05e7 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -891,7 +891,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val) + + int virtio_load(VirtIODevice *vdev, QEMUFile *f) + { +- int num, i, ret; ++ int i, ret; ++ uint32_t num; + uint32_t features; + uint32_t supported_features; + BusState *qbus = qdev_get_parent_bus(DEVICE(vdev)); +@@ -919,6 +920,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) + + num = qemu_get_be32(f); + ++ if (num > VIRTIO_PCI_QUEUE_MAX) { ++ error_report("Invalid number of PCI queues: 0x%x", num); ++ return -1; ++ } ++ + for (i = 0; i < num; i++) { + vdev->vq[i].vring.num = qemu_get_be32(f); + if (k->has_variable_vring_alignment) { diff --git a/0051-ahci-fix-buffer-overrun-on-invalid-.patch b/0051-ahci-fix-buffer-overrun-on-invalid-.patch new file mode 100644 index 00000000..749e38bd --- /dev/null +++ b/0051-ahci-fix-buffer-overrun-on-invalid-.patch @@ -0,0 +1,41 @@ +From b591a65b23630ee3707647d61fc69b3f0ff16665 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:51:18 +0300 +Subject: [PATCH] ahci: fix buffer overrun on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4526 + +Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So +we use the old version of ports to read the array but then allow any +value for ports. This can cause the code to overflow. + +There's no reason to migrate ports - it never changes. +So just make sure it matches. + +Reported-by: Anthony Liguori +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Peter Maydell +Signed-off-by: Juan Quintela +(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5) +[AF: BNC#864671] +Signed-off-by: Andreas Färber +--- + hw/ide/ahci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index bfe633f..457a7a1 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = { + VMSTATE_UINT32(control_regs.impl, AHCIState), + VMSTATE_UINT32(control_regs.version, AHCIState), + VMSTATE_UINT32(idp_index, AHCIState), +- VMSTATE_INT32(ports, AHCIState), ++ VMSTATE_INT32_EQUAL(ports, AHCIState), + VMSTATE_END_OF_LIST() + }, + }; diff --git a/0052-hpet-fix-buffer-overrun-on-invalid-.patch b/0052-hpet-fix-buffer-overrun-on-invalid-.patch new file mode 100644 index 00000000..cd27ee29 --- /dev/null +++ b/0052-hpet-fix-buffer-overrun-on-invalid-.patch @@ -0,0 +1,56 @@ +From 085771b0f84bc9e3a9d868ff67c229e83b8431a2 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:51:23 +0300 +Subject: [PATCH] hpet: fix buffer overrun on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4527 hw/timer/hpet.c buffer overrun + +hpet is a VARRAY with a uint8 size but static array of 32 + +To fix, make sure num_timers is valid using VMSTATE_VALID hook. + +Reported-by: Anthony Liguori +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Juan Quintela +(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584) +[AF: BNC#864673] +Signed-off-by: Andreas Färber +--- + hw/timer/hpet.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c +index e15d6bc..2792f89 100644 +--- a/hw/timer/hpet.c ++++ b/hw/timer/hpet.c +@@ -239,6 +239,18 @@ static int hpet_pre_load(void *opaque) + return 0; + } + ++static bool hpet_validate_num_timers(void *opaque, int version_id) ++{ ++ HPETState *s = opaque; ++ ++ if (s->num_timers < HPET_MIN_TIMERS) { ++ return false; ++ } else if (s->num_timers > HPET_MAX_TIMERS) { ++ return false; ++ } ++ return true; ++} ++ + static int hpet_post_load(void *opaque, int version_id) + { + HPETState *s = opaque; +@@ -307,6 +319,7 @@ static const VMStateDescription vmstate_hpet = { + VMSTATE_UINT64(isr, HPETState), + VMSTATE_UINT64(hpet_counter, HPETState), + VMSTATE_UINT8_V(num_timers, HPETState, 2), ++ VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers), + VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0, + vmstate_hpet_timer, HPETTimer), + VMSTATE_END_OF_LIST() diff --git a/0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch b/0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch new file mode 100644 index 00000000..9cd36d20 --- /dev/null +++ b/0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch @@ -0,0 +1,60 @@ +From 3f2e8a7a3af50578270a058e658ce70680891bd8 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:51:31 +0300 +Subject: [PATCH] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +4) CVE-2013-4529 +hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is + too large + +There are two issues in this file: +1. log_max from remote can be larger than on local +then buffer will overrun with data coming from state file. +2. log_num can be larger then we get data corruption +again with an overflow but not adversary controlled. + +Fix both issues. + +Reported-by: Anthony Liguori +Reported-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Juan Quintela +(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1) +[AF: BNC#864678] +Signed-off-by: Andreas Färber +--- + hw/pci/pcie_aer.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c +index 991502e..535be2c 100644 +--- a/hw/pci/pcie_aer.c ++++ b/hw/pci/pcie_aer.c +@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = { + } + }; + ++static bool pcie_aer_state_log_num_valid(void *opaque, int version_id) ++{ ++ PCIEAERLog *s = opaque; ++ ++ return s->log_num <= s->log_max; ++} ++ + const VMStateDescription vmstate_pcie_aer_log = { + .name = "PCIE_AER_ERROR_LOG", + .version_id = 1, +@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = { + .minimum_version_id_old = 1, + .fields = (VMStateField[]) { + VMSTATE_UINT16(log_num, PCIEAERLog), +- VMSTATE_UINT16(log_max, PCIEAERLog), ++ VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog), ++ VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid), + VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num, + vmstate_pcie_aer_err, PCIEAERErr), + VMSTATE_END_OF_LIST() diff --git a/0054-pl022-fix-buffer-overun-on-invalid-.patch b/0054-pl022-fix-buffer-overun-on-invalid-.patch new file mode 100644 index 00000000..19fd528b --- /dev/null +++ b/0054-pl022-fix-buffer-overun-on-invalid-.patch @@ -0,0 +1,55 @@ +From d4e6359ea7c11e7ae6b8ff3c03394db96a2a6932 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:51:35 +0300 +Subject: [PATCH] pl022: fix buffer overun on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4530 + +pl022.c did not bounds check tx_fifo_head and +rx_fifo_head after loading them from file and +before they are used to dereference array. + +Reported-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit d8d0a0bc7e194300e53a346d25fe5724fd588387) +[AF: BNC#864682] +Signed-off-by: Andreas Färber +--- + hw/ssi/pl022.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/hw/ssi/pl022.c b/hw/ssi/pl022.c +index fd479ef..b19bc71 100644 +--- a/hw/ssi/pl022.c ++++ b/hw/ssi/pl022.c +@@ -240,11 +240,25 @@ static const MemoryRegionOps pl022_ops = { + .endianness = DEVICE_NATIVE_ENDIAN, + }; + ++static int pl022_post_load(void *opaque, int version_id) ++{ ++ PL022State *s = opaque; ++ ++ if (s->tx_fifo_head < 0 || ++ s->tx_fifo_head >= ARRAY_SIZE(s->tx_fifo) || ++ s->rx_fifo_head < 0 || ++ s->rx_fifo_head >= ARRAY_SIZE(s->rx_fifo)) { ++ return -1; ++ } ++ return 0; ++} ++ + static const VMStateDescription vmstate_pl022 = { + .name = "pl022_ssp", + .version_id = 1, + .minimum_version_id = 1, + .minimum_version_id_old = 1, ++ .post_load = pl022_post_load, + .fields = (VMStateField[]) { + VMSTATE_UINT32(cr0, PL022State), + VMSTATE_UINT32(cr1, PL022State), diff --git a/0055-vmstate-fix-buffer-overflow-in-targ.patch b/0055-vmstate-fix-buffer-overflow-in-targ.patch new file mode 100644 index 00000000..8ffc9b5f --- /dev/null +++ b/0055-vmstate-fix-buffer-overflow-in-targ.patch @@ -0,0 +1,57 @@ +From 5c94e6582aaf791f603afbf4b1d8d86652d87f93 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:51:42 +0300 +Subject: [PATCH] vmstate: fix buffer overflow in target-arm/machine.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4531 + +cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for +cpreg_vmstate_array_len will cause a buffer overflow. + +VMSTATE_INT32_LE was supposed to protect against this +but doesn't because it doesn't validate that input is +non-negative. + +Fix this macro to valide the value appropriately. + +The only other user of VMSTATE_INT32_LE doesn't +ever use negative numbers so it doesn't care. + +Reported-by: Anthony Liguori +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62) +[AF: BNC#864796] +Signed-off-by: Andreas Färber +--- + vmstate.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/vmstate.c b/vmstate.c +index d856319..105f184 100644 +--- a/vmstate.c ++++ b/vmstate.c +@@ -333,8 +333,9 @@ const VMStateInfo vmstate_info_int32_equal = { + .put = put_int32, + }; + +-/* 32 bit int. Check that the received value is less than or equal to +- the one in the field */ ++/* 32 bit int. Check that the received value is non-negative ++ * and less than or equal to the one in the field. ++ */ + + static int get_int32_le(QEMUFile *f, void *pv, size_t size) + { +@@ -342,7 +343,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size) + int32_t loaded; + qemu_get_sbe32s(f, &loaded); + +- if (loaded <= *cur) { ++ if (loaded >= 0 && loaded <= *cur) { + *cur = loaded; + return 0; + } diff --git a/0056-virtio-avoid-buffer-overrun-on-inco.patch b/0056-virtio-avoid-buffer-overrun-on-inco.patch new file mode 100644 index 00000000..bc2858fb --- /dev/null +++ b/0056-virtio-avoid-buffer-overrun-on-inco.patch @@ -0,0 +1,45 @@ +From 49af37a1dfdb6e7a54ae4ab9fd1c7816763bf6c1 Mon Sep 17 00:00:00 2001 +From: Michael Roth +Date: Thu, 3 Apr 2014 19:51:46 +0300 +Subject: [PATCH] virtio: avoid buffer overrun on incoming migration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-6399 + +vdev->queue_sel is read from the wire, and later used in the +emulation code as an index into vdev->vq[]. If the value of +vdev->queue_sel exceeds the length of vdev->vq[], currently +allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO +operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun +the buffer with arbitrary data originating from the source. + +Fix this by failing migration if the value from the wire exceeds +VIRTIO_PCI_QUEUE_MAX. + +Signed-off-by: Michael Roth +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Peter Maydell +Signed-off-by: Juan Quintela +(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1) +[AF: BNC#864814] +Signed-off-by: Andreas Färber +--- + hw/virtio/virtio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 05f05e7..0072542 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) + qemu_get_8s(f, &vdev->status); + qemu_get_8s(f, &vdev->isr); + qemu_get_be16s(f, &vdev->queue_sel); ++ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) { ++ return -1; ++ } + qemu_get_be32s(f, &features); + + if (virtio_set_features(vdev, features) < 0) { diff --git a/0057-virtio-validate-num_sg-when-mapping.patch b/0057-virtio-validate-num_sg-when-mapping.patch new file mode 100644 index 00000000..dc62f156 --- /dev/null +++ b/0057-virtio-validate-num_sg-when-mapping.patch @@ -0,0 +1,46 @@ +From c5b839d16efe607af264cd6c2d99124b2a10bc02 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:51:53 +0300 +Subject: [PATCH] virtio: validate num_sg when mapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4535 +CVE-2013-4536 + +Both virtio-block and virtio-serial read, +VirtQueueElements are read in as buffers, and passed to +virtqueue_map_sg(), where num_sg is taken from the wire and can force +writes to indicies beyond VIRTQUEUE_MAX_SIZE. + +To fix, validate num_sg. + +Reported-by: Michael Roth +Signed-off-by: Michael S. Tsirkin +Cc: Amit Shah +Signed-off-by: Juan Quintela +(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4) +[AF: BNC#864665] +Signed-off-by: Andreas Färber +--- + hw/virtio/virtio.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 0072542..a70169a 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr, + unsigned int i; + hwaddr len; + ++ if (num_sg >= VIRTQUEUE_MAX_SIZE) { ++ error_report("virtio: map attempt out of bounds: %zd > %d", ++ num_sg, VIRTQUEUE_MAX_SIZE); ++ exit(1); ++ } ++ + for (i = 0; i < num_sg; i++) { + len = sg[i].iov_len; + sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write); diff --git a/0058-pxa2xx-avoid-buffer-overrun-on-inco.patch b/0058-pxa2xx-avoid-buffer-overrun-on-inco.patch new file mode 100644 index 00000000..2eba917f --- /dev/null +++ b/0058-pxa2xx-avoid-buffer-overrun-on-inco.patch @@ -0,0 +1,56 @@ +From f1cebceb572956ff820ecc29362c6ade0020d570 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:51:57 +0300 +Subject: [PATCH] pxa2xx: avoid buffer overrun on incoming migration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4533 + +s->rx_level is read from the wire and used to determine how many bytes +to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the +length of s->rx_fifo[] the buffer can be overrun with arbitrary data +from the wire. + +Fix this by validating rx_level against the size of s->rx_fifo. + +Cc: Don Koch +Reported-by: Michael Roth +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Peter Maydell +Reviewed-by: Don Koch +Signed-off-by: Juan Quintela +(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7) +[AF: BNC#864655] +Signed-off-by: Andreas Färber +--- + hw/arm/pxa2xx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c +index 0429148..e0cd847 100644 +--- a/hw/arm/pxa2xx.c ++++ b/hw/arm/pxa2xx.c +@@ -732,7 +732,7 @@ static void pxa2xx_ssp_save(QEMUFile *f, void *opaque) + static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id) + { + PXA2xxSSPState *s = (PXA2xxSSPState *) opaque; +- int i; ++ int i, v; + + s->enable = qemu_get_be32(f); + +@@ -746,7 +746,11 @@ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id) + qemu_get_8s(f, &s->ssrsa); + qemu_get_8s(f, &s->ssacd); + +- s->rx_level = qemu_get_byte(f); ++ v = qemu_get_byte(f); ++ if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) { ++ return -EINVAL; ++ } ++ s->rx_level = v; + s->rx_start = 0; + for (i = 0; i < s->rx_level; i ++) + s->rx_fifo[i] = qemu_get_byte(f); diff --git a/0059-ssd0323-fix-buffer-overun-on-invali.patch b/0059-ssd0323-fix-buffer-overun-on-invali.patch new file mode 100644 index 00000000..2e31a824 --- /dev/null +++ b/0059-ssd0323-fix-buffer-overun-on-invali.patch @@ -0,0 +1,82 @@ +From fb4795c3470c9258f96324a7e49fabf33ae1b98b Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:52:05 +0300 +Subject: [PATCH] ssd0323: fix buffer overun on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4538 + +s->cmd_len used as index in ssd0323_transfer() to store 32-bit field. +Possible this field might then be supplied by guest to overwrite a +return addr somewhere. Same for row/col fields, which are indicies into +framebuffer array. + +To fix validate after load. + +Additionally, validate that the row/col_start/end are within bounds; +otherwise the guest can provoke an overrun by either setting the _end +field so large that the row++ increments just walk off the end of the +array, or by setting the _start value to something bogus and then +letting the "we hit end of row" logic reset row to row_start. + +For completeness, validate mode as well. + +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Peter Maydell +Signed-off-by: Juan Quintela +(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811) +[AF: BNC#864769] +Signed-off-by: Andreas Färber +--- + hw/display/ssd0323.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c +index 971152e..9727007 100644 +--- a/hw/display/ssd0323.c ++++ b/hw/display/ssd0323.c +@@ -312,18 +312,42 @@ static int ssd0323_load(QEMUFile *f, void *opaque, int version_id) + return -EINVAL; + + s->cmd_len = qemu_get_be32(f); ++ if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) { ++ return -EINVAL; ++ } + s->cmd = qemu_get_be32(f); + for (i = 0; i < 8; i++) + s->cmd_data[i] = qemu_get_be32(f); + s->row = qemu_get_be32(f); ++ if (s->row < 0 || s->row >= 80) { ++ return -EINVAL; ++ } + s->row_start = qemu_get_be32(f); ++ if (s->row_start < 0 || s->row_start >= 80) { ++ return -EINVAL; ++ } + s->row_end = qemu_get_be32(f); ++ if (s->row_end < 0 || s->row_end >= 80) { ++ return -EINVAL; ++ } + s->col = qemu_get_be32(f); ++ if (s->col < 0 || s->col >= 64) { ++ return -EINVAL; ++ } + s->col_start = qemu_get_be32(f); ++ if (s->col_start < 0 || s->col_start >= 64) { ++ return -EINVAL; ++ } + s->col_end = qemu_get_be32(f); ++ if (s->col_end < 0 || s->col_end >= 64) { ++ return -EINVAL; ++ } + s->redraw = qemu_get_be32(f); + s->remap = qemu_get_be32(f); + s->mode = qemu_get_be32(f); ++ if (s->mode != SSD0323_CMD && s->mode != SSD0323_DATA) { ++ return -EINVAL; ++ } + qemu_get_buffer(f, s->framebuffer, sizeof(s->framebuffer)); + + ss->cs = qemu_get_be32(f); diff --git a/0060-tsc210x-fix-buffer-overrun-on-inval.patch b/0060-tsc210x-fix-buffer-overrun-on-inval.patch new file mode 100644 index 00000000..2ca48221 --- /dev/null +++ b/0060-tsc210x-fix-buffer-overrun-on-inval.patch @@ -0,0 +1,52 @@ +From 9258d36c4392e02156a986a03a0d8ee8fb0c4284 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:52:09 +0300 +Subject: [PATCH] tsc210x: fix buffer overrun on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4539 + +s->precision, nextprecision, function and nextfunction +come from wire and are used +as idx into resolution[] in TSC_CUT_RESOLUTION. + +Validate after load to avoid buffer overrun. + +Cc: Andreas Färber +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f) +[AF: BNC#864805] +Signed-off-by: Andreas Färber +--- + hw/input/tsc210x.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c +index 485c9e5..aa5b688 100644 +--- a/hw/input/tsc210x.c ++++ b/hw/input/tsc210x.c +@@ -1070,9 +1070,21 @@ static int tsc210x_load(QEMUFile *f, void *opaque, int version_id) + s->enabled = qemu_get_byte(f); + s->host_mode = qemu_get_byte(f); + s->function = qemu_get_byte(f); ++ if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) { ++ return -EINVAL; ++ } + s->nextfunction = qemu_get_byte(f); ++ if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) { ++ return -EINVAL; ++ } + s->precision = qemu_get_byte(f); ++ if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) { ++ return -EINVAL; ++ } + s->nextprecision = qemu_get_byte(f); ++ if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) { ++ return -EINVAL; ++ } + s->filter = qemu_get_byte(f); + s->pin_func = qemu_get_byte(f); + s->ref = qemu_get_byte(f); diff --git a/0061-zaurus-fix-buffer-overrun-on-invali.patch b/0061-zaurus-fix-buffer-overrun-on-invali.patch new file mode 100644 index 00000000..84afb38d --- /dev/null +++ b/0061-zaurus-fix-buffer-overrun-on-invali.patch @@ -0,0 +1,59 @@ +From a075e63d02fed4153136742624696b376918a820 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:52:13 +0300 +Subject: [PATCH] zaurus: fix buffer overrun on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4540 + +Within scoop_gpio_handler_update, if prev_level has a high bit set, then +we get bit > 16 and that causes a buffer overrun. + +Since prev_level comes from wire indirectly, this can +happen on invalid state load. + +Similarly for gpio_level and gpio_dir. + +To fix, limit to 16 bit. + +Reported-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Juan Quintela +(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b) +[AF: BNC#864801] +Signed-off-by: Andreas Färber +--- + hw/gpio/zaurus.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c +index dc79a8b..8e2ce04 100644 +--- a/hw/gpio/zaurus.c ++++ b/hw/gpio/zaurus.c +@@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, int version_id) + return version_id == 0; + } + ++static bool vmstate_scoop_validate(void *opaque, int version_id) ++{ ++ ScoopInfo *s = opaque; ++ ++ return !(s->prev_level & 0xffff0000) && ++ !(s->gpio_level & 0xffff0000) && ++ !(s->gpio_dir & 0xffff0000); ++} ++ + static const VMStateDescription vmstate_scoop_regs = { + .name = "scoop", + .version_id = 1, +@@ -215,6 +224,7 @@ static const VMStateDescription vmstate_scoop_regs = { + VMSTATE_UINT32(gpio_level, ScoopInfo), + VMSTATE_UINT32(gpio_dir, ScoopInfo), + VMSTATE_UINT32(prev_level, ScoopInfo), ++ VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate), + VMSTATE_UINT16(mcr, ScoopInfo), + VMSTATE_UINT16(cdr, ScoopInfo), + VMSTATE_UINT16(ccr, ScoopInfo), diff --git a/0062-virtio-scsi-fix-buffer-overrun-on-i.patch b/0062-virtio-scsi-fix-buffer-overrun-on-i.patch new file mode 100644 index 00000000..1d1d55f8 --- /dev/null +++ b/0062-virtio-scsi-fix-buffer-overrun-on-i.patch @@ -0,0 +1,69 @@ +From 2f55ce6ce26c16796443a7765a7d5fad157340ed Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:52:17 +0300 +Subject: [PATCH] virtio-scsi: fix buffer overrun on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4542 + +hw/scsi/scsi-bus.c invokes load_request. + + virtio_scsi_load_request does: + qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); + +this probably can make elem invalid, for example, +make in_num or out_num huge, then: + + virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); + +will do: + + if (req->elem.out_num > 1) { + qemu_sgl_init_external(req, &req->elem.out_sg[1], + &req->elem.out_addr[1], + req->elem.out_num - 1); + } else { + qemu_sgl_init_external(req, &req->elem.in_sg[1], + &req->elem.in_addr[1], + req->elem.in_num - 1); + } + +and this will access out of array bounds. + +Note: this adds security checks within assert calls since +SCSIBusInfo's load_request cannot fail. +For now simply disable builds with NDEBUG - there seems +to be little value in supporting these. + +Cc: Andreas Färber +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976) +[AF: BNC#864804] +Signed-off-by: Andreas Färber +--- + hw/scsi/virtio-scsi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c +index b0d7517..1752193 100644 +--- a/hw/scsi/virtio-scsi.c ++++ b/hw/scsi/virtio-scsi.c +@@ -147,6 +147,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq) + qemu_get_be32s(f, &n); + assert(n < vs->conf.num_queues); + qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); ++ /* TODO: add a way for SCSIBusInfo's load_request to fail, ++ * and fail migration instead of asserting here. ++ * When we do, we might be able to re-enable NDEBUG below. ++ */ ++#ifdef NDEBUG ++#error building with NDEBUG is not supported ++#endif ++ assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg)); ++ assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg)); + virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); + + scsi_req_ref(sreq); diff --git a/0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch b/0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch new file mode 100644 index 00000000..b563678a --- /dev/null +++ b/0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch @@ -0,0 +1,69 @@ +From 075764d38e7916de4f2621c329d3b7d810a76500 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:52:21 +0300 +Subject: [PATCH] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As the macro verifies the value is positive, rename it +to make the function clearer. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit 3476436a44c29725efef0cabf5b3ea4e70054d57) +Signed-off-by: Andreas Färber +--- + hw/pci/pci.c | 4 ++-- + include/migration/vmstate.h | 2 +- + target-arm/machine.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/pci/pci.c b/hw/pci/pci.c +index 2a9f08e..517ff2a 100644 +--- a/hw/pci/pci.c ++++ b/hw/pci/pci.c +@@ -475,7 +475,7 @@ const VMStateDescription vmstate_pci_device = { + .minimum_version_id = 1, + .minimum_version_id_old = 1, + .fields = (VMStateField []) { +- VMSTATE_INT32_LE(version_id, PCIDevice), ++ VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice), + VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0, + vmstate_info_pci_config, + PCI_CONFIG_SPACE_SIZE), +@@ -492,7 +492,7 @@ const VMStateDescription vmstate_pcie_device = { + .minimum_version_id = 1, + .minimum_version_id_old = 1, + .fields = (VMStateField []) { +- VMSTATE_INT32_LE(version_id, PCIDevice), ++ VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice), + VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0, + vmstate_info_pci_config, + PCIE_CONFIG_SPACE_SIZE), +diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h +index 5b71370..7e45048 100644 +--- a/include/migration/vmstate.h ++++ b/include/migration/vmstate.h +@@ -601,7 +601,7 @@ extern const VMStateInfo vmstate_info_bitmap; + #define VMSTATE_UINT64_EQUAL(_f, _s) \ + VMSTATE_UINT64_EQUAL_V(_f, _s, 0) + +-#define VMSTATE_INT32_LE(_f, _s) \ ++#define VMSTATE_INT32_POSITIVE_LE(_f, _s) \ + VMSTATE_SINGLE(_f, _s, 0, vmstate_info_int32_le, int32_t) + + #define VMSTATE_UINT8_TEST(_f, _s, _t) \ +diff --git a/target-arm/machine.c b/target-arm/machine.c +index 7ced87a..5746ffd 100644 +--- a/target-arm/machine.c ++++ b/target-arm/machine.c +@@ -246,7 +246,7 @@ const VMStateDescription vmstate_arm_cpu = { + /* The length-check must come before the arrays to avoid + * incoming data possibly overflowing the array. + */ +- VMSTATE_INT32_LE(cpreg_vmstate_array_len, ARMCPU), ++ VMSTATE_INT32_POSITIVE_LE(cpreg_vmstate_array_len, ARMCPU), + VMSTATE_VARRAY_INT32(cpreg_vmstate_indexes, ARMCPU, + cpreg_vmstate_array_len, + 0, vmstate_info_uint64, uint64_t), diff --git a/0064-usb-sanity-check-setup_index-setup_.patch b/0064-usb-sanity-check-setup_index-setup_.patch new file mode 100644 index 00000000..52101926 --- /dev/null +++ b/0064-usb-sanity-check-setup_index-setup_.patch @@ -0,0 +1,43 @@ +From b94f504fbb4910705803236ec84805ac4ac9139e Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 3 Apr 2014 19:52:25 +0300 +Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4541 + +s->setup_len and s->setup_index are fed into usb_packet_copy as +size/offset into s->data_buf, it's possible for invalid state to exploit +this to load arbitrary data. + +setup_len and setup_index should be checked to make sure +they are not negative. + +Cc: Gerd Hoffmann +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Gerd Hoffmann +Signed-off-by: Juan Quintela +(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a) +[AF: BNC#864802] +Signed-off-by: Andreas Färber +--- + hw/usb/bus.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/bus.c b/hw/usb/bus.c +index fe70429..e48b19f 100644 +--- a/hw/usb/bus.c ++++ b/hw/usb/bus.c +@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id) + } else { + dev->attached = 1; + } +- if (dev->setup_index >= sizeof(dev->data_buf) || ++ if (dev->setup_index < 0 || ++ dev->setup_len < 0 || ++ dev->setup_index >= sizeof(dev->data_buf) || + dev->setup_len >= sizeof(dev->data_buf)) { + return -EINVAL; + } diff --git a/0065-savevm-Ignore-minimum_version_id_ol.patch b/0065-savevm-Ignore-minimum_version_id_ol.patch new file mode 100644 index 00000000..9d7de215 --- /dev/null +++ b/0065-savevm-Ignore-minimum_version_id_ol.patch @@ -0,0 +1,102 @@ +From 9ad9afb2ff3fa91c1315bd198e0118f8025b8805 Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Thu, 3 Apr 2014 19:52:28 +0300 +Subject: [PATCH] savevm: Ignore minimum_version_id_old if there is no + load_state_old +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +At the moment we require vmstate definitions to set minimum_version_id_old +to the same value as minimum_version_id if they do not provide a +load_state_old handler. Since the load_state_old functionality is +required only for a handful of devices that need to retain migration +compatibility with a pre-vmstate implementation, this means the bulk +of devices have pointless boilerplate. Relax the definition so that +minimum_version_id_old is ignored if there is no load_state_old handler. + +Note that under the old scheme we would segfault if the vmstate +specified a minimum_version_id_old that was less than minimum_version_id +but did not provide a load_state_old function, and the incoming state +specified a version number between minimum_version_id_old and +minimum_version_id. Under the new scheme this will just result in +our failing the migration. + +Signed-off-by: Peter Maydell +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit 767adce2d9cd397de3418caa16be35ea18d56f22) +Signed-off-by: Andreas Färber +--- + docs/migration.txt | 12 +++++------- + vmstate.c | 9 +++++---- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/docs/migration.txt b/docs/migration.txt +index 0e0a1d4..fe1f2bb 100644 +--- a/docs/migration.txt ++++ b/docs/migration.txt +@@ -139,7 +139,6 @@ static const VMStateDescription vmstate_kbd = { + .name = "pckbd", + .version_id = 3, + .minimum_version_id = 3, +- .minimum_version_id_old = 3, + .fields = (VMStateField []) { + VMSTATE_UINT8(write_cmd, KBDState), + VMSTATE_UINT8(status, KBDState), +@@ -168,12 +167,13 @@ You can see that there are several version fields: + - minimum_version_id: the minimum version_id that VMState is able to understand + for that device. + - minimum_version_id_old: For devices that were not able to port to vmstate, we can +- assign a function that knows how to read this old state. ++ assign a function that knows how to read this old state. This field is ++ ignored if there is no load_state_old handler. + + So, VMState is able to read versions from minimum_version_id to +-version_id. And the function load_state_old() is able to load state +-from minimum_version_id_old to minimum_version_id. This function is +-deprecated and will be removed when no more users are left. ++version_id. And the function load_state_old() (if present) is able to ++load state from minimum_version_id_old to minimum_version_id. This ++function is deprecated and will be removed when no more users are left. + + === Massaging functions === + +@@ -255,7 +255,6 @@ const VMStateDescription vmstate_ide_drive_pio_state = { + .name = "ide_drive/pio_state", + .version_id = 1, + .minimum_version_id = 1, +- .minimum_version_id_old = 1, + .pre_save = ide_drive_pio_pre_save, + .post_load = ide_drive_pio_post_load, + .fields = (VMStateField []) { +@@ -275,7 +274,6 @@ const VMStateDescription vmstate_ide_drive = { + .name = "ide_drive", + .version_id = 3, + .minimum_version_id = 0, +- .minimum_version_id_old = 0, + .post_load = ide_drive_post_load, + .fields = (VMStateField []) { + .... several fields .... +diff --git a/vmstate.c b/vmstate.c +index 105f184..582c321 100644 +--- a/vmstate.c ++++ b/vmstate.c +@@ -19,11 +19,12 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd, + if (version_id > vmsd->version_id) { + return -EINVAL; + } +- if (version_id < vmsd->minimum_version_id_old) { +- return -EINVAL; +- } + if (version_id < vmsd->minimum_version_id) { +- return vmsd->load_state_old(f, opaque, version_id); ++ if (vmsd->load_state_old && ++ version_id >= vmsd->minimum_version_id_old) { ++ return vmsd->load_state_old(f, opaque, version_id); ++ } ++ return -EINVAL; + } + if (vmsd->pre_load) { + int ret = vmsd->pre_load(opaque); diff --git a/0066-ssi-sd-fix-buffer-overrun-on-invali.patch b/0066-ssi-sd-fix-buffer-overrun-on-invali.patch new file mode 100644 index 00000000..2d6117ae --- /dev/null +++ b/0066-ssi-sd-fix-buffer-overrun-on-invali.patch @@ -0,0 +1,46 @@ +From 9ec43fe48680cf5917eb3d41ad85201d4137871f Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Mon, 28 Apr 2014 16:08:14 +0300 +Subject: [PATCH] ssi-sd: fix buffer overrun on invalid state load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4537 + +s->arglen is taken from wire and used as idx +in ssi_sd_transfer(). + +Validate it before access. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit a9c380db3b8c6af19546a68145c8d1438a09c92b) +[AF: BNC#864391] +Signed-off-by: Andreas Färber +--- + hw/sd/ssi-sd.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c +index 3273c8a..b012e57 100644 +--- a/hw/sd/ssi-sd.c ++++ b/hw/sd/ssi-sd.c +@@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id) + for (i = 0; i < 5; i++) + s->response[i] = qemu_get_be32(f); + s->arglen = qemu_get_be32(f); ++ if (s->mode == SSI_SD_CMDARG && ++ (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) { ++ return -EINVAL; ++ } + s->response_pos = qemu_get_be32(f); + s->stopping = qemu_get_be32(f); ++ if (s->mode == SSI_SD_RESPONSE && ++ (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) || ++ (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) { ++ return -EINVAL; ++ } + + ss->cs = qemu_get_be32(f); + diff --git a/0067-openpic-avoid-buffer-overrun-on-inc.patch b/0067-openpic-avoid-buffer-overrun-on-inc.patch new file mode 100644 index 00000000..c84e3ba2 --- /dev/null +++ b/0067-openpic-avoid-buffer-overrun-on-inc.patch @@ -0,0 +1,77 @@ +From e70b97747393a4d5544bdb9eb64a7f5b69b0bb91 Mon Sep 17 00:00:00 2001 +From: Michael Roth +Date: Mon, 28 Apr 2014 16:08:17 +0300 +Subject: [PATCH] openpic: avoid buffer overrun on incoming migration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4534 + +opp->nb_cpus is read from the wire and used to determine how many +IRQDest elements to read into opp->dst[]. If the value exceeds the +length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary +data from the wire. + +Fix this by failing migration if the value read from the wire exceeds +MAX_CPU. + +Signed-off-by: Michael Roth +Reviewed-by: Alexander Graf +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e) +[AF: BNC#864811] +Signed-off-by: Andreas Färber +--- + hw/intc/openpic.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c +index be76fbd..17136c9 100644 +--- a/hw/intc/openpic.c ++++ b/hw/intc/openpic.c +@@ -41,6 +41,7 @@ + #include "hw/sysbus.h" + #include "hw/pci/msi.h" + #include "qemu/bitops.h" ++#include "qapi/qmp/qerror.h" + + //#define DEBUG_OPENPIC + +@@ -1416,7 +1417,7 @@ static void openpic_load_IRQ_queue(QEMUFile* f, IRQQueue *q) + static int openpic_load(QEMUFile* f, void *opaque, int version_id) + { + OpenPICState *opp = (OpenPICState *)opaque; +- unsigned int i; ++ unsigned int i, nb_cpus; + + if (version_id != 1) { + return -EINVAL; +@@ -1428,7 +1429,11 @@ static int openpic_load(QEMUFile* f, void *opaque, int version_id) + qemu_get_be32s(f, &opp->spve); + qemu_get_be32s(f, &opp->tfrr); + +- qemu_get_be32s(f, &opp->nb_cpus); ++ qemu_get_be32s(f, &nb_cpus); ++ if (opp->nb_cpus != nb_cpus) { ++ return -EINVAL; ++ } ++ assert(nb_cpus > 0 && nb_cpus <= MAX_CPU); + + for (i = 0; i < opp->nb_cpus; i++) { + qemu_get_sbe32s(f, &opp->dst[i].ctpr); +@@ -1567,6 +1572,13 @@ static void openpic_realize(DeviceState *dev, Error **errp) + {NULL} + }; + ++ if (opp->nb_cpus > MAX_CPU) { ++ error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE, ++ TYPE_OPENPIC, "nb_cpus", (uint64_t)opp->nb_cpus, ++ (uint64_t)0, (uint64_t)MAX_CPU); ++ return; ++ } ++ + switch (opp->model) { + case OPENPIC_MODEL_FSL_MPIC_20: + default: diff --git a/0068-virtio-net-out-of-bounds-buffer-wri.patch b/0068-virtio-net-out-of-bounds-buffer-wri.patch new file mode 100644 index 00000000..266ccf8f --- /dev/null +++ b/0068-virtio-net-out-of-bounds-buffer-wri.patch @@ -0,0 +1,60 @@ +From 2eae80d0ad4c9d0de849fbe8ad6d7d5fa788fdfb Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Mon, 28 Apr 2014 16:08:21 +0300 +Subject: [PATCH] virtio-net: out-of-bounds buffer write on load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in +virtio_net_load()@hw/net/virtio-net.c + +> } else if (n->mac_table.in_use) { +> uint8_t *buf = g_malloc0(n->mac_table.in_use); + +We are allocating buffer of size n->mac_table.in_use + +> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); + +and read to the n->mac_table.in_use size buffer n->mac_table.in_use * +ETH_ALEN bytes, corrupting memory. + +If adversary controls state then memory written there is controlled +by adversary. + +Reviewed-by: Michael Roth +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela +(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf) +[AF: BNC#864649] +Signed-off-by: Andreas Färber +--- + hw/net/virtio-net.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 0a8cb40..940a7cf 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id) + if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) { + qemu_get_buffer(f, n->mac_table.macs, + n->mac_table.in_use * ETH_ALEN); +- } else if (n->mac_table.in_use) { +- uint8_t *buf = g_malloc0(n->mac_table.in_use); +- qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); +- g_free(buf); ++ } else { ++ int64_t i; ++ ++ /* Overflow detected - can happen if source has a larger MAC table. ++ * We simply set overflow flag so there's no need to maintain the ++ * table of addresses, discard them all. ++ * Note: 64 bit math to avoid integer overflow. ++ */ ++ for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) { ++ qemu_get_byte(f); ++ } + n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1; + n->mac_table.in_use = 0; + } diff --git a/0069-virtio-validate-config_len-on-load.patch b/0069-virtio-validate-config_len-on-load.patch new file mode 100644 index 00000000..9632a118 --- /dev/null +++ b/0069-virtio-validate-config_len-on-load.patch @@ -0,0 +1,57 @@ +From 5d2ec830b492cc18205d3a10d9ed3595559cd831 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Mon, 28 Apr 2014 16:08:23 +0300 +Subject: [PATCH] virtio: validate config_len on load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Malformed input can have config_len in migration stream +exceed the array size allocated on destination, the +result will be heap overflow. + +To fix, that config_len matches on both sides. + +CVE-2014-0182 + +Reported-by: "Dr. David Alan Gilbert" +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Juan Quintela + +-- + +v2: use %ix and %zx to print config_len values +Signed-off-by: Juan Quintela +(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc) +[AF: BNC#874788] +Signed-off-by: Andreas Färber +--- + hw/virtio/virtio.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index a70169a..7f4e7ec 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val) + int virtio_load(VirtIODevice *vdev, QEMUFile *f) + { + int i, ret; ++ int32_t config_len; + uint32_t num; + uint32_t features; + uint32_t supported_features; +@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f) + features, supported_features); + return -1; + } +- vdev->config_len = qemu_get_be32(f); ++ config_len = qemu_get_be32(f); ++ if (config_len != vdev->config_len) { ++ error_report("Unexpected config length 0x%x. Expected 0x%zx", ++ config_len, vdev->config_len); ++ return -1; ++ } + qemu_get_buffer(f, vdev->config, vdev->config_len); + + num = qemu_get_be32(f); diff --git a/0070-virtio-allow-mapping-up-to-max-queu.patch b/0070-virtio-allow-mapping-up-to-max-queu.patch new file mode 100644 index 00000000..f060994f --- /dev/null +++ b/0070-virtio-allow-mapping-up-to-max-queu.patch @@ -0,0 +1,36 @@ +From f609ef91bccd8b1637575516a94a5dc0af804b40 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Mon, 12 May 2014 12:04:20 +0300 +Subject: [PATCH] virtio: allow mapping up to max queue size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so +it's OK if the value read is VIRTQUEUE_MAX_SIZE. + +Not a big problem in practice as people don't use +such big queues, but it's inelegant. + +Reported-by: "Dr. David Alan Gilbert" +Cc: qemu-stable@nongnu.org +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 937251408051e0489f78e4db3c92e045b147b38b) +Signed-off-by: Andreas Färber +--- + hw/virtio/virtio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 7f4e7ec..3557c17 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -430,7 +430,7 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr, + unsigned int i; + hwaddr len; + +- if (num_sg >= VIRTQUEUE_MAX_SIZE) { ++ if (num_sg > VIRTQUEUE_MAX_SIZE) { + error_report("virtio: map attempt out of bounds: %zd > %d", + num_sg, VIRTQUEUE_MAX_SIZE); + exit(1); diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index 93af914c..c211848c 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -70,6 +70,31 @@ Patch0042: 0042-qtest-Be-paranoid-about-accept-addr.patch Patch0043: 0043-arm-translate.c-Fix-smlald-Instruct.patch Patch0044: 0044-target-arm-A64-fix-unallocated-test.patch Patch0045: 0045-tcg-ppc64-Support-the-ELFv2-ABI.patch +Patch0046: 0046-vmstate-add-VMS_MUST_EXIST.patch +Patch0047: 0047-vmstate-add-VMSTATE_VALIDATE.patch +Patch0048: 0048-virtio-net-fix-buffer-overflow-on-i.patch +Patch0049: 0049-virtio-net-out-of-bounds-buffer-wri.patch +Patch0050: 0050-virtio-out-of-bounds-buffer-write-o.patch +Patch0051: 0051-ahci-fix-buffer-overrun-on-invalid-.patch +Patch0052: 0052-hpet-fix-buffer-overrun-on-invalid-.patch +Patch0053: 0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch +Patch0054: 0054-pl022-fix-buffer-overun-on-invalid-.patch +Patch0055: 0055-vmstate-fix-buffer-overflow-in-targ.patch +Patch0056: 0056-virtio-avoid-buffer-overrun-on-inco.patch +Patch0057: 0057-virtio-validate-num_sg-when-mapping.patch +Patch0058: 0058-pxa2xx-avoid-buffer-overrun-on-inco.patch +Patch0059: 0059-ssd0323-fix-buffer-overun-on-invali.patch +Patch0060: 0060-tsc210x-fix-buffer-overrun-on-inval.patch +Patch0061: 0061-zaurus-fix-buffer-overrun-on-invali.patch +Patch0062: 0062-virtio-scsi-fix-buffer-overrun-on-i.patch +Patch0063: 0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch +Patch0064: 0064-usb-sanity-check-setup_index-setup_.patch +Patch0065: 0065-savevm-Ignore-minimum_version_id_ol.patch +Patch0066: 0066-ssi-sd-fix-buffer-overrun-on-invali.patch +Patch0067: 0067-openpic-avoid-buffer-overrun-on-inc.patch +Patch0068: 0068-virtio-net-out-of-bounds-buffer-wri.patch +Patch0069: 0069-virtio-validate-config_len-on-load.patch +Patch0070: 0070-virtio-allow-mapping-up-to-max-queu.patch # Please do not add patches manually here, run update_git.sh. # this is to make lint happy Source300: rpmlintrc @@ -168,6 +193,31 @@ run cross-architecture builds. %patch0043 -p1 %patch0044 -p1 %patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 +%patch0058 -p1 +%patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 +%patch0069 -p1 +%patch0070 -p1 %build ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ diff --git a/qemu.changes b/qemu.changes index 964d1cc5..3f27e37e 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,49 @@ +------------------------------------------------------------------- +Sat May 24 10:01:36 UTC 2014 - afaerber@suse.de + +- Fix CVE-2013-4148 (bnc#864812) + 0048-virtio-net-fix-buffer-overflow-on-i.patch +- Fix CVE-2013-4149 (bnc#864649) + 0068-virtio-net-out-of-bounds-buffer-wri.patch +- Fix CVE-2013-4150 (bnc#864650) + 0049-virtio-net-out-of-bounds-buffer-wri.patch +- Fix CVE-2013-4151 (bnc#864653) + 0050-virtio-out-of-bounds-buffer-write-o.patch +- Fix CVE-2013-4526 (bnc#864671) + 0051-ahci-fix-buffer-overrun-on-invalid-.patch +- Fix CVE-2013-4527 (bnc#864673) + 0052-hpet-fix-buffer-overrun-on-invalid-.patch +- Fix CVE-2013-4529 (bnc#864678) + 0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch +- Fix CVE-2013-4530 (bnc#864682) + 0054-pl022-fix-buffer-overun-on-invalid-.patch +- Fix CVE-2013-4531 (bnc#864796) + 0055-vmstate-fix-buffer-overflow-in-targ.patch +- Fix CVE-2013-4533 (bnc#864655) + 0058-pxa2xx-avoid-buffer-overrun-on-inco.patch +- Fix CVE-2013-4534 (bnc#864811) + 0067-openpic-avoid-buffer-overrun-on-inc.patch +- Fix CVE-2013-4535 / CVE-2013-4536 (bnc#864665) + 0057-virtio-validate-num_sg-when-mapping.patch +- Fix CVE-2013-4537 (bnc#864391) + 0066-ssi-sd-fix-buffer-overrun-on-invali.patch +- Fix CVE-2013-4538 (bnc#864769) + 0059-ssd0323-fix-buffer-overun-on-invali.patch +- Fix CVE-2013-4539 (bnc#864805) + 0060-tsc210x-fix-buffer-overrun-on-inval.patch +- Fix CVE-2013-4540 (bnc#864801) + 0061-zaurus-fix-buffer-overrun-on-invali.patch +- Fix CVE-2013-4541 (bnc#864802) + 0064-usb-sanity-check-setup_index-setup_.patch +- Fix CVE-2013-4542 (bnc#864804) + 0062-virtio-scsi-fix-buffer-overrun-on-i.patch +- Fix CVE-2013-6399 (bnc#864814) + 0067-virtio-avoid-buffer-overrun-on-inco.patch +- Fix CVE-2014-0182 (bnc#874788) + 0069-virtio-validate-config_len-on-load.patch +- Backported patch from stable branch (brogers): + 0070-virtio-allow-mapping-up-to-max-queu.patch + ------------------------------------------------------------------- Wed May 14 13:44:38 UTC 2014 - afaerber@suse.de diff --git a/qemu.spec b/qemu.spec index 51de5b5e..ab2a7402 100644 --- a/qemu.spec +++ b/qemu.spec @@ -99,6 +99,31 @@ Patch0042: 0042-qtest-Be-paranoid-about-accept-addr.patch Patch0043: 0043-arm-translate.c-Fix-smlald-Instruct.patch Patch0044: 0044-target-arm-A64-fix-unallocated-test.patch Patch0045: 0045-tcg-ppc64-Support-the-ELFv2-ABI.patch +Patch0046: 0046-vmstate-add-VMS_MUST_EXIST.patch +Patch0047: 0047-vmstate-add-VMSTATE_VALIDATE.patch +Patch0048: 0048-virtio-net-fix-buffer-overflow-on-i.patch +Patch0049: 0049-virtio-net-out-of-bounds-buffer-wri.patch +Patch0050: 0050-virtio-out-of-bounds-buffer-write-o.patch +Patch0051: 0051-ahci-fix-buffer-overrun-on-invalid-.patch +Patch0052: 0052-hpet-fix-buffer-overrun-on-invalid-.patch +Patch0053: 0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch +Patch0054: 0054-pl022-fix-buffer-overun-on-invalid-.patch +Patch0055: 0055-vmstate-fix-buffer-overflow-in-targ.patch +Patch0056: 0056-virtio-avoid-buffer-overrun-on-inco.patch +Patch0057: 0057-virtio-validate-num_sg-when-mapping.patch +Patch0058: 0058-pxa2xx-avoid-buffer-overrun-on-inco.patch +Patch0059: 0059-ssd0323-fix-buffer-overun-on-invali.patch +Patch0060: 0060-tsc210x-fix-buffer-overrun-on-inval.patch +Patch0061: 0061-zaurus-fix-buffer-overrun-on-invali.patch +Patch0062: 0062-virtio-scsi-fix-buffer-overrun-on-i.patch +Patch0063: 0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch +Patch0064: 0064-usb-sanity-check-setup_index-setup_.patch +Patch0065: 0065-savevm-Ignore-minimum_version_id_ol.patch +Patch0066: 0066-ssi-sd-fix-buffer-overrun-on-invali.patch +Patch0067: 0067-openpic-avoid-buffer-overrun-on-inc.patch +Patch0068: 0068-virtio-net-out-of-bounds-buffer-wri.patch +Patch0069: 0069-virtio-validate-config_len-on-load.patch +Patch0070: 0070-virtio-allow-mapping-up-to-max-queu.patch # Please do not add patches manually here, run update_git.sh. # roms/ipxe patches @@ -524,6 +549,31 @@ This package provides a service file for starting and stopping KSM. %patch0043 -p1 %patch0044 -p1 %patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 +%patch0058 -p1 +%patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 +%patch0069 -p1 +%patch0070 -p1 %patch1000 -p1 %patch1001 -p1