Accepting request 829654 from home:bfrogers:branches:Virtualization

- Fix OOB access while processing USB packets (CVE-2020-14364
  bsc#1175441)
  (somehow our script processing the patches stripped the first
  character "u" - will address later)
  sb-fix-setup_len-init-CVE-2020-14364.patch
- Re-sync openSUSE and SUSE SLE qemu packages. This changes file
  is the openSUSE one with this entry providing the intervening
  SLE CVE, JIRA, and bugzilla references, which are still addressed
  in this package, and not yet called out in this changes file.
* CVE-2020-1983  CVE-2020-10761 CVE-2020-13361 CVE-2020-13362
  CVE-2020-13659 CVE-2020-13800
* bsc#1167816 bsc#1170940 boo#1171712 bsc#1172383 bsc#1172384
  bsc#1172386 bsc#1172495 bsc#1172710
* Patches dropped (SLE) (included in current release tarball):
  exec-set-map-length-to-zero-when-returni.patch
  i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch
  megasas-use-unsigned-type-for-reply_queu.patch

OBS-URL: https://build.opensuse.org/request/show/829654
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=565

bundles.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:4005d41755ab814b7f88da9452909fa6133c3ecaa71dff6d060aa50c3b6de2d7
-size 34956
+oid sha256:054c58f5b1cdb6d78098cb77f119d414a5a2ad4950869a00eb6df2201ecddbbf
+size 35496

qemu.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue Aug 25 22:42:27 UTC 2020 - Bruce Rogers <brogers@suse.com>
+
+- Fix OOB access while processing USB packets (CVE-2020-14364
+  bsc#1175441)
+  (somehow our script processing the patches stripped the first
+  character "u" - will address later)
+  sb-fix-setup_len-init-CVE-2020-14364.patch
+- Re-sync openSUSE and SUSE SLE qemu packages. This changes file
+  is the openSUSE one with this entry providing the intervening
+  SLE CVE, JIRA, and bugzilla references, which are still addressed
+  in this package, and not yet called out in this changes file.
+* CVE-2020-1983  CVE-2020-10761 CVE-2020-13361 CVE-2020-13362
+  CVE-2020-13659 CVE-2020-13800
+* bsc#1167816 bsc#1170940 boo#1171712 bsc#1172383 bsc#1172384
+  bsc#1172386 bsc#1172495 bsc#1172710
+* Patches dropped (SLE) (included in current release tarball):
+  exec-set-map-length-to-zero-when-returni.patch
+  i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch
+  megasas-use-unsigned-type-for-reply_queu.patch
+
 -------------------------------------------------------------------
 Thu Aug 20 13:19:12 UTC 2020 - Bruce Rogers <brogers@suse.com>
 

sb-fix-setup_len-init-CVE-2020-14364.patch

@@ -0,0 +1,86 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: usb: fix setup_len init (CVE-2020-14364)
+
+Git-commit: 0000000000000000000000000000000000000000
+References: bsc#1175441, CVE-2020-14364
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128b6bc5f5440e18b143fe41..5234dcc73fea6012f7143f307640 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+     int request, value, index;
++    unsigned int setup_len;
+ 
+     if (p->iov.size != 8) {
+         p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+     usb_packet_copy(p, s->setup_buf, p->iov.size);
+     s->setup_index = 0;
+     p->actual_length = 0;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+-    if (s->setup_len > sizeof(s->data_buf)) {
++    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
++                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
++    s->setup_len = setup_len;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+     int i, request, value, index;
++    unsigned int setup_len;
+ 
+     for (i = 0; i < 8; i++) {
+         s->setup_buf[i] = p->parameter >> (i*8);
+     }
+ 
+     s->setup_state = SETUP_STATE_PARAM;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+     s->setup_index = 0;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
+ 
+-    if (s->setup_len > sizeof(s->data_buf)) {
++    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
++                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
++    s->setup_len = setup_len;
+ 
+     if (p->pid == USB_TOKEN_OUT) {
+         usb_packet_copy(p, s->data_buf, s->setup_len);