diff --git a/CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch b/CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch new file mode 100644 index 0000000..2565bb7 --- /dev/null +++ b/CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch @@ -0,0 +1,73 @@ +References: bsc#990843 CVE-2016-6351 + +Subject: scsi: esp: make cmdbuf big enough for maximum CDB size +From: Prasad J Pandit pjp@fedoraproject.org Thu Jun 16 00:22:35 2016 +0200 +Date: Thu Jun 16 18:39:05 2016 +0200: +Git: 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 + +While doing DMA read into ESP command buffer 's->cmdbuf', it could +write past the 's->cmdbuf' area, if it was transferring more than 16 +bytes. Increase the command buffer size to 32, which is maximum when +'s->do_cmd' is set, and add a check on 'len' to avoid OOB access. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Signed-off-by: Paolo Bonzini + +Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c +=================================================================== +--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c ++++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c +@@ -26,6 +26,8 @@ + #include "scsi-disk.h" + #include "scsi.h" + ++#include ++ + /* debug ESP card */ + //#define DEBUG_ESP + +@@ -49,6 +51,7 @@ do { printf("ESP ERROR: %s: " fmt, __fun + + #define ESP_REGS 16 + #define TI_BUFSZ 16 ++#define ESP_CMDBUF_SZ 32 + + typedef struct ESPState ESPState; + +@@ -64,7 +67,7 @@ struct ESPState { + uint32_t dma; + SCSIDevice *scsi_dev[ESP_MAX_DEVS]; + SCSIDevice *current_dev; +- uint8_t cmdbuf[TI_BUFSZ]; ++ uint8_t cmdbuf[ESP_CMDBUF_SZ]; + uint32_t cmdlen; + uint32_t do_cmd; + +@@ -294,6 +297,8 @@ static void esp_do_dma(ESPState *s) + len = s->dma_left; + if (s->do_cmd) { + DPRINTF("command len %d + %d\n", s->cmdlen, len); ++ assert (s->cmdlen <= sizeof(s->cmdbuf) && ++ len <= sizeof(s->cmdbuf) - s->cmdlen); + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); + s->ti_size = 0; + s->cmdlen = 0; +@@ -382,7 +387,7 @@ static void handle_ti(ESPState *s) + s->dma_counter = dmalen; + + if (s->do_cmd) +- minlen = (dmalen < 32) ? dmalen : 32; ++ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; + else if (s->ti_size < 0) + minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size; + else +@@ -476,7 +481,7 @@ static void esp_mem_writeb(void *opaque, + break; + case ESP_FIFO: + if (s->do_cmd) { +- if (s->cmdlen < TI_BUFSZ) { ++ if (s->cmdlen < ESP_CMDBUF_SZ) { + s->cmdbuf[s->cmdlen++] = val & 0xff; + } else { + ESP_ERROR("fifo overrun\n"); diff --git a/pygrub-handle-one-line-menu-entries.patch b/pygrub-handle-one-line-menu-entries.patch new file mode 100644 index 0000000..af2f9ed --- /dev/null +++ b/pygrub-handle-one-line-menu-entries.patch @@ -0,0 +1,59 @@ +References: bsc#978413 + +The parsing code can't handle a single line menu entry. +For example: menuentry 'halt' { halt } +Force it to fall through where it will handle the closing brace. +Also change warning to debug to cut down on verbose output. + +Index: xen-4.7.0-testing/tools/pygrub/src/GrubConf.py +=================================================================== +--- xen-4.7.0-testing.orig/tools/pygrub/src/GrubConf.py ++++ xen-4.7.0-testing/tools/pygrub/src/GrubConf.py +@@ -147,7 +147,7 @@ class GrubImage(_GrubImage): + else: + logging.info("Ignored image directive %s" %(com,)) + else: +- logging.warning("Unknown image directive %s" %(com,)) ++ logging.debug("Unknown image directive %s" %(com,)) + + # now put the line in the list of lines + if replace is None: +@@ -302,7 +302,7 @@ class GrubConfigFile(_GrubConfigFile): + else: + logging.info("Ignored directive %s" %(com,)) + else: +- logging.warning("Unknown directive %s" %(com,)) ++ logging.debug("Unknown directive %s" %(com,)) + + if img: + self.add_image(GrubImage(title, img)) +@@ -336,7 +336,7 @@ class Grub2Image(_GrubImage): + elif com.startswith('set:'): + pass + else: +- logging.warning("Unknown image directive %s" %(com,)) ++ logging.debug("Unknown image directive %s" %(com,)) + + # now put the line in the list of lines + if replace is None: +@@ -401,7 +401,10 @@ class Grub2ConfigFile(_GrubConfigFile): + raise RuntimeError, "syntax error: cannot nest menuentry (%d %s)" % (len(img),img) + img = [] + title = title_match.group(1) +- continue ++ if not l.endswith('}'): ++ continue ++ # One line menuentry, Ex. menuentry 'halt' { halt } ++ l = '}' + + if l.startswith("submenu"): + menu_level += 1 +@@ -440,7 +443,7 @@ class Grub2ConfigFile(_GrubConfigFile): + elif com.startswith('set:'): + pass + else: +- logging.warning("Unknown directive %s" %(com,)) ++ logging.debug("Unknown directive %s" %(com,)) + + if img is not None: + raise RuntimeError, "syntax error: end of file with open menuentry(%d %s)" % (len(img),img) diff --git a/xen.changes b/xen.changes index 7bc16e1..975020d 100644 --- a/xen.changes +++ b/xen.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Jul 28 05:23:12 MDT 2016 - carnold@suse.com + +- bsc#978413 - PV guest upgrade from sles11sp4 to sles12sp2 alpha3 + failed on sles11sp4 xen host. + pygrub-handle-one-line-menu-entries.patch + +------------------------------------------------------------------- +Wed Jul 27 14:09:06 MDT 2016 - carnold@suse.com + +- bsc#990843 - VUL-1: CVE-2016-6351: xen: qemu: scsi: esp: OOB + write access in esp_do_dma + CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch + ------------------------------------------------------------------- Thu Jun 23 09:45:38 MDT 2016 - carnold@suse.com diff --git a/xen.spec b/xen.spec index c124ead..ce52705 100644 --- a/xen.spec +++ b/xen.spec @@ -165,7 +165,7 @@ BuildRequires: xorg-x11-util-devel %endif %endif -Version: 4.7.0_08 +Version: 4.7.0_09 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0 @@ -238,6 +238,7 @@ Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-i Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch Patch279: CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch Patch280: CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch +Patch281: CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch # qemu-traditional patches that are not upstream Patch350: blktap.patch Patch351: cdrom-removable.patch @@ -280,13 +281,14 @@ Patch453: stdvga-cache.patch Patch454: ipxe-enable-nics.patch Patch455: pygrub-netware-xnloader.patch Patch456: pygrub-boot-legacy-sles.patch -Patch457: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch -Patch458: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch -Patch459: libxl.pvscsi.patch -Patch460: xen.libxl.dmmd.patch -Patch461: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch -Patch462: blktap2-no-uninit.patch -Patch463: libxl.set-migration-constraints-from-cmdline.patch +Patch457: pygrub-handle-one-line-menu-entries.patch +Patch458: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch +Patch459: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch +Patch460: libxl.pvscsi.patch +Patch461: xen.libxl.dmmd.patch +Patch462: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch +Patch463: blktap2-no-uninit.patch +Patch464: libxl.set-migration-constraints-from-cmdline.patch # Hypervisor and PV driver Patches Patch501: x86-ioapic-ack-default.patch Patch502: x86-cpufreq-report.patch @@ -559,6 +561,7 @@ Authors: %patch278 -p1 %patch279 -p1 %patch280 -p1 +%patch281 -p1 # Qemu traditional %patch350 -p1 %patch351 -p1 @@ -608,6 +611,7 @@ Authors: %patch461 -p1 %patch462 -p1 %patch463 -p1 +%patch464 -p1 # Hypervisor and PV driver Patches %patch501 -p1 %patch502 -p1