diff -u qemu-kvm-1.0+noroms/debian/changelog qemu-kvm-1.0+noroms/debian/changelog --- qemu-kvm-1.0+noroms/debian/changelog +++ qemu-kvm-1.0+noroms/debian/changelog @@ -1,3 +1,110 @@ +qemu-kvm (1.0+noroms-0ubuntu14.30) precise-security; urgency=medium + + * SECURITY REGRESSION: crash on migration with memory stats enabled + (LP: #1612089) + - debian/patches/CVE-2016-5403.patch: disable for now pending + investigation. + + -- Marc Deslauriers Fri, 12 Aug 2016 08:49:38 -0400 + +qemu-kvm (1.0+noroms-0ubuntu14.29) precise-security; urgency=medium + + * SECURITY UPDATE: infinite loop in vmware_vga + - debian/patches/CVE-2016-4453.patch: limit fifo commands in + hw/vmware_vga.c. + - CVE-2016-4453 + * SECURITY UPDATE: DoS or host memory leakage in vmware_vga + - debian/patches/CVE-2016-4454.patch: fix sanity checks in + hw/vmware_vga.c. + - CVE-2016-4454 + * SECURITY UPDATE: DoS via unbounded memory allocation + - debian/patches/CVE-2016-5403.patch: check size in hw/virtio.c. + - CVE-2016-5403 + + -- Marc Deslauriers Thu, 04 Aug 2016 07:50:42 -0400 + +qemu-kvm (1.0+noroms-0ubuntu14.28) precise-security; urgency=medium + + * SECURITY UPDATE: denial of service via multiple eof_timers in ohci + - debian/patches/CVE-2016-2391.patch: allocate timer only once in + hw/usb-ohci.c. + - CVE-2016-2391 + * SECURITY UPDATE: denial of service in in remote NDIS control message + handling + - debian/patches/CVE-2016-2392.patch: check USB configuration + descriptor object in hw/usb-net.c. + - CVE-2016-2392 + * SECURITY UPDATE: denial of service or host information leak in USB Net + device emulation support + - debian/patches/CVE-2016-2538.patch: check RNDIS buffer offsets and + length in hw/usb-net.c. + - CVE-2016-2538 + * SECURITY UPDATE: denial of service via infinite loop in ne2000 + - debian/patches/CVE-2016-2841.patch: heck ring buffer control + registers in hw/ne2000.c. + - CVE-2016-2841 + * SECURITY UPDATE: denial of service via payload length in crafted packet + - debian/patches/CVE-2016-2857.patch: check packet payload length in + net/checksum.c. + - CVE-2016-2857 + * SECURITY UPDATE: arbitrary host code execution via VGA module + - debian/patches/CVE-2016-3710.patch: fix banked access bounds checking + in hw/vga.c. + - CVE-2016-3710 + * SECURITY UPDATE: denial of service via VGA module + - debian/patches/CVE-2016-3712.patch: make sure vga register setup for + vbe stays intact in hw/vga.c. + - CVE-2016-3712 + * SECURITY UPDATE: denial of service in Luminary Micro Stellaris Ethernet + - debian/patches/CVE-2016-4001.patch: check packet length against + receive buffer in hw/stellaris_enet.c. + - CVE-2016-4001 + * SECURITY UPDATE: denial of sevice and possible code execution in + MIPSnet + - debian/patches/CVE-2016-4002.patch: check size in hw/mipsnet.c. + - CVE-2016-4002 + * SECURITY UPDATE: denial of service via infinite loop in in usb_ehci + - debian/patches/CVE-2016-4037.patch: apply limit to iTD/sidt + descriptors in hw/usb-ehci.c. + - CVE-2016-4037 + + -- Marc Deslauriers Wed, 11 May 2016 08:24:36 -0400 + +qemu-kvm (1.0+noroms-0ubuntu14.27) precise-security; urgency=medium + + * SECURITY UPDATE: vnc floating point exception + - debian/patches/CVE-2015-8504.patch: handle zero values in ui/vnc.c. + - CVE-2015-8504 + * SECURITY UPDATE: paravirtualized drivers incautious about shared memory + contents + - debian/patches/CVE-2015-8550-1.patch: avoid double access in + hw/xen_blkif.h. + - debian/patches/CVE-2015-8550-2.patch: avoid reading twice in + hw/xenfb.c. + - CVE-2015-8550 + * SECURITY UPDATE: infinite loop in ehci_advance_state + - debian/patches/CVE-2015-8558.patch: make idt processing more robust + in hw/usb-ehci.c. + - CVE-2015-8558 + * SECURITY UPDATE: ne2000 OOB r/w in ioport operations + - debian/patches/CVE-2015-8743.patch: fix bounds check in ioport + operations in hw/ne2000.c. + - CVE-2015-8743 + * SECURITY UPDATE: ahci use-after-free vulnerability in aio port commands + - debian/patches/CVE-2016-1568.patch: reset ncq object to unused on + error in hw/ide/ahci.c. + - CVE-2016-1568 + * SECURITY UPDATE: firmware configuration device OOB rw access + - debian/patches/CVE-2016-1714.patch: avoid calculating invalid current + entry pointer in hw/fw_cfg.c. + - CVE-2016-1714 + * SECURITY UPDATE: e1000 infinite loop + - debian/patches/CVE-2016-1981.patch: eliminate infinite loops on + out-of-bounds transfer start in hw/e1000.c. + - CVE-2016-1981 + + -- Marc Deslauriers Tue, 02 Feb 2016 08:33:07 -0500 + qemu-kvm (1.0+noroms-0ubuntu14.26) precise-security; urgency=medium * SECURITY UPDATE: denial of service via jumbo frame flood in virtio diff -u qemu-kvm-1.0+noroms/debian/patches/series qemu-kvm-1.0+noroms/debian/patches/series --- qemu-kvm-1.0+noroms/debian/patches/series +++ qemu-kvm-1.0+noroms/debian/patches/series @@ -86,0 +87,21 @@ +CVE-2015-8504.patch +CVE-2015-8550-1.patch +CVE-2015-8550-2.patch +CVE-2015-8558.patch +CVE-2015-8743.patch +CVE-2016-1568.patch +CVE-2016-1714.patch +CVE-2016-1981.patch +CVE-2016-2391.patch +CVE-2016-2392.patch +CVE-2016-2538.patch +CVE-2016-2841.patch +CVE-2016-2857.patch +CVE-2016-3710.patch +CVE-2016-3712.patch +CVE-2016-4001.patch +CVE-2016-4002.patch +CVE-2016-4037.patch +CVE-2016-4454.patch +CVE-2016-4453.patch +#CVE-2016-5403.patch only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-3710.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-3710.patch @@ -0,0 +1,106 @@ +Backport of: + +From 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 26 Apr 2016 08:49:10 +0200 +Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710) + +vga allows banked access to video memory using the window at 0xa00000 +and it supports a different access modes with different address +calculations. + +The VBE bochs extentions support banked access too, using the +VBE_DISPI_INDEX_BANK register. The code tries to take the different +address calculations into account and applies different limits to +VBE_DISPI_INDEX_BANK depending on the current access mode. + +Which is probably effective in stopping misprogramming by accident. +But from a security point of view completely useless as an attacker +can easily change access modes after setting the bank register. + +Drop the bogus check, add range checks to vga_mem_{readb,writeb} +instead. + +Fixes: CVE-2016-3710 +Reported-by: Qinghao Tang +Signed-off-by: Gerd Hoffmann +--- + hw/display/vga.c | 24 ++++++++++++++++++------ + 1 files changed, 18 insertions(+), 6 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/vga.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/vga.c 2016-05-11 08:00:32.637502876 -0400 ++++ qemu-kvm-1.0+noroms/hw/vga.c 2016-05-11 08:02:58.396462445 -0400 +@@ -183,6 +183,7 @@ + } + base += isa_mem_base; + region = g_malloc(sizeof(*region)); ++ assert(offset + size <= s->vram_size); + memory_region_init_alias(region, "vga.chain4", &s->vram, offset, size); + memory_region_add_subregion_overlap(s->legacy_address_space, base, + region, 2); +@@ -644,11 +645,7 @@ + } + break; + case VBE_DISPI_INDEX_BANK: +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- val &= (s->vbe_bank_mask >> 2); +- } else { +- val &= s->vbe_bank_mask; +- } ++ val &= s->vbe_bank_mask; + s->vbe_regs[s->vbe_index] = val; + s->bank_offset = (val << 16); + vga_update_memory_access(s); +@@ -786,13 +783,21 @@ + + if (s->sr[4] & 0x08) { + /* chain 4 mode : simplest access */ ++ assert(addr < s->vram_size); + ret = s->vram_ptr[addr]; + } else if (s->gr[5] & 0x10) { + /* odd/even mode (aka text mode mapping) */ + plane = (s->gr[4] & 2) | (addr & 1); +- ret = s->vram_ptr[((addr & ~1) << 1) | plane]; ++ addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return 0xff; ++ } ++ ret = s->vram_ptr[addr]; + } else { + /* standard VGA latched access */ ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return 0xff; ++ } + s->latch = ((uint32_t *)s->vram_ptr)[addr]; + + if (!(s->gr[5] & 0x08)) { +@@ -848,6 +853,7 @@ + plane = addr & 3; + mask = (1 << plane); + if (s->sr[2] & mask) { ++ assert(addr < s->vram_size); + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); +@@ -861,6 +867,9 @@ + mask = (1 << plane); + if (s->sr[2] & mask) { + addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return; ++ } + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr); +@@ -933,6 +942,9 @@ + mask = s->sr[2]; + s->plane_updated |= mask; /* only used to detect font change */ + write_mask = mask16[mask]; ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return; ++ } + ((uint32_t *)s->vram_ptr)[addr] = + (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | + (val & write_mask); only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2015-8504.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2015-8504.patch @@ -0,0 +1,43 @@ +Backport of: + +From 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 3 Dec 2015 18:54:17 +0530 +Subject: [PATCH] ui: vnc: avoid floating point exception + +While sending 'SetPixelFormat' messages to a VNC server, +the client could set the 'red-max', 'green-max' and 'blue-max' +values to be zero. This leads to a floating point exception in +write_png_palette while doing frame buffer updates. + +Reported-by: Lian Yihan +Signed-off-by: Prasad J Pandit +Reviewed-by: Gerd Hoffmann +Signed-off-by: Peter Maydell +--- + ui/vnc.c | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +Index: qemu-kvm-1.0+noroms/ui/vnc.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/ui/vnc.c 2016-02-02 08:13:21.977145894 -0500 ++++ qemu-kvm-1.0+noroms/ui/vnc.c 2016-02-02 08:13:57.713549991 -0500 +@@ -1838,15 +1838,15 @@ + } + + vs->clientds = *(vs->vd->guest.ds); +- vs->clientds.pf.rmax = red_max; ++ vs->clientds.pf.rmax = red_max ? red_max : 0xFF; + vs->clientds.pf.rbits = hweight_long(red_max); + vs->clientds.pf.rshift = red_shift; + vs->clientds.pf.rmask = red_max << red_shift; +- vs->clientds.pf.gmax = green_max; ++ vs->clientds.pf.gmax = green_max ? green_max : 0xFF; + vs->clientds.pf.gbits = hweight_long(green_max); + vs->clientds.pf.gshift = green_shift; + vs->clientds.pf.gmask = green_max << green_shift; +- vs->clientds.pf.bmax = blue_max; ++ vs->clientds.pf.bmax = blue_max ? blue_max : 0xFF; + vs->clientds.pf.bbits = hweight_long(blue_max); + vs->clientds.pf.bshift = blue_shift; + vs->clientds.pf.bmask = blue_max << blue_shift; only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2015-8558.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2015-8558.patch @@ -0,0 +1,47 @@ +Backport of: + +From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 14 Dec 2015 09:21:23 +0100 +Subject: [PATCH] ehci: make idt processing more robust + +Make ehci_process_itd return an error in case we didn't do any actual +iso transfer because we've found no active transaction. That'll avoid +ehci happily run in circles forever if the guest builds a loop out of +idts. + +This is CVE-2015-8558. + +Cc: qemu-stable@nongnu.org +Reported-by: Qinghao Tang +Tested-by: P J P +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/usb-ehci.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/usb-ehci.c 2016-02-02 08:17:21.739851057 -0500 ++++ qemu-kvm-1.0+noroms/hw/usb-ehci.c 2016-02-02 08:18:05.140339252 -0500 +@@ -1408,7 +1408,7 @@ + USBPort *port; + USBDevice *dev; + int ret; +- uint32_t i, j, len, pid, dir, devaddr, endp; ++ uint32_t i, j, len, pid, dir, devaddr, endp, xfers = 0; + uint32_t pg, off, ptr1, ptr2, max, mult; + + dir =(itd->bufptr[1] & ITD_BUFPTR_DIRECTION); +@@ -1513,9 +1513,10 @@ + } + } + itd->transact[i] &= ~ITD_XACT_ACTIVE; ++ xfers++; + } + } +- return 0; ++ return xfers ? 0 : -1; + } + + /* This state is the entry point for asynchronous schedule only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2015-8550-1.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2015-8550-1.patch @@ -0,0 +1,51 @@ +Backport of: + +From f9e98e5d7a67367b862941e339a98b8322fa0cea Mon Sep 17 00:00:00 2001 +From: Stefano Stabellini +Date: Fri, 18 Dec 2015 15:09:58 +0000 +Subject: [PATCH] xen/blkif: Avoid double access to src->nr_segments + +src is stored in shared memory and src->nr_segments is dereferenced +twice at the end of the function. If a compiler decides to compile this +into two separate memory accesses then the size limitation could be +bypassed. + +Fix it by removing the double access to src->nr_segments. + +This is part of XSA-155. + +Signed-off-by: Stefano Stabellini +--- + hw/block/xen_blkif.h | 12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +Index: qemu-2.0.0+dfsg/hw/xen_blkif.h +=================================================================== +--- qemu-2.0.0+dfsg.orig/hw/xen_blkif.h 2016-02-02 07:23:50.573030994 -0500 ++++ qemu-2.0.0+dfsg/hw/xen_blkif.h 2016-02-02 07:25:26.142033886 -0500 +@@ -79,8 +79,10 @@ + dst->handle = src->handle; + dst->id = src->id; + dst->sector_number = src->sector_number; +- if (n > src->nr_segments) +- n = src->nr_segments; ++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ ++ barrier(); ++ if (n > dst->nr_segments) ++ n = dst->nr_segments; + for (i = 0; i < n; i++) + dst->seg[i] = src->seg[i]; + } +@@ -94,8 +96,10 @@ + dst->handle = src->handle; + dst->id = src->id; + dst->sector_number = src->sector_number; +- if (n > src->nr_segments) +- n = src->nr_segments; ++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ ++ barrier(); ++ if (n > dst->nr_segments) ++ n = dst->nr_segments; + for (i = 0; i < n; i++) + dst->seg[i] = src->seg[i]; + } only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-2538.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-2538.patch @@ -0,0 +1,58 @@ +Backport of: + +From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 17 Feb 2016 00:23:41 +0530 +Subject: [PATCH] usb: check RNDIS buffer offsets & length + +When processing remote NDIS control message packets, +the USB Net device emulator uses a fixed length(4096) data buffer. +The incoming informationBufferOffset & Length combination could +overflow and cross that range. Check control message buffer +offsets and length to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/dev-network.c | 9 ++++++--- + 1 files changed, 6 insertions(+), 3 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/usb-net.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/usb-net.c 2016-05-11 07:32:53.449397944 -0400 ++++ qemu-kvm-1.0+noroms/hw/usb-net.c 2016-05-11 07:55:14.491226035 -0400 +@@ -908,8 +908,9 @@ + + bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; + buflen = le32_to_cpu(buf->InformationBufferLength); +- if (bufoffs + buflen > length) ++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { + return USB_RET_STALL; ++ } + + infobuflen = ndis_query(s, le32_to_cpu(buf->OID), + bufoffs + (uint8_t *) buf, buflen, infobuf, +@@ -954,8 +955,9 @@ + + bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; + buflen = le32_to_cpu(buf->InformationBufferLength); +- if (bufoffs + buflen > length) ++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { + return USB_RET_STALL; ++ } + + ret = ndis_set(s, le32_to_cpu(buf->OID), + bufoffs + (uint8_t *) buf, buflen); +@@ -1209,8 +1211,9 @@ + if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { + uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); + uint32_t size = le32_to_cpu(msg->DataLength); +- if (offs + size <= len) ++ if (offs < len && size < len && offs + size <= len) { + qemu_send_packet(&s->nic->nc, s->out_buf + offs, size); ++ } + } + s->out_ptr -= len; + memmove(s->out_buf, &s->out_buf[len], s->out_ptr); only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-1981.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-1981.patch @@ -0,0 +1,27 @@ +Description: eliminate infinite loops on out-of-bounds transfer start +Origin: backport, https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03454.html + +Index: qemu-kvm-1.0+noroms/hw/e1000.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/e1000.c 2016-02-02 08:28:07.363069855 -0500 ++++ qemu-kvm-1.0+noroms/hw/e1000.c 2016-02-02 08:28:07.319069367 -0500 +@@ -559,7 +559,8 @@ + * bogus values to TDT/TDLEN. + * there's nothing too intelligent we could do about this. + */ +- if (s->mac_reg[TDH] == tdh_start) { ++ if (s->mac_reg[TDH] == tdh_start || ++ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { + DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", + tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); + break; +@@ -762,7 +763,8 @@ + s->mac_reg[RDH] = 0; + s->check_rxov = 1; + /* see comment in start_xmit; same here */ +- if (s->mac_reg[RDH] == rdh_start) { ++ if (s->mac_reg[RDH] == rdh_start || ++ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { + DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", + rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); + set_ics(s, 0, E1000_ICS_RXO); only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2015-8743.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2015-8743.patch @@ -0,0 +1,47 @@ +Backport of: + +From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 31 Dec 2015 17:05:27 +0530 +Subject: [PATCH] net: ne2000: fix bounds check in ioport operations + +While doing ioport r/w operations, ne2000 device emulation suffers +from OOB r/w errors. Update respective array bounds check to avoid +OOB access. + +Reported-by: Ling Liu +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/ne2000.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/ne2000.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/ne2000.c 2016-02-02 08:22:14.967141013 -0500 ++++ qemu-kvm-1.0+noroms/hw/ne2000.c 2016-02-02 08:24:49.736869767 -0500 +@@ -499,8 +499,9 @@ + uint32_t val) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + cpu_to_le32wu((uint32_t *)(s->mem + addr), val); + } + } +@@ -529,8 +530,9 @@ + static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + return le32_to_cpupu((uint32_t *)(s->mem + addr)); + } else { + return 0xffffffff; only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-2391.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-2391.patch @@ -0,0 +1,36 @@ +Backport of: + +From: Prasad J Pandit + +When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL +state, it creates an eof timer object in 'ohci_bus_start'. +It does not check if one already exists. This results in memory +leakage and null dereference issue. Add a check to avoid it. + +Reported-by: Zuozhi Fzz +Signed-off-by: Prasad J Pandit +--- + hw/usb/hcd-ohci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/usb-ohci.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/usb-ohci.c 2011-12-04 05:38:06.000000000 -0500 ++++ qemu-kvm-1.0+noroms/hw/usb-ohci.c 2016-05-11 07:30:09.839843854 -0400 +@@ -1236,11 +1236,11 @@ + */ + static int ohci_bus_start(OHCIState *ohci) + { +- ohci->eof_timer = qemu_new_timer_ns(vm_clock, +- ohci_frame_boundary, +- ohci); +- +- if (ohci->eof_timer == NULL) { ++ if (!ohci->eof_timer) { ++ ohci->eof_timer = qemu_new_timer_ns(vm_clock, ++ ohci_frame_boundary, ohci); ++ } ++ if (!ohci->eof_timer) { + fprintf(stderr, "usb-ohci: %s: qemu_new_timer_ns failed\n", ohci->name); + /* TODO: Signal unrecoverable error */ + return 0; only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-5403.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-5403.patch @@ -0,0 +1,64 @@ +Backport of: + +From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Tue, 19 Jul 2016 13:07:13 +0100 +Subject: [PATCH] virtio: error out if guest exceeds virtqueue size + +A broken or malicious guest can submit more requests than the virtqueue +size permits, causing unbounded memory allocation in QEMU. + +The guest can submit requests without bothering to wait for completion +and is therefore not bound by virtqueue size. This requires reusing +vring descriptors in more than one request, which is not allowed by the +VIRTIO 1.0 specification. + +In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification +says: + + 1. The driver places the buffer into free descriptor(s) in the + descriptor table, chaining as necessary + +and + + Note that the above code does not take precautions against the + available ring buffer wrapping around: this is not possible since the + ring buffer is the same size as the descriptor table, so step (1) will + prevent such a condition. + +This implies that placing more buffers into the virtqueue than the +descriptor table size is not allowed. + +QEMU is missing the check to prevent this case. Processing a request +allocates a VirtQueueElement leading to unbounded memory allocation +controlled by the guest. + +Exit with an error if the guest provides more requests than the +virtqueue size permits. This bounds memory allocation and makes the +buggy guest visible to the user. + +This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 +Marvel Team, China. + +Reported-by: Zhenhao Hong +Signed-off-by: Stefan Hajnoczi +--- + hw/virtio/virtio.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/virtio.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/virtio.c 2016-08-04 07:46:10.853064092 -0400 ++++ qemu-kvm-1.0+noroms/hw/virtio.c 2016-08-04 07:46:10.849064058 -0400 +@@ -452,6 +452,11 @@ + + max = vq->vring.num; + ++ if (vq->inuse >= vq->vring.num) { ++ error_report("Virtqueue size exceeded"); ++ exit(1); ++ } ++ + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); + if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) { + vring_avail_event(vq, vring_avail_idx(vq)); only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-2857.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-2857.patch @@ -0,0 +1,44 @@ +From 362786f14a753d8a5256ef97d7c10ed576d6572b Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 2 Mar 2016 17:29:58 +0530 +Subject: [PATCH] net: check packet payload length + +While computing IP checksum, 'net_checksum_calculate' reads +payload length from the packet. It could exceed the given 'data' +buffer size. Add a check to avoid it. + +Reported-by: Liu Ling +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + net/checksum.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +Index: qemu-kvm-1.0+noroms/net/checksum.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/net/checksum.c 2016-05-11 07:57:26.038246202 -0400 ++++ qemu-kvm-1.0+noroms/net/checksum.c 2016-05-11 07:57:26.038246202 -0400 +@@ -57,6 +57,11 @@ + int hlen, plen, proto, csum_offset; + uint16_t csum; + ++ /* Ensure data has complete L2 & L3 headers. */ ++ if (length < 14 + 20) { ++ return; ++ } ++ + if ((data[14] & 0xf0) != 0x40) + return; /* not IPv4 */ + hlen = (data[14] & 0x0f) * 4; +@@ -74,8 +79,9 @@ + return; + } + +- if (plen < csum_offset+2) +- return; ++ if (plen < csum_offset + 2 || 14 + hlen + plen > length) { ++ return; ++ } + + data[14+hlen+csum_offset] = 0; + data[14+hlen+csum_offset+1] = 0; only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-1714.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-1714.patch @@ -0,0 +1,96 @@ +Backport of: + +From 5d12c17191e042a57e02749cedc55104a8251ac3 Mon Sep 17 00:00:00 2001 +From: Miroslav Rezanina +Date: Thu, 21 Jan 2016 07:17:43 +0100 +Subject: [PATCH] fw_cfg: add check to validate current entry value + (CVE-2016-1714) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <1453360663-5066-1-git-send-email-mrezanin@redhat.com> +Patchwork-id: 68834 +O-Subject: [RHEL-7.2.z/RHEL-7.3 qemu-kvm PATCH] fw_cfg: add check to validate current entry value (CVE-2016-1714) +Bugzilla: 1298047 +RH-Acked-by: Laurent Vivier +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Gerd Hoffmann + +From: Prasad J Pandit + +When processing firmware configurations, an OOB r/w access occurs +if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff). +Add a check to validate 's->cur_entry' to avoid such access. + +This patch is based on upstream commit 66f8fd9dda312191b78d2a2ba2848bcee76127a2 + Author: Gabriel L. Somlo + Date: Thu Nov 5 09:32:50 2015 -0500 + + fw_cfg: avoid calculating invalid current entry pointer + + When calculating a pointer to the currently selected fw_cfg item, the + following is used: + + FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + When s->cur_entry is FW_CFG_INVALID, we are calculating the address of + a non-existent element in s->entries[arch][...], which is undefined. + + This patch ensures the resulting entry pointer is set to NULL whenever + s->cur_entry is FW_CFG_INVALID. + + Reported-by: Laszlo Ersek + Reviewed-by: Laszlo Ersek + Signed-off-by: Gabriel Somlo + Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu + Cc: Marc Marí + Signed-off-by: Gabriel Somlo + Reviewed-by: Laszlo Ersek + Signed-off-by: Gerd Hoffmann + +with added chunk for fw_cfg_write() that was removed in commit +023e3148567ac898c7258138f8e86c3c2bb40d07 +and missing chunk for fw_cfg_dma_transfer that was added in commit +a4c0d1deb785611c96a455f65ec032976b00b36f. + +Reported-by: Donghai Zdh +Signed-off-by: Prasad J Pandit +Signed-off-by: Miroslav Rezanina +--- + hw/nvram/fw_cfg.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/fw_cfg.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/fw_cfg.c 2016-02-02 08:26:19.113865767 -0500 ++++ qemu-kvm-1.0+noroms/hw/fw_cfg.c 2016-02-02 08:27:09.942431448 -0500 +@@ -184,12 +184,15 @@ + static void fw_cfg_write(FWCfgState *s, uint8_t value) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + FW_CFG_DPRINTF("write %d\n", value); + +- if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback && +- s->cur_offset < e->len) { ++ if (s->cur_entry & FW_CFG_WRITE_CHANNEL ++ && e != NULL ++ && e->callback ++ && s->cur_offset < e->len) { + e->data[s->cur_offset++] = value; + if (s->cur_offset == e->len) { + e->callback(e->callback_opaque, e->data); +@@ -219,7 +222,8 @@ + static uint8_t fw_cfg_read(FWCfgState *s) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + uint8_t ret; + + if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-4037.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-4037.patch @@ -0,0 +1,61 @@ +Backport of: + +From 1ae3f2f178087711f9591350abad133525ba93f2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 18 Apr 2016 09:11:38 +0200 +Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a +DoS by the guest (create a circular iTD queue and let qemu ehci +emulation run in circles forever). Unfortunately this has two problems: +First it misses the case of siTDs, and second it reportedly breaks +FreeBSD. + +So lets go for a different approach: just count the number of iTDs and +siTDs we have seen per frame and apply a limit. That should really +catch all cases now. + +Reported-by: 杜少博 +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 6 +++++- + 1 files changed, 5 insertions(+), 1 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/usb-ehci.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/usb-ehci.c 2016-05-11 08:15:01.119183424 -0400 ++++ qemu-kvm-1.0+noroms/hw/usb-ehci.c 2016-05-11 08:23:02.155914843 -0400 +@@ -1985,6 +1985,7 @@ + int async) + { + EHCIQueue *q = NULL; ++ int itd_count = 0; + int again; + int iter = 0; + +@@ -2020,10 +2021,12 @@ + + case EST_FETCHITD: + again = ehci_state_fetchitd(ehci, async); ++ itd_count++; + break; + + case EST_FETCHSITD: + again = ehci_state_fetchsitd(ehci, async); ++ itd_count++; + break; + + case EST_ADVANCEQUEUE: +@@ -2060,7 +2063,8 @@ + break; + } + +- if (again < 0) { ++ if (again < 0 || itd_count > 16) { ++ /* TODO: notify guest (raise HSE irq?) */ + fprintf(stderr, "processing error - resetting ehci HC\n"); + ehci_reset(ehci); + again = 0; only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-1568.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-1568.patch @@ -0,0 +1,38 @@ +Backport of: + +From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 11 Jan 2016 14:10:42 -0500 +Subject: [PATCH] ide: ahci: reset ncq object to unused on error + +When processing NCQ commands, AHCI device emulation prepares a +NCQ transfer object; To which an aio control block(aiocb) object +is assigned in 'execute_ncq_command'. In case, when the NCQ +command is invalid, the 'aiocb' object is not assigned, and NCQ +transfer object is left as 'used'. This leads to a use after +free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. +Reset NCQ transfer object to 'unused' to avoid it. + +[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Reviewed-by: John Snow +Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com +Signed-off-by: John Snow +--- + hw/ide/ahci.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/ide/ahci.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/ide/ahci.c 2016-02-02 08:25:36.937395969 -0500 ++++ qemu-kvm-1.0+noroms/hw/ide/ahci.c 2016-02-02 08:25:36.885395390 -0500 +@@ -833,6 +833,7 @@ + default: + DPRINTF(port, "error: tried to process non-NCQ command as NCQ\n"); + qemu_sglist_destroy(&ncq_tfs->sglist); ++ ncq_tfs->used = 0; + break; + } + } only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2015-8550-2.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2015-8550-2.patch @@ -0,0 +1,48 @@ +Backport of: + +From 7ea11bf376aea4bf8340eb363de9777c7f93e556 Mon Sep 17 00:00:00 2001 +From: Stefano Stabellini +Date: Fri, 18 Dec 2015 15:10:09 +0000 +Subject: [PATCH] xenfb: avoid reading twice the same fields from the shared page + +Reading twice the same field could give the guest an attack of +opportunity. In the case of event->type, gcc could compile the switch +statement into a jump table, effectively ending up reading the type +field multiple times. + +This is part of XSA-155. + +Signed-off-by: Stefano Stabellini +--- + hw/display/xenfb.c | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/xenfb.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/xenfb.c 2016-02-02 08:15:41.274719246 -0500 ++++ qemu-kvm-1.0+noroms/hw/xenfb.c 2016-02-02 08:15:41.238718840 -0500 +@@ -801,18 +801,20 @@ + + static void xenfb_handle_events(struct XenFB *xenfb) + { +- uint32_t prod, cons; ++ uint32_t prod, cons, out_cons; + struct xenfb_page *page = xenfb->c.page; + + prod = page->out_prod; +- if (prod == page->out_cons) ++ out_cons = page->out_cons; ++ if (prod == out_cons) + return; + xen_rmb(); /* ensure we see ring contents up to prod */ +- for (cons = page->out_cons; cons != prod; cons++) { ++ for (cons = out_cons; cons != prod; cons++) { + union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); ++ uint8_t type = event->type; + int x, y, w, h; + +- switch (event->type) { ++ switch (type) { + case XENFB_TYPE_UPDATE: + if (xenfb->up_count == UP_QUEUE) + xenfb->up_fullscreen = 1; only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-4002.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-4002.patch @@ -0,0 +1,30 @@ +Backport of: + +From: Prasad J Pandit + +When receiving packets over MIPSnet network device, it uses + receive buffer of size 1514 bytes. In case the controller +accepts large(MTU) packets, it could lead to memory corruption. +Add check to avoid it. + +Reported by: Oleksandr Bazhaniuk + +Signed-off-by: Prasad J Pandit +--- + hw/net/mipsnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: qemu-kvm-1.0+noroms/hw/mipsnet.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/mipsnet.c 2016-05-11 08:18:25.141132828 -0400 ++++ qemu-kvm-1.0+noroms/hw/mipsnet.c 2016-05-11 08:18:25.137132791 -0400 +@@ -79,6 +79,9 @@ + if (!mipsnet_can_receive(nc)) + return -1; + ++ if (size >= sizeof(s->rx_buffer)) { ++ return 0; ++ } + s->busy = 1; + + /* Just accept everything. */ only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-2841.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-2841.patch @@ -0,0 +1,36 @@ +Backport of: + +From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 24 Feb 2016 11:41:33 +0530 +Subject: [PATCH] net: ne2000: check ring buffer control registers + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. Registers PSTART & PSTOP +define ring buffer size & location. Setting these registers +to invalid values could lead to infinite loop or OOB r/w +access issues. Add check to avoid it. + +Reported-by: Yang Hongke +Tested-by: Yang Hongke +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/ne2000.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/ne2000.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/ne2000.c 2016-05-11 07:55:54.696238059 -0400 ++++ qemu-kvm-1.0+noroms/hw/ne2000.c 2016-05-11 07:56:31.597093190 -0400 +@@ -178,6 +178,10 @@ + { + int avail, index, boundary; + ++ if (s->stop <= s->start) { ++ return 1; ++ } ++ + index = s->curpag << 8; + boundary = s->boundary << 8; + if (index < boundary) only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-4001.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-4001.patch @@ -0,0 +1,45 @@ +Backport of: + +From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 8 Apr 2016 11:33:48 +0530 +Subject: [PATCH] net: stellaris_enet: check packet length against receive buffer + +When receiving packets over Stellaris ethernet controller, it +uses receive buffer of size 2048 bytes. In case the controller +accepts large(MTU) packets, it could lead to memory corruption. +Add check to avoid it. + +Reported-by: Oleksandr Bazhaniuk +Signed-off-by: Prasad J Pandit +Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +--- + hw/net/stellaris_enet.c | 12 +++++++++++- + 1 files changed, 11 insertions(+), 1 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/stellaris_enet.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/stellaris_enet.c 2016-05-11 08:15:06.343245977 -0400 ++++ qemu-kvm-1.0+noroms/hw/stellaris_enet.c 2016-05-11 08:15:06.343245977 -0400 +@@ -231,8 +231,18 @@ + n = s->next_packet + s->np; + if (n >= 31) + n -= 31; +- s->np++; + ++ if (size >= sizeof(s->rx[n].data) - 6) { ++ /* If the packet won't fit into the ++ * emulated 2K RAM, this is reported ++ * as a FIFO overrun error. ++ */ ++ s->ris |= SE_INT_FOV; ++ stellaris_enet_update(s); ++ return -1; ++ } ++ ++ s->np++; + s->rx[n].len = size + 6; + p = s->rx[n].data; + *(p++) = (size + 6); only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-3712.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-3712.patch @@ -0,0 +1,184 @@ +Description: fix denial of service via VGA module +Origin: backport, http://git.qemu.org/?p=qemu.git;a=commit;h=bfa0f151a564a83b5a26f3e917da98674bf3cf62 +Origin: backport, http://git.qemu.org/?p=qemu.git;a=commit;h=7fa5c2c5dc9f9bf878c1e8669eb9644d70a71e71 +Origin: backport, http://git.qemu.org/?p=qemu.git;a=commit;h=2068192dcccd8a80dddfcc8df6164cf9c26e0fc4 +Origin: backport, http://git.qemu.org/?p=qemu.git;a=commit;h=fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823830 + +Index: qemu-kvm-1.0+noroms/hw/vga.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/vga.c 2016-05-11 08:03:30.281215382 -0400 ++++ qemu-kvm-1.0+noroms/hw/vga.c 2016-05-11 08:13:33.590153418 -0400 +@@ -152,6 +152,13 @@ + static const char *screen_dump_filename; + static DisplayChangeListener *screen_dump_dcl; + ++static void vbe_update_vgaregs(VGACommonState *s); ++ ++static inline bool vbe_enabled(VGACommonState *s) ++{ ++ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; ++} ++ + static void vga_update_memory_access(VGACommonState *s) + { + MemoryRegion *region, *old_region = s->chain4_alias; +@@ -489,6 +496,7 @@ + printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); + #endif + s->sr[s->sr_index] = val & sr_mask[s->sr_index]; ++ vbe_update_vgaregs(s); + if (s->sr_index == 1) s->update_retrace_info(s); + vga_update_memory_access(s); + break; +@@ -518,6 +526,7 @@ + printf("vga: write GR%x = 0x%02x\n", s->gr_index, val); + #endif + s->gr[s->gr_index] = val & gr_mask[s->gr_index]; ++ vbe_update_vgaregs(s); + vga_update_memory_access(s); + break; + case 0x3b4: +@@ -534,9 +543,11 @@ + /* can always write bit 4 of CR7 */ + if (s->cr_index == 7) + s->cr[7] = (s->cr[7] & ~0x10) | (val & 0x10); ++ vbe_update_vgaregs(s); + return; + } + s->cr[s->cr_index] = val; ++ vbe_update_vgaregs(s); + + switch(s->cr_index) { + case 0x00: +@@ -557,6 +568,45 @@ + } + } + ++/* we initialize the VGA graphic mode */ ++static void vbe_update_vgaregs(VGACommonState *s) ++{ ++ int h, shift_control; ++ ++ if (!vbe_enabled(s)) { ++ /* vbe is turned off -- nothing to do */ ++ return; ++ } ++ ++ /* graphic mode + memory map 1 */ ++ s->gr[0x06] = (s->gr[0x06] & ~0x0c) | 0x05; /* graphic mode + memory map 1 */ ++ s->cr[0x17] |= 3; /* no CGA modes */ ++ s->cr[0x13] = s->vbe_line_offset >> 3; ++ /* width */ ++ s->cr[0x01] = (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; ++ /* height (only meaningful if < 1024) */ ++ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; ++ s->cr[0x12] = h; ++ s->cr[0x07] = (s->cr[0x07] & ~0x42) | ++ ((h >> 7) & 0x02) | ((h >> 3) & 0x40); ++ /* line compare to 1023 */ ++ s->cr[0x18] = 0xff; ++ s->cr[0x07] |= 0x10; ++ s->cr[0x09] |= 0x40; ++ ++ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { ++ shift_control = 0; ++ s->sr[0x01] &= ~8; /* no double line */ ++ } else { ++ shift_control = 2; ++ s->sr[4] |= 0x08; /* set chain 4 mode */ ++ s->sr[2] |= 0x0f; /* activate all planes */ ++ } ++ s->gr[0x05] = (s->gr[0x05] & ~0x60) | (shift_control << 5); ++ s->cr[0x09] &= ~0x9f; /* no double scan */ ++} ++ ++ + #ifdef CONFIG_BOCHS_VBE + static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr) + { +@@ -653,7 +703,6 @@ + case VBE_DISPI_INDEX_ENABLE: + if ((val & VBE_DISPI_ENABLED) && + !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { +- int h, shift_control; + + s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = + s->vbe_regs[VBE_DISPI_INDEX_XRES]; +@@ -668,6 +717,7 @@ + s->vbe_line_offset = s->vbe_regs[VBE_DISPI_INDEX_XRES] * + ((s->vbe_regs[VBE_DISPI_INDEX_BPP] + 7) >> 3); + s->vbe_start_addr = 0; ++ vbe_update_vgaregs(s); + + /* clear the screen (should be done in BIOS) */ + if (!(val & VBE_DISPI_NOCLEARMEM)) { +@@ -675,33 +725,6 @@ + s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset); + } + +- /* we initialize the VGA graphic mode (should be done +- in BIOS) */ +- s->gr[0x06] = (s->gr[0x06] & ~0x0c) | 0x05; /* graphic mode + memory map 1 */ +- s->cr[0x17] |= 3; /* no CGA modes */ +- s->cr[0x13] = s->vbe_line_offset >> 3; +- /* width */ +- s->cr[0x01] = (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; +- /* height (only meaningful if < 1024) */ +- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; +- s->cr[0x12] = h; +- s->cr[0x07] = (s->cr[0x07] & ~0x42) | +- ((h >> 7) & 0x02) | ((h >> 3) & 0x40); +- /* line compare to 1023 */ +- s->cr[0x18] = 0xff; +- s->cr[0x07] |= 0x10; +- s->cr[0x09] |= 0x40; +- +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- shift_control = 0; +- s->sr[0x01] &= ~8; /* no double line */ +- } else { +- shift_control = 2; +- s->sr[4] |= 0x08; /* set chain 4 mode */ +- s->sr[2] |= 0x0f; /* activate all planes */ +- } +- s->gr[0x05] = (s->gr[0x05] & ~0x60) | (shift_control << 5); +- s->cr[0x09] &= ~0x9f; /* no double scan */ + } else { + /* XXX: the bios should do that */ + s->bank_offset = 0; +@@ -742,6 +765,7 @@ + else + s->vbe_start_addr += x * ((s->vbe_regs[VBE_DISPI_INDEX_BPP] + 7) >> 3); + s->vbe_start_addr >>= 2; ++ vbe_update_vgaregs(s); + } + break; + default: +@@ -1107,7 +1131,7 @@ + { + uint32_t start_addr, line_offset, line_compare; + #ifdef CONFIG_BOCHS_VBE +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + line_offset = s->vbe_line_offset; + start_addr = s->vbe_start_addr; + line_compare = 65535; +@@ -1534,7 +1558,7 @@ + { + int ret; + #ifdef CONFIG_BOCHS_VBE +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + ret = s->vbe_regs[VBE_DISPI_INDEX_BPP]; + } else + #endif +@@ -1549,7 +1573,7 @@ + int width, height; + + #ifdef CONFIG_BOCHS_VBE +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + width = s->vbe_regs[VBE_DISPI_INDEX_XRES]; + height = s->vbe_regs[VBE_DISPI_INDEX_YRES]; + } else only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-4454.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-4454.patch @@ -0,0 +1,135 @@ +Description: fix DoS or host memory leak in vmware_vga +Origin: backport, http://git.qemu.org/?p=qemu.git;a=commit;h=521360267876d3b6518b328051a2e56bca55bef8 +Origin: backport, http://git.qemu.org/?p=qemu.git;a=commit;h=c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e +Origin: backport, http://git.qemu.org/?p=qemu.git;a=commit;h=7e486f7577764a07aa35588e119903c80a5c30a2 + +Index: qemu-kvm-1.0+noroms/hw/vmware_vga.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/vmware_vga.c 2016-08-04 07:35:54.960012574 -0400 ++++ qemu-kvm-1.0+noroms/hw/vmware_vga.c 2016-08-04 07:38:42.733387728 -0400 +@@ -68,17 +68,11 @@ + uint8_t *fifo_ptr; + unsigned int fifo_size; + +- union { +- uint32_t *fifo; +- struct QEMU_PACKED { +- uint32_t min; +- uint32_t max; +- uint32_t next_cmd; +- uint32_t stop; +- /* Add registers here when adding capabilities. */ +- uint32_t fifo[0]; +- } *cmd; +- }; ++ uint32_t *fifo; ++ uint32_t fifo_min; ++ uint32_t fifo_max; ++ uint32_t fifo_next; ++ uint32_t fifo_stop; + + #define REDRAW_FIFO_LEN 512 + struct vmsvga_rect_s { +@@ -192,7 +186,7 @@ + */ + SVGA_FIFO_MIN = 0, + SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */ +- SVGA_FIFO_NEXT_CMD, ++ SVGA_FIFO_NEXT, + SVGA_FIFO_STOP, + + /* +@@ -542,25 +536,49 @@ + } + #endif + +-#define CMD(f) le32_to_cpu(s->cmd->f) +- + static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) + { + int num; + if (!s->config || !s->enable) + return 0; +- num = CMD(next_cmd) - CMD(stop); ++ ++ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]); ++ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]); ++ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]); ++ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]); ++ ++ /* Check range and alignment. */ ++ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) { ++ return 0; ++ } ++ if (s->fifo_min < sizeof(uint32_t) * 4) { ++ return 0; ++ } ++ if (s->fifo_max > SVGA_FIFO_SIZE || ++ s->fifo_min >= SVGA_FIFO_SIZE || ++ s->fifo_stop >= SVGA_FIFO_SIZE || ++ s->fifo_next >= SVGA_FIFO_SIZE) { ++ return 0; ++ } ++ if (s->fifo_max < s->fifo_min + 10 * 1024) { ++ return 0; ++ } ++ ++ num = s->fifo_next - s->fifo_stop; + if (num < 0) +- num += CMD(max) - CMD(min); ++ num += s->fifo_max - s->fifo_min; + return num >> 2; + } + + static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s) + { +- uint32_t cmd = s->fifo[CMD(stop) >> 2]; +- s->cmd->stop = cpu_to_le32(CMD(stop) + 4); +- if (CMD(stop) >= CMD(max)) +- s->cmd->stop = s->cmd->min; ++ uint32_t cmd = s->fifo[s->fifo_stop >> 2]; ++ ++ s->fifo_stop += 4; ++ if (s->fifo_stop >= s->fifo_max) { ++ s->fifo_stop = s->fifo_min; ++ } ++ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop); + return cmd; + } + +@@ -580,7 +598,7 @@ + len = vmsvga_fifo_length(s); + while (len > 0) { + /* May need to go back to the start of the command if incomplete */ +- cmd_start = s->cmd->stop; ++ cmd_start = s->fifo_stop; + + switch (cmd = vmsvga_fifo_read(s)) { + case SVGA_CMD_UPDATE: +@@ -726,7 +744,8 @@ + break; + + rewind: +- s->cmd->stop = cmd_start; ++ s->fifo_stop = cmd_start; ++ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop); + break; + } + } +@@ -916,16 +935,6 @@ + case SVGA_REG_CONFIG_DONE: + if (value) { + s->fifo = (uint32_t *) s->fifo_ptr; +- /* Check range and alignment. */ +- if ((CMD(min) | CMD(max) | +- CMD(next_cmd) | CMD(stop)) & 3) +- break; +- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) +- break; +- if (CMD(max) > SVGA_FIFO_SIZE) +- break; +- if (CMD(max) < CMD(min) + 10 * 1024) +- break; + } + s->config = !!value; + break; only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-4453.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-4453.patch @@ -0,0 +1,44 @@ +Backport of: + +From 4e68a0ee17dad7b8d870df0081d4ab2e079016c2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 30 May 2016 09:09:21 +0200 +Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +vmsvga_fifo_run is called in regular intervals (on each display update) +and will resume where it left off. So we can simply exit the loop, +without having to worry about how processing will continue. + +Fixes: CVE-2016-4453 +Cc: qemu-stable@nongnu.org +Cc: P J P +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com +--- + hw/display/vmware_vga.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/vmware_vga.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/vmware_vga.c 2016-08-04 07:40:07.414082081 -0400 ++++ qemu-kvm-1.0+noroms/hw/vmware_vga.c 2016-08-04 07:40:07.410082048 -0400 +@@ -590,13 +590,13 @@ + static void vmsvga_fifo_run(struct vmsvga_state_s *s) + { + uint32_t cmd, colour; +- int args, len; ++ int args, len, maxloop = 1024; + int x, y, dx, dy, width, height; + struct vmsvga_cursor_definition_s cursor; + uint32_t cmd_start; + + len = vmsvga_fifo_length(s); +- while (len > 0) { ++ while (len > 0 && --maxloop > 0) { + /* May need to go back to the start of the command if incomplete */ + cmd_start = s->fifo_stop; + only in patch2: unchanged: --- qemu-kvm-1.0+noroms.orig/debian/patches/CVE-2016-2392.patch +++ qemu-kvm-1.0+noroms/debian/patches/CVE-2016-2392.patch @@ -0,0 +1,34 @@ +Backport of: + +From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 11 Feb 2016 16:31:20 +0530 +Subject: [PATCH] usb: check USB configuration descriptor object + +When processing remote NDIS control message packets, the USB Net +device emulator checks to see if the USB configuration descriptor +object is of RNDIS type(2). But it does not check if it is null, +which leads to a null dereference error. Add check to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/dev-network.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +Index: qemu-kvm-1.0+noroms/hw/usb-net.c +=================================================================== +--- qemu-kvm-1.0+noroms.orig/hw/usb-net.c 2011-12-04 05:38:06.000000000 -0500 ++++ qemu-kvm-1.0+noroms/hw/usb-net.c 2016-05-11 07:32:53.449397944 -0400 +@@ -650,7 +650,8 @@ + + static int is_rndis(USBNetState *s) + { +- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; ++ return s->dev.config ? ++ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; + } + + static int ndis_query(USBNetState *s, uint32_t oid,