diff -Nru qemu-2.11+dfsg/debian/changelog qemu-2.11+dfsg/debian/changelog --- qemu-2.11+dfsg/debian/changelog 2018-04-18 05:29:50.000000000 +0000 +++ qemu-2.11+dfsg/debian/changelog 2018-05-11 17:26:42.000000000 +0000 @@ -1,3 +1,20 @@ +qemu (1:2.11+dfsg-1ubuntu7.1) bionic-security; urgency=medium + + * SECURITY UPDATE: out-of-bounds access during migration via ps2 + - debian/patches/ubuntu/CVE-2017-16845.patch: check PS2Queue pointers + in post_load routine in hw/input/ps2.c. + - CVE-2017-16845 + * SECURITY UPDATE: arbitrary code execution via load_multiboot + - debian/patches/ubuntu/CVE-2018-7550.patch: handle bss_end_addr being + zero in hw/i386/multiboot.c. + - CVE-2018-7550 + * SECURITY UPDATE: denial of service in Cirrus CLGD 54xx VGA + - debian/patches/ubuntu/CVE-2018-7858.patch: fix region calculation in + hw/display/vga.c. + - CVE-2018-7858 + + -- Marc Deslauriers Fri, 11 May 2018 13:26:42 -0400 + qemu (1:2.11+dfsg-1ubuntu7) bionic; urgency=medium * d/p/ubuntu/lp-1762854-*: fix issue with SCSI-2 devices denying Protection diff -Nru qemu-2.11+dfsg/debian/patches/series qemu-2.11+dfsg/debian/patches/series --- qemu-2.11+dfsg/debian/patches/series 2018-04-16 09:04:30.000000000 +0000 +++ qemu-2.11+dfsg/debian/patches/series 2018-05-11 17:26:42.000000000 +0000 @@ -31,3 +31,6 @@ ubuntu/lp-1763468-3-spapr-set-vsmt-to-MAX-8-smp_threads.patch ubuntu/lp-1763468-4-spapr-use-spapr-vsmt-to-compute-VCPU-ids.patch ubuntu/lp-1763468-9-spapr-register-dummy-ICPs-later.patch +ubuntu/CVE-2017-16845.patch +ubuntu/CVE-2018-7550.patch +ubuntu/CVE-2018-7858.patch diff -Nru qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2017-16845.patch qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2017-16845.patch --- qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2017-16845.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2017-16845.patch 2018-05-11 17:26:15.000000000 +0000 @@ -0,0 +1,59 @@ +From 802cbcb73002b92e6ddc8464d39b668a71b78d74 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 16 Nov 2017 13:21:55 +0530 +Subject: [PATCH] ps2: check PS2Queue pointers in post_load routine + +During Qemu guest migration, a destination process invokes ps2 +post_load function. In that, if 'rptr' and 'count' values were +invalid, it could lead to OOB access or infinite loop issue. +Add check to avoid it. + +Reported-by: Cyrille Chatras +Signed-off-by: Prasad J Pandit +Message-id: 20171116075155.22378-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/input/ps2.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/hw/input/ps2.c b/hw/input/ps2.c +index f388a23..de171a2 100644 +--- a/hw/input/ps2.c ++++ b/hw/input/ps2.c +@@ -1225,24 +1225,21 @@ static void ps2_common_reset(PS2State *s) + static void ps2_common_post_load(PS2State *s) + { + PS2Queue *q = &s->queue; +- int size; +- int i; +- int tmp_data[PS2_QUEUE_SIZE]; ++ uint8_t i, size; ++ uint8_t tmp_data[PS2_QUEUE_SIZE]; + + /* set the useful data buffer queue size, < PS2_QUEUE_SIZE */ +- size = q->count > PS2_QUEUE_SIZE ? 0 : q->count; ++ size = (q->count < 0 || q->count > PS2_QUEUE_SIZE) ? 0 : q->count; + + /* move the queue elements to the start of data array */ +- if (size > 0) { +- for (i = 0; i < size; i++) { +- /* move the queue elements to the temporary buffer */ +- tmp_data[i] = q->data[q->rptr]; +- if (++q->rptr == 256) { +- q->rptr = 0; +- } ++ for (i = 0; i < size; i++) { ++ if (q->rptr < 0 || q->rptr >= sizeof(q->data)) { ++ q->rptr = 0; + } +- memcpy(q->data, tmp_data, size); ++ tmp_data[i] = q->data[q->rptr++]; + } ++ memcpy(q->data, tmp_data, size); ++ + /* reset rptr/wptr/count */ + q->rptr = 0; + q->wptr = size; +-- +1.8.3.1 + diff -Nru qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2018-7550.patch qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2018-7550.patch --- qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2018-7550.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2018-7550.patch 2018-05-11 17:26:29.000000000 +0000 @@ -0,0 +1,58 @@ +From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001 +From: Jack Schwartz +Date: Thu, 21 Dec 2017 09:25:15 -0800 +Subject: [PATCH] multiboot: bss_end_addr can be zero + +The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), +section 3.1.3, allows for bss_end_addr to be zero. + +A zero bss_end_addr signifies there is no .bss section. + +Suggested-by: Daniel Kiper +Signed-off-by: Jack Schwartz +Reviewed-by: Daniel Kiper +Reviewed-by: Prasad J Pandit +Signed-off-by: Kevin Wolf +--- + hw/i386/multiboot.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c +index 46d9c68..bb8d8e4 100644 +--- a/hw/i386/multiboot.c ++++ b/hw/i386/multiboot.c +@@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg, + mh_entry_addr = ldl_p(header+i+28); + + if (mh_load_end_addr) { +- if (mh_bss_end_addr < mh_load_addr) { +- fprintf(stderr, "invalid mh_bss_end_addr address\n"); +- exit(1); +- } +- mb_kernel_size = mh_bss_end_addr - mh_load_addr; +- + if (mh_load_end_addr < mh_load_addr) { + fprintf(stderr, "invalid mh_load_end_addr address\n"); + exit(1); +@@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg, + fprintf(stderr, "invalid kernel_file_size\n"); + exit(1); + } +- mb_kernel_size = kernel_file_size - mb_kernel_text_offset; +- mb_load_size = mb_kernel_size; ++ mb_load_size = kernel_file_size - mb_kernel_text_offset; ++ } ++ if (mh_bss_end_addr) { ++ if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) { ++ fprintf(stderr, "invalid mh_bss_end_addr address\n"); ++ exit(1); ++ } ++ mb_kernel_size = mh_bss_end_addr - mh_load_addr; ++ } else { ++ mb_kernel_size = mb_load_size; + } + + /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE. +-- +1.8.3.1 + diff -Nru qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2018-7858.patch qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2018-7858.patch --- qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2018-7858.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.11+dfsg/debian/patches/ubuntu/CVE-2018-7858.patch 2018-05-11 17:26:39.000000000 +0000 @@ -0,0 +1,33 @@ +From 7cdc61becd095b64a786b2625f321624e7111f3d Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 9 Mar 2018 15:37:04 +0100 +Subject: [PATCH] vga: fix region calculation + +Typically the scanline length and the line offset are identical. But +in case they are not our calculation for region_end is incorrect. Using +line_offset is fine for all scanlines, except the last one where we have +to use the actual scanline length. + +Fixes: CVE-2018-7550 +Reported-by: Ross Lagerwall +Signed-off-by: Gerd Hoffmann +Reviewed-by: Prasad J Pandit +Tested-by: Ross Lagerwall +Message-id: 20180309143704.13420-1-kraxel@redhat.com +--- + hw/display/vga.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: qemu-2.11+dfsg/hw/display/vga.c +=================================================================== +--- qemu-2.11+dfsg.orig/hw/display/vga.c 2018-05-11 13:26:37.677154982 -0400 ++++ qemu-2.11+dfsg/hw/display/vga.c 2018-05-11 13:26:37.673154973 -0400 +@@ -1489,6 +1489,8 @@ static void vga_draw_graphic(VGACommonSt + + region_start = (s->start_addr * 4); + region_end = region_start + (ram_addr_t)s->line_offset * height; ++ region_end += width * s->get_bpp(s) / 8; /* scanline length */ ++ region_end -= s->line_offset; + if (region_end > s->vbe_size) { + /* wraps around (can happen with cirrus vbe modes) */ + region_start = 0;