--- /dev/null
+From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 20 Oct 2016 13:10:24 +0530
+Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
+ transfer
+
+Intel HDA emulator uses stream of buffers during DMA data
+transfers. Each entry has buffer length and buffer pointer
+position, which are used to derive bytes to 'copy'. If this
+length and buffer pointer were to be the same, 'copy' could be
+set to zero(0), leading to an infinite loop. Add check to
+avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/intel-hda.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index cd95340..537face 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+ }
+
+ left = len;
+- while (left > 0) {
++ s = st->bentries;
++ while (left > 0 && s-- > 0) {
+ copy = left;
+ if (copy > st->bsize - st->lpib)
+ copy = st->bsize - st->lpib;
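Review bot: The new bound `s-- > 0` on L34 relies on `s` being declared in the enclosing function, whose signature and the rest of the loop body lie outside the hunk, and nothing at the loop says why `st->bentries` is the right limit. If, as the commit message implies, a pass with `copy == 0` can still be legitimate when it merely steps to the next buffer-descriptor entry, a plain `if (copy == 0) break;` would not be a correct replacement, so the iteration count is the right shape of fix but deserves a comment: `/* Each pass either copies bytes or steps to the next BDL entry; bounding by the entry count stops a zero-length pass from spinning forever. */`. When the bound is hit with `left > 0` the transfer is silently cut short; if intel_hda_xfer's return value does not already convey that (it is outside the hunk), consider reporting it so the caller does not treat the DMA as complete.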
+--
+2.1.4
+
--- /dev/null
+From 8dea1624f9166d9dd52074c98f744e4a1e13a616 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 21 Oct 2016 17:39:29 +0530
+Subject: [PATCH 2/8] net: rtl8139: limit processing of ring descriptors
+
+RTL8139 ethernet controller in C+ mode supports multiple
+descriptor rings, each with maximum of 64 descriptors. While
+processing transmit descriptor ring in 'rtl8139_cplus_transmit',
+it does not limit the descriptor count and runs forever. Add
+check to avoid it.
+
+Reported-by: Andrew Henderson <hendersa@icculus.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 3345bc6..f05e59c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
+ {
+ int txcount = 0;
+
+- while (rtl8139_cplus_transmit_one(s))
++ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
+ {
+ ++txcount;
+ }
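Review bot: The limit `64` on L69 is a bare magic number; the commit message explains it is the maximum C+ ring size, but the code does not. Name it alongside the other rtl8139 constants, or at least annotate the loop, e.g. `/* C+ TX ring holds at most 64 descriptors; cap the guest-driven loop */`, so the same value is not silently duplicated if the RX path later needs the same cap. `txcount` is still incremented only inside the body, so the cap is exactly 64 passes, which matches the stated ring size.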
+--
+2.1.4
+
--- /dev/null
+From 1fab838b55ee7cc199b105d80de4a80f336231b3 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Sat, 8 Oct 2016 05:07:25 -0700
+Subject: [PATCH 3/8] net: eepro100: fix memory leak in device uninit
+
+The exit dispatch of eepro100 network card device doesn't free
+the 's->vmstate' field which was allocated in device realize thus
+leading to a host memory leak. This patch avoids this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/eepro100.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index bab4dbf..4bf71f2 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
+ EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
+
+ vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
++ g_free(s->vmstate);
+ eeprom93xx_free(&pci_dev->qdev, s->eeprom);
+ qemu_del_nic(s->nic);
+ }
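Review bot: `g_free(s->vmstate)` on L100 leaves `s->vmstate` dangling in the device state for the rest of pci_nic_uninit, including the `eeprom93xx_free` and `qemu_del_nic` calls that follow; adding `s->vmstate = NULL;` right after the free is a cheap guard against a later use or double free if uninit is ever re-entered. The free is correctly placed after `vmstate_unregister`, which still reads the descriptor. Confirm that the descriptor was allocated with a g_* allocator in realize (outside the hunk) so `g_free` is the matching release.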
+--
+2.1.4
+
--- /dev/null
+From f132108afabf074403afadf822ad2d2275d115cd Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 5/8] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 3becdd0..f5af4e3 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++ g_free(xattr_fidp->fs.xattr.value);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
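Review bot: The leak fix covers `fs.xattr.value` but the same fid-reuse path leaks `fs.xattr.name`: L133 calls `v9fs_string_init` on a name that, when the fid is re-targeted by a second Txattrcreate before clunk, already holds a heap string, and init presumably just resets the pointer and size. Releasing it first closes that leak, e.g. replace L133 with `v9fs_string_free(&xattr_fidp->fs.xattr.name);` if that helper frees and resets as its name suggests (its definition is outside the hunk). Separately, `size` on L136 is the guest-supplied attribute length and `g_malloc0` aborts the process on allocation failure, so a huge size is a guest-triggerable host crash; a cap or `g_try_malloc0` with an `-ENOMEM` return would be safer. The enclosing function continues outside the hunk.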
+--
+2.1.4
+
--- /dev/null
+From 644566ea6fe2896b6b171797cfe6e7219939d968 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 4/8] 9pfs: fix information leak in xattr read
+
+9pfs uses g_malloc() to allocate the xattr memory space, if the guest
+reads this memory before writing to it, this will leak host heap memory
+to the guest. This patch avoids this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 75ba5f1..3becdd0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,7 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
+ out_nofid:
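Review bot: Zero-filling fixes the information leak, but `size` on L168 is the guest-supplied attribute length and `g_malloc0` aborts QEMU when the allocation fails, so a very large `size` turns the leak into a guest-triggerable host DoS. Bound it to a sane maximum (host filesystems typically cap xattr values at tens of kilobytes) or switch to `g_try_malloc0(size)` and return `-ENOMEM` when it yields NULL. This applies after the fix as well as before, so it is a follow-up rather than a reason to hold the patch. `v9fs_xattrcreate` starts outside the hunk, where `size` is unpacked.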
+--
+2.1.4
+
--- /dev/null
+From 86a37b0a0ed8f32db819782ca4a367712ece1453 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 1 Nov 2016 12:00:40 +0100
+Subject: [PATCH 8/8] 9pfs: fix integer overflow issue in xattr read/write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
+originated offset: they must ensure this offset does not go beyond
+the size of the extended attribute that was set in v9fs_xattrcreate().
+Unfortunately, the current code implement these checks with unsafe
+calculations on 32 and 64 bit values, which may allow a malicious
+guest to cause OOB access anyway.
+
+Fix this by comparing the offset and the xattr size, which are
+both uint64_t, before trying to compute the effective number of bytes
+to read or write.
+
+Suggested-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-By: Guido Günther <agx@sigxcpu.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index af07846..fc4f2cd 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ ssize_t err;
+ size_t offset = 7;
+- int read_count;
+- int64_t xattr_len;
++ uint64_t read_count;
+ V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
+ VirtQueueElement *elem = v->elems[pdu->idx];
+
+- xattr_len = fidp->fs.xattr.len;
+- read_count = xattr_len - off;
++ if (fidp->fs.xattr.len < off) {
++ read_count = 0;
++ } else {
++ read_count = fidp->fs.xattr.len - off;
++ }
+ if (read_count > max_count) {
+ read_count = max_count;
+- } else if (read_count < 0) {
+- /*
+- * read beyond XATTR value
+- */
+- read_count = 0;
+ }
+ err = pdu_marshal(pdu, offset, "d", read_count);
+ if (err < 0) {
+@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ int i, to_copy;
+ ssize_t err = 0;
+- int write_count;
+- int64_t xattr_len;
++ uint64_t write_count;
+ size_t offset = 7;
+
+
+- xattr_len = fidp->fs.xattr.len;
+- write_count = xattr_len - off;
+- if (write_count > count) {
+- write_count = count;
+- } else if (write_count < 0) {
+- /*
+- * write beyond XATTR value len specified in
+- * xattrcreate
+- */
++ if (fidp->fs.xattr.len < off) {
+ err = -ENOSPC;
+ goto out;
+ }
++ write_count = fidp->fs.xattr.len - off;
++ if (write_count > count) {
++ write_count = count;
++ }
+ err = pdu_marshal(pdu, offset, "d", write_count);
+ if (err < 0) {
+ return err;
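Review bot: `read_count` and `write_count` are now `uint64_t` (L214, L241) but are still passed to `pdu_marshal(pdu, offset, "d", …)` on L233 and L262, where the `d` conversion presumably pulls a 32-bit value via `va_arg`; passing a 64-bit argument for a 32-bit varargs slot is undefined behavior even though the clamp to `max_count`/`count` keeps the value in range and it happens to work on common 64-bit ABIs. Cast at the call, `err = pdu_marshal(pdu, offset, "d", (uint32_t)read_count);` and likewise for `write_count`, so the argument type matches the format. The comparisons themselves are now safe: `fs.xattr.len < off` is tested before the subtraction, so neither count can wrap. Both functions continue outside the hunk (the data copy loops) and should be re-read with the new unsigned types in mind — `to_copy` on L237 is still an `int`.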
+--
+2.1.4
+
--- /dev/null
+From 94979ec1a852871eaee150cb56f0e8cac4316e35 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 6/8] 9pfs: fix memory leak in v9fs_link
+
+The v9fs_link() function keeps a reference on the source fid object. This
+causes a memory leak since the reference never goes down to 0. This patch
+fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index f5af4e3..aa2b8c0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2403,6 +2403,7 @@ static void v9fs_link(void *opaque)
+ if (!err) {
+ err = offset;
+ }
++ put_fid(pdu, oldfidp);
+ out:
+ put_fid(pdu, dfidp);
+ out_nofid:
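Review bot: The new `put_fid(pdu, oldfidp)` on L294 only balances the reference on the path that reaches the end of the function; `oldfidp` is acquired earlier, outside the hunk, so any error exit between that `get_fid` and this line that jumps straight to `out` would still leak the reference — worth confirming there is none, or giving `oldfidp` its own cleanup label ahead of `out:`. Separately, this patch's `index f5af4e3..aa2b8c0` line shows it was generated on top of the xattrcreate fix (`3becdd0..f5af4e3`), yet the series list at the end of the page applies CVE-2016-9105 before CVE-2016-9102; the hunks touch distant regions so `patch` will likely still apply with an offset, but the series order should follow the index chain (9103, 9102, 9105, 9106, 9104) to avoid fuzz.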
+--
+2.1.4
+
--- /dev/null
+From 2c5bcb2d5f32ffcf5064d3557e44836fa70700be Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 7/8] 9pfs: fix memory leak in v9fs_write
+
+If an error occurs when marshalling the transfer length to the guest, the
+v9fs_write() function doesn't free an IO vector, thus leading to a memory
+leak. This patch fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index aa2b8c0..af07846 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
+ offset = 7;
+ err = pdu_marshal(pdu, offset, "d", total);
+ if (err < 0) {
+- goto out;
++ goto out_qiov;
+ }
+ err += offset;
+ trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
+--
+2.1.4
+
extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
+extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
+extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
+extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
+extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
+extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
+extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
+extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
+extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch