From d37e80a3d66a49a32ecfe50c808b1879e54c27a3 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 5 Oct 2016 14:35:12 +0200 Subject: [PATCH] various fixes CVE-2016-7161: hw/net: Fix a heap overflow in xlnx.xps-ethernetlite CVE-2016-7422: virtio: add check for descriptor's mapped address CVE-2016-7907: net: imx: limit buffer descriptor count CVE-2016-7908: net: mcf: limit buffer descriptor count CVE-2016-7909: net: pcnet: check rx/tx descriptor ring length --- ...ap-overflow-in-xlnx.xps-ethernetlite.patch | 35 +++++++++++++ ...heck-for-descriptor-s-mapped-address.patch | 38 ++++++++++++++ ...et-imx-limit-buffer-descriptor-count.patch | 48 +++++++++++++++++ ...et-mcf-limit-buffer-descriptor-count.patch | 52 +++++++++++++++++++ ...t-check-rx-tx-descriptor-ring-length.patch | 36 +++++++++++++ debian/patches/series | 5 ++ 6 files changed, 214 insertions(+) create mode 100644 debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch create mode 100644 debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch create mode 100644 debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch create mode 100644 debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch create mode 100644 debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch diff --git a/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch b/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch new file mode 100644 index 0000000..1c14d8c --- /dev/null +++ b/debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch @@ -0,0 +1,35 @@ +From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001 +From: chaojianhu +Date: Tue, 9 Aug 2016 11:52:54 +0800 +Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite + +The .receive callback of xlnx.xps-ethernetlite doesn't check the length +of data before calling memcpy. As a result, the NetClientState object in +heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite +will be affected. + +Reported-by: chaojianhu +Signed-off-by: chaojianhu +Signed-off-by: Jason Wang +--- + hw/net/xilinx_ethlite.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c +index bc846e7..12b7419 100644 +--- a/hw/net/xilinx_ethlite.c ++++ b/hw/net/xilinx_ethlite.c +@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) + } + + D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); ++ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { ++ D(qemu_log("ethlite packet is too big, size=%x\n", size)); ++ return -1; ++ } + memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); + + s->regs[rxbase + R_RX_CTRL0] |= CTRL_S; +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch b/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch new file mode 100644 index 0000000..47e5135 --- /dev/null +++ b/debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch @@ -0,0 +1,38 @@ +From 77b365c29e9bf143ee4c024daa9f6f0a13213376 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 19 Sep 2016 23:55:45 +0530 +Subject: [PATCH 1/5] virtio: add check for descriptor's mapped address + +virtio back end uses set of buffers to facilitate I/O operations. +If its size is too large, 'cpu_physical_memory_map' could return +a null address. This would result in a null dereference while +un-mapping descriptors. Add check to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Laszlo Ersek +--- + hw/virtio/virtio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 111ad8e..75f5ada 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -471,6 +471,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove + } + + iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); ++ if (!iov[num_sg].iov_base) { ++ error_report("virtio: bogus descriptor or out of resources"); ++ exit(1); ++ } ++ + iov[num_sg].iov_len = len; + addr[num_sg] = pa; + +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch b/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch new file mode 100644 index 0000000..303a481 --- /dev/null +++ b/debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch @@ -0,0 +1,48 @@ +From 53102ff7c9c928e2c778a6440f7039ee29dc5acf Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 22 Sep 2016 16:01:38 +0530 +Subject: [PATCH 3/5] net: imx: limit buffer descriptor count + +i.MX Fast Ethernet Controller uses buffer descriptors to manage +data flow to/fro receive & transmit queues. While transmitting +packets, it could continue to read buffer descriptors if a buffer +descriptor has length of zero and has crafted values in bd.flags. +Set an upper limit to number of buffer descriptors. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/net/imx_fec.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c +index e60e338..547fa99 100644 +--- a/hw/net/imx_fec.c ++++ b/hw/net/imx_fec.c +@@ -94,6 +94,8 @@ static const VMStateDescription vmstate_imx_fec = { + #define PHY_INT_PARFAULT (1 << 2) + #define PHY_INT_AUTONEG_PAGE (1 << 1) + ++#define IMX_MAX_DESC 1024 ++ + static void imx_fec_update(IMXFECState *s); + + /* +@@ -264,12 +266,12 @@ static void imx_fec_update(IMXFECState *s) + + static void imx_fec_do_tx(IMXFECState *s) + { +- int frame_size = 0; ++ int frame_size = 0, descnt = 0; + uint8_t frame[FEC_MAX_FRAME_SIZE]; + uint8_t *ptr = frame; + uint32_t addr = s->tx_descriptor; + +- while (1) { ++ while (descnt++ < IMX_MAX_DESC) { + IMXFECBufDesc bd; + int len; + +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch b/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch new file mode 100644 index 0000000..2985778 --- /dev/null +++ b/debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch @@ -0,0 +1,52 @@ +From 50e74d1c748bde8d667e452d4d7cac3d8f869520 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 22 Sep 2016 16:02:37 +0530 +Subject: [PATCH 4/5] net: mcf: limit buffer descriptor count + +ColdFire Fast Ethernet Controller uses buffer descriptors to manage +data flow to/fro receive & transmit queues. While transmitting +packets, it could continue to read buffer descriptors if a buffer +descriptor has length of zero and has crafted values in bd.flags. +Set upper limit to number of buffer descriptors. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Paolo Bonzini +Signed-off-by: Jason Wang +--- + hw/net/mcf_fec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c +index 7c0398e..6d3418e 100644 +--- a/hw/net/mcf_fec.c ++++ b/hw/net/mcf_fec.c +@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) + #define DPRINTF(fmt, ...) do {} while(0) + #endif + ++#define FEC_MAX_DESC 1024 + #define FEC_MAX_FRAME_SIZE 2032 + + typedef struct { +@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) + uint32_t addr; + mcf_fec_bd bd; + int frame_size; +- int len; ++ int len, descnt = 0; + uint8_t frame[FEC_MAX_FRAME_SIZE]; + uint8_t *ptr; + +@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) + ptr = frame; + frame_size = 0; + addr = s->tx_descriptor; +- while (1) { ++ while (descnt++ < FEC_MAX_DESC) { + mcf_fec_read_bd(&bd, addr); + DPRINTF("tx_bd %x flags %04x len %d data %08x\n", + addr, bd.flags, bd.length, bd.data); +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch b/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch new file mode 100644 index 0000000..fab98ba --- /dev/null +++ b/debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch @@ -0,0 +1,36 @@ +From 9d315a91caeb359045b2c730294bba3889911127 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 30 Sep 2016 00:27:33 +0530 +Subject: [PATCH 5/5] net: pcnet: check rx/tx descriptor ring length + +The AMD PC-Net II emulator has set of control and status(CSR) +registers. Of these, CSR76 and CSR78 hold receive and transmit +descriptor ring length respectively. This ring length could range +from 1 to 65535. Setting ring length to zero leads to an infinite +loop in pcnet_rdra_addr. Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/net/pcnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index 198a01f..3078de8 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value) + case 47: /* POLLINT */ + case 72: + case 74: ++ break; + case 76: /* RCVRL */ + case 78: /* XMTRL */ ++ val = (val > 0) ? val : 512; ++ break; + case 112: + if (CSR_STOP(s) || CSR_SPND(s)) + break; +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 5c17cf1..07cf5c4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -78,3 +78,8 @@ extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch extra/x86-lapic-Load-LAPIC-state-at-post_load.patch +extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch +extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch +extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch +extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch +extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch -- 2.39.5