From 3c19fc5351529a4ef51a6b10cdc5dfd3dcb5581b Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Thu, 13 Oct 2016 15:19:02 +0200 Subject: [PATCH] various fixes: CVE-2016-8576: xhci: limit the number of link trbs we are willing to process CVE-2016-8577: 9pfs: fix potential host memory leak in v9fs_read CVE-2016-8578: 9pfs: allocate space for guest originated empty strings --- ...umber-of-link-trbs-we-are-willing-to.patch | 69 +++++++++++++++++++ ...ential-host-memory-leak-in-v9fs_read.patch | 39 +++++++++++ ...ace-for-guest-originated-empty-strin.patch | 58 ++++++++++++++++ debian/patches/series | 3 + 4 files changed, 169 insertions(+) create mode 100644 debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch create mode 100644 debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch create mode 100644 debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch diff --git a/debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch b/debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch new file mode 100644 index 0000000..7019960 --- /dev/null +++ b/debian/patches/extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch @@ -0,0 +1,69 @@ +From b5ef1754de94247de307044b19e6bc3fa0ad5ba8 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 10 Oct 2016 12:46:22 +0200 +Subject: [PATCH 2/4] xhci: limit the number of link trbs we are willing to + process + +Needed to avoid we run in circles forever in case the guest builds +an endless loop with link trbs. + +Reported-by: Li Qiang +Tested-by: P J P +Signed-off-by: Gerd Hoffmann +Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com +--- + hw/usb/hcd-xhci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 281a2a5..8a9a31a 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -54,6 +54,8 @@ + * to the specs when it gets them */ + #define ER_FULL_HACK + ++#define TRB_LINK_LIMIT 4 ++ + #define LEN_CAP 0x40 + #define LEN_OPER (0x400 + 0x10 * MAXPORTS) + #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) +@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + dma_addr_t *addr) + { + PCIDevice *pci_dev = PCI_DEVICE(xhci); ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + ring->dequeue += TRB_SIZE; + return type; + } else { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return 0; ++ } + ring->dequeue = xhci_mask64(trb->parameter); + if (trb->control & TRB_LK_TC) { + ring->ccs = !ring->ccs; +@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + bool ccs = ring->ccs; + /* hack to bundle together the two/three TDs that make a setup transfer */ + bool control_td_set = 0; ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + type = TRB_TYPE(trb); + + if (type == TR_LINK) { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return -length; ++ } + dequeue = xhci_mask64(trb.parameter); + if (trb.control & TRB_LK_TC) { + ccs = !ccs; +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch b/debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch new file mode 100644 index 0000000..6583894 --- /dev/null +++ b/debian/patches/extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch @@ -0,0 +1,39 @@ +From 8794fc68736fda80d7191f100c03c960a5ef1224 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 11 Oct 2016 09:27:45 +0200 +Subject: [PATCH 3/4] 9pfs: fix potential host memory leak in v9fs_read + +In 9pfs read dispatch function, it doesn't free two QEMUIOVector +object thus causing potential memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index dfe293d..54e18a2 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque) + if (len < 0) { + /* IO error return the error */ + err = len; +- goto out; ++ goto out_free_iovec; + } + } while (count < max_count && len > 0); + err = pdu_marshal(pdu, offset, "d", count); + if (err < 0) { +- goto out; ++ goto out_free_iovec; + } + err += offset + count; ++out_free_iovec: + qemu_iovec_destroy(&qiov); + qemu_iovec_destroy(&qiov_full); + } else if (fidp->fid_type == P9_FID_XATTR) { +-- +2.1.4 + diff --git a/debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch b/debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch new file mode 100644 index 0000000..3ba78c8 --- /dev/null +++ b/debian/patches/extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch @@ -0,0 +1,58 @@ +From 630abd0c70f272b36361348e9ee7d6a71577b72f Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 11 Oct 2016 09:27:45 +0200 +Subject: [PATCH 4/4] 9pfs: allocate space for guest originated empty strings + +If a guest sends an empty string paramater to any 9P operation, the current +code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. + +This is unfortunate because it can cause NULL pointer dereference to happen +at various locations in the 9pfs code. And we don't want to check str->data +everywhere we pass it to strcmp() or any other function which expects a +dereferenceable pointer. + +This patch enforces the allocation of genuine C empty strings instead, so +callers don't have to bother. + +Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if +the returned string is empty. It now uses v9fs_string_size() since +name.data cannot be NULL anymore. + +Signed-off-by: Li Qiang +[groug, rewritten title and changelog, + fix empty string check in v9fs_xattrwalk()] +Signed-off-by: Greg Kurz +--- + fsdev/9p-iov-marshal.c | 2 +- + hw/9pfs/9p.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c +index 663cad5..1d16f8d 100644 +--- a/fsdev/9p-iov-marshal.c ++++ b/fsdev/9p-iov-marshal.c +@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, + str->data = g_malloc(str->size + 1); + copied = v9fs_unpack(str->data, out_sg, out_num, offset, + str->size); +- if (copied > 0) { ++ if (copied >= 0) { + str->data[str->size] = 0; + } else { + v9fs_string_free(str); +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 54e18a2..75ba5f1 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -3161,7 +3161,7 @@ static void v9fs_xattrwalk(void *opaque) + goto out; + } + v9fs_path_copy(&xattr_fidp->path, &file_fidp->path); +- if (name.data == NULL) { ++ if (!v9fs_string_size(&name)) { + /* + * listxattr request. Get the size first + */ +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 87b7a66..fb8592b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -59,3 +59,6 @@ extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch +extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch +extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch +extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch -- 2.39.2