From 7fd7e00b6af4c803110dcc0562b746f9540887d8 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Thu, 2 Feb 2017 09:58:34 +0100
Subject: [PATCH] various fixes
---
 ...ransfer-mode-register-in-multi-block.patch | 61 +++++++++++++++++++
 ...ount-enable-not-relevant-in-single-b.patch | 42 +++++++++++++
 ...pu-3d-check-virgl-capabilities-max_s.patch | 44 +++++++++++++
 ...5-watchdog-6300esb-add-exit-function.patch | 50 +++++++++++++++
 debian/patches/series | 4 ++
 5 files changed, 201 insertions(+)
 create mode 100644 debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
 create mode 100644 debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
 create mode 100644 debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
 create mode 100644 debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
diff --git a/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch b/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
new file mode 100644
index 0000000..017f55a
--- /dev/null
+++ b/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
@@ -0,0 +1,61 @@
+From da4c6050712be98934918e348aa34a74be0e4e57 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 31 Jan 2017 17:54:15 +0530
+Subject: [PATCH 3/8] sd: sdhci: check transfer mode register in multi block
+ transfer
+
+In SDHCI device emulation the transfer mode register value
+is used during multi block transfer to check if block count
+register is enabled and should be updated. Transfer mode
+register could be set such that, block count register would
+not be updated, thus leading to an infinite loop. Add check
+to avoid it.
+
+Reported-by: Wjjzhang
+Reported-by: Jiang Xin
+Signed-off-by: Prasad J Pandit
+---
+ hw/sd/sdhci.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 01fbf22..35f953a 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -486,6 +486,12 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
+ uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
+
++ if (!(s->trnmod & SDHC_TRNS_MULTI)
++ || !(s->trnmod & SDHC_TRNS_BLK_CNT_EN)
++ || !s->blkcnt) {
++ return;
++ }
++
+ /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
+ * possible stop at page boundary if initial address is not page aligned,
+ * allow them to work properly */
+@@ -797,11 +803,6 @@ static void sdhci_data_transfer(void *opaque)
+ if (s->trnmod & SDHC_TRNS_DMA) {
+ switch (SDHC_DMA_TYPE(s->hostctl)) {
+ case SDHC_CTRL_SDMA:
+- if ((s->trnmod & SDHC_TRNS_MULTI) &&
+- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
+- break;
+- }
+-
+ if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
+ sdhci_sdma_transfer_single_block(s);
+ } else {
+@@ -1050,7 +1051,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ if (!(s->capareg & SDHC_CAN_DO_DMA)) {
+ value &= ~SDHC_TRNS_DMA;
+ }
+- MASKED_WRITE(s->trnmod, mask, value);
++ MASKED_WRITE(s->trnmod, mask, value & 0x0037);
+ MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
+
+ /* Writing to the upper byte of CMDREG triggers SD command generation */
+--
+2.1.4
+
diff --git a/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch b/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
new file mode 100644
index 0000000..aeca0a1
--- /dev/null
+++ b/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
@@ -0,0 +1,42 @@
+From b9bc05a3a687f9993c5c2a8890b53ab9e8dbc96c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 31 Jan 2017 17:54:16 +0530
+Subject: [PATCH 4/8] sd: sdhci: block count enable not relevant in single
+ block transfer
+
+In SDHCI device emulation the 'Block count enable' bit
+of the Transfer Mode register is only relevant in multi block
+transfers. We need not check it in single block transfers.
+
+Signed-off-by: Prasad J Pandit
+---
+ hw/sd/sdhci.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 35f953a..85cac42 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -570,7 +570,6 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ }
+
+ /* single block SDMA transfer */
+-
+ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
+ {
+ int n;
+@@ -589,10 +588,7 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
+ sdbus_write_data(&s->sdbus, s->fifo_buffer[n]);
+ }
+ }
+-
+- if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+- s->blkcnt--;
+- }
++ s->blkcnt--;
+
+ sdhci_end_transfer(s);
+ }
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch b/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
new file mode 100644
index 0000000..19e7599
--- /dev/null
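Review bot: The transfer-mode write now masks with a bare literal, `MASKED_WRITE(s->trnmod, mask, value & 0x0037);`, and nothing in the patch says which Transfer Mode bits that keeps; the flags the same patch tests (SDHC_TRNS_DMA, SDHC_TRNS_BLK_CNT_EN, SDHC_TRNS_MULTI) presumably all fall inside it, so the value belongs in a named constant next to them, `#define SDHC_TRNMOD_MASK 0x0037 /* defined Transfer Mode register bits */`, with the write becoming `MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK);`. The early return added to sdhci_sdma_transfer_multi_blocks ends the transfer silently, with no sdhci_end_transfer() and no error status; that looks like the intended replacement for the `break` removed from sdhci_data_transfer, but a one-line comment above it, `/* Not a multi-block transfer, or block count disabled/exhausted: nothing to move. */`, would spare the next reader the derivation. All three nested hunks cut into functions (sdhci_sdma_transfer_multi_blocks, sdhci_data_transfer, sdhci_write) whose bodies continue outside them.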
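Review bot: `s->blkcnt--;` in sdhci_sdma_transfer_single_block is now unconditional, while the caller's `(s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)` still routes a non-MULTI transfer with blkcnt already 0 here, so the counter wraps on what appears to be an unsigned register field. Whether a later path treats blkcnt as a bound I cannot tell from this hunk, but the guest can presumably read the register back, so either guard it, `if (s->blkcnt) { s->blkcnt--; }`, or add a comment stating why the wrap is harmless in single-block mode. The body of sdhci_sdma_transfer_single_block between the two nested hunks is outside view.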
+++ b/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
@@ -0,0 +1,44 @@
+From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 14 Dec 2016 12:31:56 +0530
+Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
+
+Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
+command, retrieves the maximum capabilities size to fill in the
+response object. It continues to fill in capabilities even if
+retrieved 'max_size' is zero(0), thus resulting in OOB access.
+Add check to avoid it.
+
+Reported-by: Zhenhao Hong
+Signed-off-by: Prasad J Pandit
+Message-id: 20161214070156.23368-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann
+---
+
+Notes:
+ CVE-2016-10028
+
+ hw/display/virtio-gpu-3d.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index d98b140..cdd03a4 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
+- resp = g_malloc0(sizeof(*resp) + max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
+
++ resp = g_malloc0(sizeof(*resp) + max_size);
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+ gc.capset_version,
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch b/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
new file mode 100644
index 0000000..06567fc
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
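Review bot: The new `if (!max_size)` guard only holds if virgl_renderer_get_cap_set() stores to max_size on every path, including an unrecognized gc.capset_id; the declarations of max_ver and max_size sit above the hunk, and if they are not initialized there the guard can test an indeterminate value for an unknown capset. Initializing at the declaration, `uint32_t max_ver = 0, max_size = 0;`, makes the check independent of the renderer's contract. A short comment on the guard, `/* No such capset: a zero-size response would let virgl_renderer_fill_caps() write past resp. */`, records why zero is rejected rather than leaving it to the commit message. virgl_cmd_get_capset begins and ends outside the hunk.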
@@ -0,0 +1,50 @@
+From a8341ea109259c17ad18b02597e5e03e99db60ae Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 28 Nov 2016 17:49:04 -0800
+Subject: [PATCH 1/8] watchdog: 6300esb: add exit function
+
+When the Intel 6300ESB watchdog is hot unplug. The timer allocated
+in realize isn't freed thus leaking memory leak. This patch avoid
+this through adding the exit function.
+
+Signed-off-by: Li Qiang
+Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
+Signed-off-by: Paolo Bonzini
+---
+
+Notes:
+ CVE-2016-10155
+
+ hw/watchdog/wdt_i6300esb.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
+index a83d951..49b3cd1 100644
+--- a/hw/watchdog/wdt_i6300esb.c
++++ b/hw/watchdog/wdt_i6300esb.c
+@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
+ /* qemu_register_coalesced_mmio (addr, 0x10); ? */
+ }
+
++static void i6300esb_exit(PCIDevice *dev)
++{
++ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
++
++ timer_del(d->timer);
++ timer_free(d->timer);
++}
++
+ static WatchdogTimerModel model = {
+ .wdt_name = "i6300esb",
+ .wdt_description = "Intel 6300ESB",
+@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
+ k->config_read = i6300esb_config_read;
+ k->config_write = i6300esb_config_write;
+ k->realize = i6300esb_realize;
++ k->exit = i6300esb_exit;
+ k->vendor_id = PCI_VENDOR_ID_INTEL;
+ k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
+ k->class_id = PCI_CLASS_SYSTEM_OTHER;
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 3cc187b..e0c9bf5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
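Review bot: i6300esb_exit frees d->timer but leaves the pointer dangling; the device state presumably outlives the exit callback until the object is finalized, so adding `d->timer = NULL;` after `timer_free(d->timer);` keeps any later access, or a repeated exit, from touching freed memory. Whether timer_free() in this tree also removes the timer from its list I cannot confirm from the hunk; keeping the explicit timer_del() before it is the safe order either way. A one-line comment above the function, `/* Undo i6300esb_realize: release the watchdog timer on unplug. */`, would tie it to the allocation it reverses. i6300esb_realize and i6300esb_class_init both continue outside the hunk.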
@@ -88,3 +88,7 @@ extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
 extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
 extra/0003-cirrus-fix-blit-address-mask-handling.patch
 extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
+extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
+extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
+extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
-- 
2.39.2