--- /dev/null
+From b5ef1754de94247de307044b19e6bc3fa0ad5ba8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 10 Oct 2016 12:46:22 +0200
+Subject: [PATCH 2/4] xhci: limit the number of link trbs we are willing to
+ process
+
+Needed to avoid we run in circles forever in case the guest builds
+an endless loop with link trbs.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Tested-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
+---
+ hw/usb/hcd-xhci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 281a2a5..8a9a31a 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -54,6 +54,8 @@
+ * to the specs when it gets them */
+ #define ER_FULL_HACK
+
++#define TRB_LINK_LIMIT 4
++
+ #define LEN_CAP 0x40
+ #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
+ #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
+@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ dma_addr_t *addr)
+ {
+ PCIDevice *pci_dev = PCI_DEVICE(xhci);
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ ring->dequeue += TRB_SIZE;
+ return type;
+ } else {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return 0;
++ }
+ ring->dequeue = xhci_mask64(trb->parameter);
+ if (trb->control & TRB_LK_TC) {
+ ring->ccs = !ring->ccs;
+@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ bool ccs = ring->ccs;
+ /* hack to bundle together the two/three TDs that make a setup transfer */
+ bool control_td_set = 0;
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ type = TRB_TYPE(trb);
+
+ if (type == TR_LINK) {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return -length;
++ }
+ dequeue = xhci_mask64(trb.parameter);
+ if (trb.control & TRB_LK_TC) {
+ ccs = !ccs;
+--
+2.1.4
+
--- /dev/null
+From 8794fc68736fda80d7191f100c03c960a5ef1224 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 11 Oct 2016 09:27:45 +0200
+Subject: [PATCH 3/4] 9pfs: fix potential host memory leak in v9fs_read
+
+In 9pfs read dispatch function, it doesn't free two QEMUIOVector
+object thus causing potential memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index dfe293d..54e18a2 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque)
+ if (len < 0) {
+ /* IO error return the error */
+ err = len;
+- goto out;
++ goto out_free_iovec;
+ }
+ } while (count < max_count && len > 0);
+ err = pdu_marshal(pdu, offset, "d", count);
+ if (err < 0) {
+- goto out;
++ goto out_free_iovec;
+ }
+ err += offset + count;
++out_free_iovec:
+ qemu_iovec_destroy(&qiov);
+ qemu_iovec_destroy(&qiov_full);
+ } else if (fidp->fid_type == P9_FID_XATTR) {
+--
+2.1.4
+
--- /dev/null
+From 630abd0c70f272b36361348e9ee7d6a71577b72f Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 11 Oct 2016 09:27:45 +0200
+Subject: [PATCH 4/4] 9pfs: allocate space for guest originated empty strings
+
+If a guest sends an empty string paramater to any 9P operation, the current
+code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
+
+This is unfortunate because it can cause NULL pointer dereference to happen
+at various locations in the 9pfs code. And we don't want to check str->data
+everywhere we pass it to strcmp() or any other function which expects a
+dereferenceable pointer.
+
+This patch enforces the allocation of genuine C empty strings instead, so
+callers don't have to bother.
+
+Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
+the returned string is empty. It now uses v9fs_string_size() since
+name.data cannot be NULL anymore.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+[groug, rewritten title and changelog,
+ fix empty string check in v9fs_xattrwalk()]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ fsdev/9p-iov-marshal.c | 2 +-
+ hw/9pfs/9p.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
+index 663cad5..1d16f8d 100644
+--- a/fsdev/9p-iov-marshal.c
++++ b/fsdev/9p-iov-marshal.c
+@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+ str->data = g_malloc(str->size + 1);
+ copied = v9fs_unpack(str->data, out_sg, out_num, offset,
+ str->size);
+- if (copied > 0) {
++ if (copied >= 0) {
+ str->data[str->size] = 0;
+ } else {
+ v9fs_string_free(str);
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 54e18a2..75ba5f1 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3161,7 +3161,7 @@ static void v9fs_xattrwalk(void *opaque)
+ goto out;
+ }
+ v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
+- if (name.data == NULL) {
++ if (!v9fs_string_size(&name)) {
+ /*
+ * listxattr request. Get the size first
+ */
+--
+2.1.4
+
extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
+extra/CVE-2016-8576-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
+extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
+extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
projects / pve-qemu-kvm.git / commitdiff