]> git.proxmox.com Git - pve-qemu-kvm.git/commitdiff
various fixes
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Mon, 7 Nov 2016 10:10:01 +0000 (11:10 +0100)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Mon, 7 Nov 2016 10:10:04 +0000 (11:10 +0100)
CVE-2016-8909:
 audio: intel-hda: check stream entry count during transfer
CVE-2016-8910:
 net: rtl8139: limit processing of ring descriptors
CVE-2016-9101:
 net: eepro100: fix memory leak in device uninit
CVE-2016-9102:
 9pfs: fix memory leak in v9fs_xattrcreate
CVE-2016-9103:
 9pfs: fix information leak in xattr read
CVE-2016-9104:
 9pfs: fix integer overflow issue in xattr read/write
CVE-2016-9105:
 9pfs: fix memory leak in v9fs_link
CVE-2016-9106:
 9pfs: fix memory leak in v9fs_write

debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch b/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
new file mode 100644 (file)
index 0000000..d8102b3
--- /dev/null
@@ -0,0 +1,39 @@
+From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 20 Oct 2016 13:10:24 +0530
+Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
+ transfer
+
+Intel HDA emulator uses stream of buffers during DMA data
+transfers. Each entry has buffer length and buffer pointer
+position, which are used to derive bytes to 'copy'. If this
+length and buffer pointer were to be same, 'copy' could be
+set to zero(0), leading to an infinite loop. Add check to
+avoid it.
+
+Reported-by: Huawei PSIRT <psirt@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/intel-hda.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index cd95340..537face 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+     }
+     left = len;
+-    while (left > 0) {
++    s = st->bentries;
++    while (left > 0 && s-- > 0) {
+         copy = left;
+         if (copy > st->bsize - st->lpib)
+             copy = st->bsize - st->lpib;
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch b/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
new file mode 100644 (file)
index 0000000..eedbd17
--- /dev/null
@@ -0,0 +1,34 @@
+From 8dea1624f9166d9dd52074c98f744e4a1e13a616 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 21 Oct 2016 17:39:29 +0530
+Subject: [PATCH 2/8] net: rtl8139: limit processing of ring descriptors
+
+RTL8139 ethernet controller in C+ mode supports multiple
+descriptor rings, each with maximum of 64 descriptors. While
+processing transmit descriptor ring in 'rtl8139_cplus_transmit',
+it does not limit the descriptor count and runs forever. Add
+check to avoid it.
+
+Reported-by: Andrew Henderson <hendersa@icculus.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 3345bc6..f05e59c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
+ {
+     int txcount = 0;
+-    while (rtl8139_cplus_transmit_one(s))
++    while (txcount < 64 && rtl8139_cplus_transmit_one(s))
+     {
+         ++txcount;
+     }
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch b/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
new file mode 100644 (file)
index 0000000..0ae895a
--- /dev/null
@@ -0,0 +1,30 @@
+From 1fab838b55ee7cc199b105d80de4a80f336231b3 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Sat, 8 Oct 2016 05:07:25 -0700
+Subject: [PATCH 3/8] net: eepro100: fix memory leak in device uninit
+
+The exit dispatch of eepro100 network card device doesn't free
+the 's->vmstate' field which was allocated in device realize thus
+leading a host memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/eepro100.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index bab4dbf..4bf71f2 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
+     EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
+     vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
++    g_free(s->vmstate);
+     eeprom93xx_free(&pci_dev->qdev, s->eeprom);
+     qemu_del_nic(s->nic);
+ }
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch b/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
new file mode 100644 (file)
index 0000000..cad4baf
--- /dev/null
@@ -0,0 +1,34 @@
+From f132108afabf074403afadf822ad2d2275d115cd Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 5/8] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 3becdd0..f5af4e3 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+     xattr_fidp->fs.xattr.flags = flags;
+     v9fs_string_init(&xattr_fidp->fs.xattr.name);
+     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++    g_free(xattr_fidp->fs.xattr.value);
+     xattr_fidp->fs.xattr.value = g_malloc0(size);
+     err = offset;
+     put_fid(pdu, file_fidp);
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch b/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
new file mode 100644 (file)
index 0000000..7d84422
--- /dev/null
@@ -0,0 +1,32 @@
+From 644566ea6fe2896b6b171797cfe6e7219939d968 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 4/8] 9pfs: fix information leak in xattr read
+
+9pfs uses g_malloc() to allocate the xattr memory space, if the guest
+reads this memory before writing to it, this will leak host heap memory
+to the guest. This patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 75ba5f1..3becdd0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,7 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+     xattr_fidp->fs.xattr.flags = flags;
+     v9fs_string_init(&xattr_fidp->fs.xattr.name);
+     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+-    xattr_fidp->fs.xattr.value = g_malloc(size);
++    xattr_fidp->fs.xattr.value = g_malloc0(size);
+     err = offset;
+     put_fid(pdu, file_fidp);
+ out_nofid:
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch b/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
new file mode 100644 (file)
index 0000000..eec6b2a
--- /dev/null
@@ -0,0 +1,92 @@
+From 86a37b0a0ed8f32db819782ca4a367712ece1453 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 1 Nov 2016 12:00:40 +0100
+Subject: [PATCH 8/8] 9pfs: fix integer overflow issue in xattr read/write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
+originated offset: they must ensure this offset does not go beyond
+the size of the extended attribute that was set in v9fs_xattrcreate().
+Unfortunately, the current code implement these checks with unsafe
+calculations on 32 and 64 bit values, which may allow a malicious
+guest to cause OOB access anyway.
+
+Fix this by comparing the offset and the xattr size, which are
+both uint64_t, before trying to compute the effective number of bytes
+to read or write.
+
+Suggested-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-By: Guido Günther <agx@sigxcpu.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index af07846..fc4f2cd 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+     ssize_t err;
+     size_t offset = 7;
+-    int read_count;
+-    int64_t xattr_len;
++    uint64_t read_count;
+     V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
+     VirtQueueElement *elem = v->elems[pdu->idx];
+-    xattr_len = fidp->fs.xattr.len;
+-    read_count = xattr_len - off;
++    if (fidp->fs.xattr.len < off) {
++        read_count = 0;
++    } else {
++        read_count = fidp->fs.xattr.len - off;
++    }
+     if (read_count > max_count) {
+         read_count = max_count;
+-    } else if (read_count < 0) {
+-        /*
+-         * read beyond XATTR value
+-         */
+-        read_count = 0;
+     }
+     err = pdu_marshal(pdu, offset, "d", read_count);
+     if (err < 0) {
+@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+     int i, to_copy;
+     ssize_t err = 0;
+-    int write_count;
+-    int64_t xattr_len;
++    uint64_t write_count;
+     size_t offset = 7;
+-    xattr_len = fidp->fs.xattr.len;
+-    write_count = xattr_len - off;
+-    if (write_count > count) {
+-        write_count = count;
+-    } else if (write_count < 0) {
+-        /*
+-         * write beyond XATTR value len specified in
+-         * xattrcreate
+-         */
++    if (fidp->fs.xattr.len < off) {
+         err = -ENOSPC;
+         goto out;
+     }
++    write_count = fidp->fs.xattr.len - off;
++    if (write_count > count) {
++        write_count = count;
++    }
+     err = pdu_marshal(pdu, offset, "d", write_count);
+     if (err < 0) {
+         return err;
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch b/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
new file mode 100644 (file)
index 0000000..9138249
--- /dev/null
@@ -0,0 +1,32 @@
+From 94979ec1a852871eaee150cb56f0e8cac4316e35 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 6/8] 9pfs: fix memory leak in v9fs_link
+
+The v9fs_link() function keeps a reference on the source fid object. This
+causes a memory leak since the reference never goes down to 0. This patch
+fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index f5af4e3..aa2b8c0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2403,6 +2403,7 @@ static void v9fs_link(void *opaque)
+     if (!err) {
+         err = offset;
+     }
++    put_fid(pdu, oldfidp);
+ out:
+     put_fid(pdu, dfidp);
+ out_nofid:
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch b/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
new file mode 100644 (file)
index 0000000..3ee8b50
--- /dev/null
@@ -0,0 +1,33 @@
+From 2c5bcb2d5f32ffcf5064d3557e44836fa70700be Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 7/8] 9pfs: fix memory leak in v9fs_write
+
+If an error occurs when marshalling the transfer length to the guest, the
+v9fs_write() function doesn't free an IO vector, thus leading to a memory
+leak. This patch fixes the issue.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index aa2b8c0..af07846 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
+     offset = 7;
+     err = pdu_marshal(pdu, offset, "d", total);
+     if (err < 0) {
+-        goto out;
++        goto out_qiov;
+     }
+     err += offset;
+     trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
+-- 
+2.1.4
+
index d025009029d53c6023b812a4e190fb535a87f9bb..6c1c308a2cf79de06646cccb43c078357c71c9d4 100644 (file)
@@ -66,3 +66,11 @@ extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
 extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
 extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
 extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
+extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
+extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
+extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
+extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
+extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
+extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
+extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
+extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch