From: Wolfgang Bumiller Date: Fri, 1 Apr 2016 07:56:26 +0000 (+0200) Subject: update to 2.5.1 X-Git-Url: https://git.proxmox.com/?p=pve-qemu-kvm.git;a=commitdiff_plain;h=44810b960aac24f4a061d8fe3234efaef18a3208 update to 2.5.1 And removing the now unnecessary patches. --- diff --git a/Makefile b/Makefile index d9951b3..154a765 100644 --- a/Makefile +++ b/Makefile @@ -24,7 +24,7 @@ download: #git clone git://git.qemu-project.org/qemu.git -b stable-2.4 ${KVMDIR} git clone git://git.qemu-project.org/qemu.git ${KVMDIR} # see https://bugs.launchpad.net/qemu/+bug/1488363?comments=all - cd ${KVMDIR}; git checkout v2.5.0; git revert --no-edit b8eb5512fd8a115f164edbbe897cdf8884920ccb + cd ${KVMDIR}; git checkout v2.5.1; git revert --no-edit b8eb5512fd8a115f164edbbe897cdf8884920ccb tar czf ${KVMSRC} --exclude CVS --exclude .git --exclude .svn ${KVMDIR} ${DEBS} kvm: ${KVMSRC} diff --git a/debian/patches/extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch b/debian/patches/extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch deleted file mode 100644 index 743b68d..0000000 --- a/debian/patches/extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Gerd Hoffmann -Subject: [Qemu-devel] [PULL 5/5] ehci: make idt processing more robust - -Make ehci_process_itd return an error in case we didn't do any actual -iso transfer because we've found no active transaction. That'll avoid -ehci happily run in circles forever if the guest builds a loop out of -idts. - -This is CVE-2015-8558. - -Cc: qemu-stable@nongnu.org -Reported-by: Qinghao Tang -Tested-by: P J P -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ehci.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index 4e2161b..d07f228 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci, - { - USBDevice *dev; - USBEndpoint *ep; -- uint32_t i, len, pid, dir, devaddr, endp; -+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; - uint32_t pg, off, ptr1, ptr2, max, mult; - - ehci->periodic_sched_active = PERIODIC_ACTIVE; -@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci, - ehci_raise_irq(ehci, USBSTS_INT); - } - itd->transact[i] &= ~ITD_XACT_ACTIVE; -+ xfers++; - } - } -- return 0; -+ return xfers ? 0 : -1; - } - - --- -1.8.3.1 - - - - diff --git a/debian/patches/extra/CVE-2015-8613-scsi-initialize-info-object.patch b/debian/patches/extra/CVE-2015-8613-scsi-initialize-info-object.patch deleted file mode 100644 index ee0f36d..0000000 --- a/debian/patches/extra/CVE-2015-8613-scsi-initialize-info-object.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 5823b4a214ede884f4ba597fdd629862620e0f92 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 21 Dec 2015 14:48:18 +0530 -Subject: [PATCH] scsi: initialise info object with appropriate size - -While processing controller 'CTRL_GET_INFO' command, the routine -'megasas_ctrl_get_info' overflows the '&info' object size. Use its -appropriate size to null initialise it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit ---- - hw/scsi/megasas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index d7dc667..576f56c 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) - BusChild *kid; - int num_pd_disks = 0; - -- memset(&info, 0x0, cmd->iov_size); -+ memset(&info, 0x0, dcmd_size); - if (cmd->iov_size < dcmd_size) { - trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, - dcmd_size); --- -2.4.3 -=== diff --git a/debian/patches/extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch b/debian/patches/extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch deleted file mode 100644 index 86e26db..0000000 --- a/debian/patches/extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 136dd5ac96fc21654a31aff7fa88b86570c8fc72 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Wed, 13 Jan 2016 08:46:31 +0100 -Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) - -When processing 'sendkey' command, hmp_sendkey routine null -terminates the 'keyname_buf' array. This results in an OOB -write issue, if 'keyname_len' was to fall outside of -'keyname_buf' array. - -Since the keyname's length is known the keyname_buf can be -removed altogether by adding a length parameter to -index_from_key() and using it for the error output as well. - -Reported-by: Ling Liu -Signed-off-by: Wolfgang Bumiller ---- - hmp.c | 17 +++++++---------- - include/ui/console.h | 2 +- - ui/input-legacy.c | 5 +++-- - 3 files changed, 11 insertions(+), 13 deletions(-) - -diff --git a/hmp.c b/hmp.c -index c2b2c16..066ccf8 100644 ---- a/hmp.c -+++ b/hmp.c -@@ -1742,21 +1742,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) - int has_hold_time = qdict_haskey(qdict, "hold-time"); - int hold_time = qdict_get_try_int(qdict, "hold-time", -1); - Error *err = NULL; -- char keyname_buf[16]; - char *separator; - int keyname_len; - - while (1) { - separator = strchr(keys, '-'); - keyname_len = separator ? separator - keys : strlen(keys); -- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); - - /* Be compatible with old interface, convert user inputted "<" */ -- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { -- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); -+ if (!strncmp(keys, "<", 1) && keyname_len == 1) { -+ keys = "less"; - keyname_len = 4; - } -- keyname_buf[keyname_len] = 0; - - keylist = g_malloc0(sizeof(*keylist)); - keylist->value = g_malloc0(sizeof(*keylist->value)); -@@ -1769,16 +1766,16 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) - } - tmp = keylist; - -- if (strstart(keyname_buf, "0x", NULL)) { -+ if (strstart(keys, "0x", NULL)) { - char *endp; -- int value = strtoul(keyname_buf, &endp, 0); -- if (*endp != '\0') { -+ int value = strtoul(keys, &endp, 0); -+ if (*endp != '\0' && *endp != '-') { - goto err_out; - } - keylist->value->type = KEY_VALUE_KIND_NUMBER; - keylist->value->u.number = value; - } else { -- int idx = index_from_key(keyname_buf); -+ int idx = index_from_key(keys, keyname_len); - if (idx == Q_KEY_CODE_MAX) { - goto err_out; - } -@@ -1800,7 +1797,7 @@ out: - return; - - err_out: -- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); -+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); - goto out; - } - -diff --git a/include/ui/console.h b/include/ui/console.h -index adac36d..116bc2b 100644 ---- a/include/ui/console.h -+++ b/include/ui/console.h -@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires) - void curses_display_init(DisplayState *ds, int full_screen); - - /* input.c */ --int index_from_key(const char *key); -+int index_from_key(const char *key, size_t key_length); - - /* gtk.c */ - void early_gtk_display_init(int opengl); -diff --git a/ui/input-legacy.c b/ui/input-legacy.c -index 35dfc27..3454055 100644 ---- a/ui/input-legacy.c -+++ b/ui/input-legacy.c -@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry { - static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers = - QTAILQ_HEAD_INITIALIZER(led_handlers); - --int index_from_key(const char *key) -+int index_from_key(const char *key, size_t key_length) - { - int i; - - for (i = 0; QKeyCode_lookup[i] != NULL; i++) { -- if (!strcmp(key, QKeyCode_lookup[i])) { -+ if (!strncmp(key, QKeyCode_lookup[i], key_length) && -+ !QKeyCode_lookup[i][key_length]) { - break; - } - } --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2015-8701-net-rocker-off-by-one.patch b/debian/patches/extra/CVE-2015-8701-net-rocker-off-by-one.patch deleted file mode 100644 index 7b17355..0000000 --- a/debian/patches/extra/CVE-2015-8701-net-rocker-off-by-one.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 60e8fd72b0faaf940e220a0514001b86b7149e09 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 28 Dec 2015 16:24:08 +0530 -Subject: [PATCH] net: rocker: fix an incorrect array bounds check - -While processing transmit(tx) descriptors in 'tx_consume' routine -the switch emulator suffers from an off-by-one error, if a -descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) -fragments. Fix an incorrect bounds check to avoid it. - -Reported-by: Qinghao Tang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/rocker/rocker.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c -index c57f1a6..2e77e50 100644 ---- a/hw/net/rocker/rocker.c -+++ b/hw/net/rocker/rocker.c -@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) - frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); - frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); - -+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { -+ goto err_too_many_frags; -+ } - iov[iovcnt].iov_len = frag_len; - iov[iovcnt].iov_base = g_malloc(frag_len); - if (!iov[iovcnt].iov_base) { -@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) - err = -ROCKER_ENXIO; - goto err_bad_io; - } -- -- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { -- goto err_too_many_frags; -- } -+ iovcnt++; - } - - if (iovcnt) { --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch b/debian/patches/extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch deleted file mode 100644 index 5b34ecf..0000000 --- a/debian/patches/extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch +++ /dev/null @@ -1,48 +0,0 @@ -From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 31 Dec 2015 17:05:27 +0530 -Subject: [PATCH] net: ne2000: fix bounds check in ioport operations - -While doing ioport r/w operations, ne2000 device emulation suffers -from OOB r/w errors. Update respective array bounds check to avoid -OOB access. - -Reported-by: Ling Liu -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/ne2000.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index 010f9ef..a3dffff 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, - uint32_t val) - { - addr &= ~1; /* XXX: check exact behaviour if not even */ -- if (addr < 32 || -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { -+ if (addr < 32 -+ || (addr >= NE2000_PMEM_START -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { - stl_le_p(s->mem + addr, val); - } - } -@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) - static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) - { - addr &= ~1; /* XXX: check exact behaviour if not even */ -- if (addr < 32 || -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { -+ if (addr < 32 -+ || (addr >= NE2000_PMEM_START -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { - return ldl_le_p(s->mem + addr); - } else { - return 0xffffffff; --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch b/debian/patches/extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch deleted file mode 100644 index e294b22..0000000 --- a/debian/patches/extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 47568e18c6599962f711bc2ae3cc45fe6900130d Mon Sep 17 00:00:00 2001 -From: P J P -Date: Fri, 18 Dec 2015 11:35:07 +0530 -Subject: [PATCH] i386: avoid null pointer dereference - - Hello, - -A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It -occurs while doing I/O port write operations via hmp interface. In that, -'current_cpu' remains null as it is not called from cpu_exec loop, which -results in the said issue. - -Below is a proposed (tested)patch to fix this issue; Does it look okay? - -=== -From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 18 Dec 2015 11:16:07 +0530 -Subject: [PATCH] i386: avoid null pointer dereference - -When I/O port write operation is called from hmp interface, -'current_cpu' remains null, as it is not called from cpu_exec() -loop. This leads to a null pointer dereference in vapic_write -routine. Add check to avoid it. - -Reported-by: Ling Liu -Signed-off-by: Prasad J Pandit -Message-Id: -Signed-off-by: Paolo Bonzini ---- - hw/i386/kvmvapic.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c -index c6d34b2..f0922da 100644 ---- a/hw/i386/kvmvapic.c -+++ b/hw/i386/kvmvapic.c -@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) - static void vapic_write(void *opaque, hwaddr addr, uint64_t data, - unsigned int size) - { -- CPUState *cs = current_cpu; -- X86CPU *cpu = X86_CPU(cs); -- CPUX86State *env = &cpu->env; -- hwaddr rom_paddr; - VAPICROMState *s = opaque; -+ X86CPU *cpu; -+ CPUX86State *env; -+ hwaddr rom_paddr; - -- cpu_synchronize_state(cs); -+ if (!current_cpu) { -+ return; -+ } -+ -+ cpu_synchronize_state(current_cpu); -+ cpu = X86_CPU(current_cpu); -+ env = &cpu->env; - - /* - * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch b/debian/patches/extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch deleted file mode 100644 index baf86bf..0000000 --- a/debian/patches/extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch +++ /dev/null @@ -1,98 +0,0 @@ -From e55bfae32b6e3ea1e9a8a318e1b9e76acbcdd50b Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 19 Jan 2016 14:17:20 +0100 -Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer - start - -The start_xmit() and e1000_receive_iov() functions implement DMA transfers -iterating over a set of descriptors that the guest's e1000 driver -prepares: - -- the TDLEN and RDLEN registers store the total size of the descriptor - area, - -- while the TDH and RDH registers store the offset (in whole tx / rx - descriptors) into the area where the transfer is supposed to start. - -Each time a descriptor is processed, the TDH and RDH register is bumped -(as appropriate for the transfer direction). - -QEMU already contains logic to deal with bogus transfers submitted by the -guest: - -- Normally, the transmit case wants to increase TDH from its initial value - to TDT. (TDT is allowed to be numerically smaller than the initial TDH - value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe - that QEMU currently has here is a check against reaching the original - TDH value again -- a complete wraparound, which should never happen. - -- In the receive case RDH is increased from its initial value until - "total_size" bytes have been received; preferably in a single step, or - in "s->rxbuf_size" byte steps, if the latter is smaller. However, null - RX descriptors are skipped without receiving data, while RDH is - incremented just the same. QEMU tries to prevent an infinite loop - (processing only null RX descriptors) by detecting whether RDH assumes - its original value during the loop. (Again, wrapping from RDLEN to 0 is - normal.) - -What both directions miss is that the guest could program TDLEN and RDLEN -so low, and the initial TDH and RDH so high, that these registers will -immediately be truncated to zero, and then never reassume their initial -values in the loop -- a full wraparound will never occur. - -The condition that expresses this is: - - xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) - -i.e., TDH or RDH start out after the last whole rx or tx descriptor that -fits into the TDLEN or RDLEN sized area. - -This condition could be checked before we enter the loops, but -pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for -bogus DMA addresses, so we just extend the existing failsafes with the -above condition. - -This is CVE-2016-1981. - -Cc: "Michael S. Tsirkin" -Cc: Petr Matousek -Cc: Stefano Stabellini -Cc: Prasad Pandit -Cc: Michael Roth -Cc: Jason Wang -Cc: qemu-stable@nongnu.org -RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 -Signed-off-by: Laszlo Ersek -Reviewed-by: Jason Wang -Signed-off-by: Jason Wang ---- - hw/net/e1000.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/net/e1000.c b/hw/net/e1000.c -index bec06e9..34d0823 100644 ---- a/hw/net/e1000.c -+++ b/hw/net/e1000.c -@@ -908,7 +908,8 @@ start_xmit(E1000State *s) - * bogus values to TDT/TDLEN. - * there's nothing too intelligent we could do about this. - */ -- if (s->mac_reg[TDH] == tdh_start) { -+ if (s->mac_reg[TDH] == tdh_start || -+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { - DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", - tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); - break; -@@ -1165,7 +1166,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) - if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) - s->mac_reg[RDH] = 0; - /* see comment in start_xmit; same here */ -- if (s->mac_reg[RDH] == rdh_start) { -+ if (s->mac_reg[RDH] == rdh_start || -+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { - DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", - rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); - set_ics(s, 0, E1000_ICS_RXO); --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch b/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch deleted file mode 100644 index 1a3da44..0000000 --- a/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 867dcfc8c153c463090b972c2afc7b90700bab91 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 29 Jan 2016 01:18:50 +0530 -Subject: [PATCH 2/2] ide: ahci: add check before calling dma_memory_unmap - -When IDE AHCI emulation uses Frame Information Structures(FIS) -engine for data transfer, the mapped FIS buffer address is stored -in a static 'bounce.buffer'. When a request is made to map another -memory region, address_space_map() returns NULL because -'bounce.buffer' is in_use. It leads to a null pointer dereference -error while doing 'dma_memory_unmap'. Add a check to avoid it. - -Reported-by: Zuozhi fzz -Signed-off-by: Prasad J Pandit ---- - hw/ide/ahci.c | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c -index dd1912e..ea351fe 100644 ---- a/hw/ide/ahci.c -+++ b/hw/ide/ahci.c -@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDevice *ad) - - static void ahci_unmap_fis_address(AHCIDevice *ad) - { -- dma_memory_unmap(ad->hba->as, ad->res_fis, 256, -- DMA_DIRECTION_FROM_DEVICE, 256); -- ad->res_fis = NULL; -+ if (ad->res_fis) { -+ dma_memory_unmap(ad->hba->as, ad->res_fis, 256, -+ DMA_DIRECTION_FROM_DEVICE, 256); -+ ad->res_fis = NULL; -+ } - } - - static bool ahci_map_clb_address(AHCIDevice *ad) -@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDevice *ad) - - static void ahci_unmap_clb_address(AHCIDevice *ad) - { -- dma_memory_unmap(ad->hba->as, ad->lst, 1024, -- DMA_DIRECTION_FROM_DEVICE, 1024); -- ad->lst = NULL; -+ if (ad->lst) { -+ dma_memory_unmap(ad->hba->as, ad->lst, 1024, -+ DMA_DIRECTION_FROM_DEVICE, 1024); -+ ad->lst = NULL; -+ } - } - - static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs) --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch b/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch deleted file mode 100644 index 6616649..0000000 --- a/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch +++ /dev/null @@ -1,33 +0,0 @@ -From f979659e509e9d6da5cd3d74c459b944e131ce73 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 11 Feb 2016 16:31:20 +0530 -Subject: [PATCH] usb: check USB configuration descriptor object - -When processing remote NDIS control message packets, the USB Net -device emulator checks to see if the USB configuration descriptor -object is of RNDIS type(2). But it does not check if it is null, -which leads to a null dereference error. Add check to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit ---- - hw/usb/dev-network.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c -index 7800cee..8a4ff49 100644 ---- a/hw/usb/dev-network.c -+++ b/hw/usb/dev-network.c -@@ -653,7 +653,8 @@ typedef struct USBNetState { - - static int is_rndis(USBNetState *s) - { -- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; -+ return s->dev.config ? -+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; - } - - static int ndis_query(USBNetState *s, uint32_t oid, --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch b/debian/patches/extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch deleted file mode 100644 index 57491ef..0000000 --- a/debian/patches/extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 56ed8c01f949f8a0ee45bfe91aed3a973c79a5db Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 17 Feb 2016 00:23:40 +0530 -Subject: [PATCH] usb: check RNDIS message length - -When processing remote NDIS control message packets, the USB Net -device emulator uses a fixed length(4096) data buffer. The incoming -packet length could exceed this limit. Add a check to avoid it. - -Signed-off-by: Prasad J Pandit - -usb: check RNDIS buffer offsets & length - -When processing remote NDIS control message packets, -the USB Net device emulator uses a fixed length(4096) data buffer. -The incoming informationBufferOffset & Length combination could -overflow and cross that range. Check control message buffer -offsets and length to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit ---- - hw/usb/core.c | 18 +++++++++--------- - hw/usb/dev-network.c | 9 ++++++--- - 2 files changed, 15 insertions(+), 12 deletions(-) - -diff --git a/hw/usb/core.c b/hw/usb/core.c -index d0025db..7f46370 100644 ---- a/hw/usb/core.c -+++ b/hw/usb/core.c -@@ -128,9 +128,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p) - } - - usb_packet_copy(p, s->setup_buf, p->iov.size); -+ s->setup_index = 0; - p->actual_length = 0; - s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; -- s->setup_index = 0; -+ if (s->setup_len > sizeof(s->data_buf)) { -+ fprintf(stderr, -+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", -+ s->setup_len, sizeof(s->data_buf)); -+ p->status = USB_RET_STALL; -+ return; -+ } - - request = (s->setup_buf[0] << 8) | s->setup_buf[1]; - value = (s->setup_buf[3] << 8) | s->setup_buf[2]; -@@ -151,13 +158,6 @@ static void do_token_setup(USBDevice *s, USBPacket *p) - } - s->setup_state = SETUP_STATE_DATA; - } else { -- if (s->setup_len > sizeof(s->data_buf)) { -- fprintf(stderr, -- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", -- s->setup_len, sizeof(s->data_buf)); -- p->status = USB_RET_STALL; -- return; -- } - if (s->setup_len == 0) - s->setup_state = SETUP_STATE_ACK; - else -@@ -176,7 +176,7 @@ static void do_token_in(USBDevice *s, USBPacket *p) - request = (s->setup_buf[0] << 8) | s->setup_buf[1]; - value = (s->setup_buf[3] << 8) | s->setup_buf[2]; - index = (s->setup_buf[5] << 8) | s->setup_buf[4]; -- -+ - switch(s->setup_state) { - case SETUP_STATE_ACK: - if (!(s->setup_buf[0] & USB_DIR_IN)) { -diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c -index 8a4ff49..180adce 100644 ---- a/hw/usb/dev-network.c -+++ b/hw/usb/dev-network.c -@@ -915,8 +915,9 @@ static int rndis_query_response(USBNetState *s, - - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; - buflen = le32_to_cpu(buf->InformationBufferLength); -- if (bufoffs + buflen > length) -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { - return USB_RET_STALL; -+ } - - infobuflen = ndis_query(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen, infobuf, -@@ -961,8 +962,9 @@ static int rndis_set_response(USBNetState *s, - - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; - buflen = le32_to_cpu(buf->InformationBufferLength); -- if (bufoffs + buflen > length) -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { - return USB_RET_STALL; -+ } - - ret = ndis_set(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen); -@@ -1212,8 +1214,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p) - if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { - uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); - uint32_t size = le32_to_cpu(msg->DataLength); -- if (offs + size <= len) -+ if (offs < len && size < len && offs + size <= len) { - qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); -+ } - } - s->out_ptr -= len; - memmove(s->out_buf, &s->out_buf[len], s->out_ptr); --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch b/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch deleted file mode 100644 index c92068e..0000000 --- a/debian/patches/extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 081109008ca6f6adae2bcda2bc5c3472553cc110 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 24 Feb 2016 11:41:33 +0530 -Subject: [PATCH] net: ne2000: check ring buffer control registers - -Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) -bytes to process network packets. Registers PSTART & PSTOP -define ring buffer size & location. Setting these registers -to invalid values could lead to infinite loop or OOB r/w -access issues. Add check to avoid it. - -Reported-by: Yang Hongke -Tested-by: Yang Hongke -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/ne2000.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index 010f9ef..84a7263 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) - { - int avail, index, boundary; - -+ if (s->stop <= s->start) { -+ return 1; -+ } -+ - index = s->curpag << 8; - boundary = s->boundary << 8; - if (index < boundary) --- -2.1.4 - diff --git a/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch b/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch deleted file mode 100644 index 4a20cd8..0000000 --- a/debian/patches/extra/CVE-2016-2857-net-check-packet-payload-length.patch +++ /dev/null @@ -1,47 +0,0 @@ -From c0d732a6233af2f148c59f3b81f95f429ea235cb Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 2 Mar 2016 17:29:58 +0530 -Subject: [PATCH] net: check packet payload length - -While computing IP checksum, 'net_checksum_calculate' reads -payload length from the packet. It could exceed the given 'data' -buffer size. Add a check to avoid it. - -Reported-by: Liu Ling -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - net/checksum.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/net/checksum.c b/net/checksum.c -index 14c0855..0942437 100644 ---- a/net/checksum.c -+++ b/net/checksum.c -@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length) - int hlen, plen, proto, csum_offset; - uint16_t csum; - -+ /* Ensure data has complete L2 & L3 headers. */ -+ if (length < 14 + 20) { -+ return; -+ } -+ - if ((data[14] & 0xf0) != 0x40) - return; /* not IPv4 */ - hlen = (data[14] & 0x0f) * 4; -@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length) - return; - } - -- if (plen < csum_offset+2) -- return; -+ if (plen < csum_offset + 2 || 14 + hlen + plen > length) { -+ return; -+ } - - data[14+hlen+csum_offset] = 0; - data[14+hlen+csum_offset+1] = 0; --- -2.1.4 - diff --git a/debian/patches/extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch b/debian/patches/extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch deleted file mode 100644 index 3426471..0000000 --- a/debian/patches/extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch +++ /dev/null @@ -1,159 +0,0 @@ -From patchwork Thu Feb 18 19:31:00 2016 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 8bit -Subject: fw_cfg: unbreak migration compatibility for 2.4 and earlier machines -From: Laszlo Ersek -X-Patchwork-Id: 584876 -Message-Id: <1455823860-22268-1-git-send-email-lersek@redhat.com> -To: qemu-devel@nongnu.org -Cc: =?UTF-8?q?Marc=20Mar=ED?= , - Gerd Hoffmann , - Alexandre DERUMIER , qemu-stable@nongnu.org -Date: Thu, 18 Feb 2016 20:31:00 +0100 - -When I reviewed Marc's fw_cfg DMA patches, I completely missed that the -way we set dma_enabled would break migration. - -Gerd explained the right way (see reference below): dma_enabled should be -set to true by default, and only true->false transitions should be -possible: - -- when the user requests that with - - -global fw_cfg_mem.dma_enabled=off - - or - - -global fw_cfg_io.dma_enabled=off - - as appropriate for the platform, - -- when HW_COMPAT_2_4 dictates it, - -- when board code initializes fw_cfg without requesting DMA support. - -Cc: Marc Marí -Cc: Gerd Hoffmann -Cc: Alexandre DERUMIER -Cc: qemu-stable@nongnu.org -Ref: http://thread.gmane.org/gmane.comp.emulators.qemu/390272/focus=391042 -Ref: https://bugs.launchpad.net/qemu/+bug/1536487 -Suggested-by: Gerd Hoffmann -Signed-off-by: Laszlo Ersek ---- - -Notes: - Tested the following cases with gdb, using qemu-system-x86_64, setting a - breakpoint on (s->dma_enabled) in fw_cfg_init_io_dma(): - - * no special params (DMA enabled) - * -global fw_cfg_io.dma_enabled=off (DMA disabled) - * -M pc-i440fx-2.4 (DMA disabled), similarly with 2.3 and Q35 too - - Also tested the memory mapped case in practice, using - qemu-system-aarch64 -M virt, -kernel / -initrd / -append, with guest - UEFI: - * no special params (DMA enabled) - * -global fw_cfg_mem.dma_enabled=off (DMA disabled) - - Not tested: - * actual migration - * when board code doesn't request DMA support - - Testing feedback from people who use migration would be nice. - - include/hw/compat.h | 8 ++++++++ - hw/nvram/fw_cfg.c | 20 ++++++++++++-------- - 2 files changed, 20 insertions(+), 8 deletions(-) - -diff --git a/include/hw/compat.h b/include/hw/compat.h -index 2ebe739fcb5c..a5dbbf8984b1 100644 -index d0b1c4f..b7973db 100644 ---- a/include/hw/compat.h -+++ b/include/hw/compat.h -@@ -18,6 +18,14 @@ - .driver = "virtio-pci",\ - .property = "migrate-extra",\ - .value = "off",\ -+ },{\ -+ .driver = "fw_cfg_mem",\ -+ .property = "dma_enabled",\ -+ .value = "off",\ -+ },{\ -+ .driver = "fw_cfg_io",\ -+ .property = "dma_enabled",\ -+ .value = "off",\ - }, - - #define HW_COMPAT_2_3 \ -diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c -index 79c5742b3362..f3acb47bd4dc 100644 ---- a/hw/nvram/fw_cfg.c -+++ b/hw/nvram/fw_cfg.c -@@ -778,17 +778,19 @@ FWCfgState *fw_cfg_init_io_dma(uint32_t iobase, uint32_t dma_iobase, - DeviceState *dev; - FWCfgState *s; - uint32_t version = FW_CFG_VERSION; -- bool dma_enabled = dma_iobase && dma_as; -+ bool dma_requested = dma_iobase && dma_as; - - dev = qdev_create(NULL, TYPE_FW_CFG_IO); - qdev_prop_set_uint32(dev, "iobase", iobase); - qdev_prop_set_uint32(dev, "dma_iobase", dma_iobase); -- qdev_prop_set_bit(dev, "dma_enabled", dma_enabled); -+ if (!dma_requested) { -+ qdev_prop_set_bit(dev, "dma_enabled", false); -+ } - - fw_cfg_init1(dev); - s = FW_CFG(dev); - -- if (dma_enabled) { -+ if (s->dma_enabled) { - /* 64 bits for the address field */ - s->dma_as = dma_as; - s->dma_addr = 0; -@@ -814,11 +816,13 @@ FWCfgState *fw_cfg_init_mem_wide(hwaddr ctl_addr, - SysBusDevice *sbd; - FWCfgState *s; - uint32_t version = FW_CFG_VERSION; -- bool dma_enabled = dma_addr && dma_as; -+ bool dma_requested = dma_addr && dma_as; - - dev = qdev_create(NULL, TYPE_FW_CFG_MEM); - qdev_prop_set_uint32(dev, "data_width", data_width); -- qdev_prop_set_bit(dev, "dma_enabled", dma_enabled); -+ if (!dma_requested) { -+ qdev_prop_set_bit(dev, "dma_enabled", false); -+ } - - fw_cfg_init1(dev); - -@@ -828,7 +832,7 @@ FWCfgState *fw_cfg_init_mem_wide(hwaddr ctl_addr, - - s = FW_CFG(dev); - -- if (dma_enabled) { -+ if (s->dma_enabled) { - s->dma_as = dma_as; - s->dma_addr = 0; - sysbus_mmio_map(sbd, 2, dma_addr); -@@ -873,7 +877,7 @@ static Property fw_cfg_io_properties[] = { - DEFINE_PROP_UINT32("iobase", FWCfgIoState, iobase, -1), - DEFINE_PROP_UINT32("dma_iobase", FWCfgIoState, dma_iobase, -1), - DEFINE_PROP_BOOL("dma_enabled", FWCfgIoState, parent_obj.dma_enabled, -- false), -+ true), - DEFINE_PROP_END_OF_LIST(), - }; - -@@ -913,7 +917,7 @@ static const TypeInfo fw_cfg_io_info = { - static Property fw_cfg_mem_properties[] = { - DEFINE_PROP_UINT32("data_width", FWCfgMemState, data_width, -1), - DEFINE_PROP_BOOL("dma_enabled", FWCfgMemState, parent_obj.dma_enabled, -- false), -+ true), - DEFINE_PROP_END_OF_LIST(), - }; - diff --git a/debian/patches/extra/vmxnet3-host-memory-leakage.patch b/debian/patches/extra/vmxnet3-host-memory-leakage.patch deleted file mode 100644 index dcc76b9..0000000 --- a/debian/patches/extra/vmxnet3-host-memory-leakage.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 3ef66b01874fcc2fe3bfc73d2b61ee3a5b29fdb6 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Tue, 15 Dec 2015 12:17:28 +0530 -Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device - -Vmxnet3 device emulator does not check if the device is active -before activating it, also it did not free the transmit & receive -buffers while deactivating the device, thus resulting in memory -leakage on the host. This patch fixes both these issues to avoid -host memory leakage. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Reviewed-by: Dmitry Fleytman ---- - hw/net/vmxnet3.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index 37373e5..2b4aad7 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s) - - static void vmxnet3_deactivate_device(VMXNET3State *s) - { -- VMW_CBPRN("Deactivating vmxnet3..."); -- s->device_active = false; -+ if (s->device_active) { -+ VMW_CBPRN("Deactivating vmxnet3..."); -+ vmxnet_tx_pkt_reset(s->tx_pkt); -+ vmxnet_tx_pkt_uninit(s->tx_pkt); -+ vmxnet_rx_pkt_uninit(s->rx_pkt); -+ s->device_active = false; -+ } - } - - static void vmxnet3_reset(VMXNET3State *s) -@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s) - - vmxnet3_deactivate_device(s); - vmxnet3_reset_interrupt_states(s); -- vmxnet_tx_pkt_reset(s->tx_pkt); - s->drv_shmem = 0; - s->tx_sop = true; - s->skip_current_tx_pkt = false; -@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s) - return; - } - -+ /* Verify if device is active */ -+ if (s->device_active) { -+ VMW_CFPRN("Vmxnet3 device is active"); -+ return; -+ } -+ - vmxnet3_adjust_by_guest_type(s); - vmxnet3_update_features(s); - vmxnet3_update_pm_state(s); -@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd) - break; - - case VMXNET3_CMD_QUIESCE_DEV: -- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); -+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); - vmxnet3_deactivate_device(s); - break; - -@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque, - * shared address only after we get the high part - */ - if (val == 0) { -- s->device_active = false; -+ vmxnet3_deactivate_device(s); - } - s->temp_shared_guest_driver_memory = val; - s->drv_shmem = 0; -@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s) - static void vmxnet3_net_uninit(VMXNET3State *s) - { - g_free(s->mcast_list); -- vmxnet_tx_pkt_reset(s->tx_pkt); -- vmxnet_tx_pkt_uninit(s->tx_pkt); -- vmxnet_rx_pkt_uninit(s->rx_pkt); -+ vmxnet3_deactivate_device(s); - qemu_del_nic(s->nic); - } - --- -2.4.3 - diff --git a/debian/patches/series b/debian/patches/series index e8f1710..3ff759d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -42,23 +42,9 @@ pve/0041-PVE-VNC-authentication.patch pve/0042-vma-writer-don-t-bail-out-on-zero-length-files.patch pve/0043-vma-better-driver-guessing-for-bdrv_open.patch pve/0044-block-add-zeroinit.patch -extra/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch -extra/CVE-2015-8613-scsi-initialize-info-object.patch -extra/CVE-2015-8701-net-rocker-off-by-one.patch -extra/CVE-2015-8743-ne2000-ioport-bounds-check.patch -extra/vmxnet3-host-memory-leakage.patch -extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch -extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch -extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch -extra/CVE-2016-2197-ahci-null-pointer.patch extra/CVE-2016-2198-ehci-null-pointer.patch extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch -extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch -extra/fw_cfg-unbreak-migration-compatibility-for-2.4.patch -extra/CVE-2016-2538-usb-check-RNDIS-message-length.patch -extra/CVE-2016-2841-net-ne2000-check-ring-buffer-control-registers.patch -extra/CVE-2016-2857-net-check-packet-payload-length.patch extra/0001-rng-remove-the-unused-request-cancellation-code.patch extra/0002-rng-move-request-queue-from-RngEgd-to-RngBackend.patch extra/0003-rng-move-request-queue-cleanup-from-RngEgd-to-RngBac.patch