From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 7 Jan 2016 10:11:10 +0000 (+0100)
Subject: fixes for CVEs 2015-7549, 2015-8858 and for vmxnet3
X-Git-Url: https://git.proxmox.com/?p=pve-qemu-kvm.git;a=commitdiff_plain;h=6168d90b3f9dc4d952e284ef474c38656411003f

fixes for CVEs 2015-7549, 2015-8858 and for vmxnet3

The third one has no number assigned yet but was reviewed
and is queued for 2.6 and probably also 2.5.1.
---

diff --git a/debian/patches/CVE-2015-7549-msix-pba-write-ro.patch b/debian/patches/CVE-2015-7549-msix-pba-write-ro.patch
new file mode 100644
index 0000000..631ae37
--- /dev/null
+++ b/debian/patches/CVE-2015-7549-msix-pba-write-ro.patch
@@ -0,0 +1,52 @@
+commit 43b11a91dd861a946b231b89b7542856ade23d1b
+Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Date:   Fri Jun 26 14:25:29 2015 +0200
+
+    msix: implement pba write (but read-only)
+    
+    qpci_msix_pending() writes on pba region, causing qemu to SEGV:
+    
+      Program received signal SIGSEGV, Segmentation fault.
+      [Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
+      0x0000000000000000 in ?? ()
+      (gdb) bt
+      #0  0x0000000000000000 in  ()
+      #1  0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
+      #2  0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e <memory_region_oldmmio_write_accessor>, mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
+      #3  0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at /home/elmarco/src/qemu/memory.c:1176
+      #4  0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 <address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
+      #5  0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
+      #6  0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80
+      #7  0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
+      #8  0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
+      #9  0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581
+      #10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
+      #11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
+      #12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122
+    
+    (without this patch, this can be reproduced with the ivshmem qtest)
+    
+    Implement an empty mmio write to avoid the crash.
+    
+    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+
+diff --git a/hw/pci/msix.c b/hw/pci/msix.c
+index 2fdada4..64c93d8 100644
+--- a/hw/pci/msix.c
++++ b/hw/pci/msix.c
+@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr,
+     return pci_get_long(dev->msix_pba + addr);
+ }
+ 
++static void msix_pba_mmio_write(void *opaque, hwaddr addr,
++                                uint64_t val, unsigned size)
++{
++}
++
+ static const MemoryRegionOps msix_pba_mmio_ops = {
+     .read = msix_pba_mmio_read,
++    .write = msix_pba_mmio_write,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+     .valid = {
+         .min_access_size = 4,
diff --git a/debian/patches/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch b/debian/patches/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
new file mode 100644
index 0000000..743b68d
--- /dev/null
+++ b/debian/patches/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
@@ -0,0 +1,49 @@
+From: Gerd Hoffmann
+Subject: [Qemu-devel] [PULL 5/5] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction.  That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Tested-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..d07f228 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+     USBDevice *dev;
+     USBEndpoint *ep;
+-    uint32_t i, len, pid, dir, devaddr, endp;
++    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+     uint32_t pg, off, ptr1, ptr2, max, mult;
+ 
+     ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+                 ehci_raise_irq(ehci, USBSTS_INT);
+             }
+             itd->transact[i] &= ~ITD_XACT_ACTIVE;
++            xfers++;
+         }
+     }
+-    return 0;
++    return xfers ? 0 : -1;
+ }
+ 
+ 
+-- 
+1.8.3.1
+
+
+
+
diff --git a/debian/patches/series b/debian/patches/series
index 5ee8bb8..364a7af 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -42,3 +42,6 @@ net-add-checks-to-validate-ring-buffer-pointers.patch
 CVE-2015-1779-incrementally-decode-websocket-frames.patch
 CVE-2015-1779-limit-size-of-HTTP-headers-from-websockets-clients.patch
 0001-ui-vnc-avoid-floating-point-exception.patch
+CVE-2015-7549-msix-pba-write-ro.patch
+CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
+vmxnet3-host-memory-leakage.patch
diff --git a/debian/patches/vmxnet3-host-memory-leakage.patch b/debian/patches/vmxnet3-host-memory-leakage.patch
new file mode 100644
index 0000000..dcc76b9
--- /dev/null
+++ b/debian/patches/vmxnet3-host-memory-leakage.patch
@@ -0,0 +1,91 @@
+From 3ef66b01874fcc2fe3bfc73d2b61ee3a5b29fdb6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Dec 2015 12:17:28 +0530
+Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
+
+Vmxnet3 device emulator does not check if the device is active
+before activating it, also it did not free the transmit & receive
+buffers while deactivating the device, thus resulting in memory
+leakage on the host. This patch fixes both these issues to avoid
+host memory leakage.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+---
+ hw/net/vmxnet3.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 37373e5..2b4aad7 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
+ 
+ static void vmxnet3_deactivate_device(VMXNET3State *s)
+ {
+-    VMW_CBPRN("Deactivating vmxnet3...");
+-    s->device_active = false;
++    if (s->device_active) {
++        VMW_CBPRN("Deactivating vmxnet3...");
++        vmxnet_tx_pkt_reset(s->tx_pkt);
++        vmxnet_tx_pkt_uninit(s->tx_pkt);
++        vmxnet_rx_pkt_uninit(s->rx_pkt);
++        s->device_active = false;
++    }
+ }
+ 
+ static void vmxnet3_reset(VMXNET3State *s)
+@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
+ 
+     vmxnet3_deactivate_device(s);
+     vmxnet3_reset_interrupt_states(s);
+-    vmxnet_tx_pkt_reset(s->tx_pkt);
+     s->drv_shmem = 0;
+     s->tx_sop = true;
+     s->skip_current_tx_pkt = false;
+@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         return;
+     }
+ 
++    /* Verify if device is active */
++    if (s->device_active) {
++        VMW_CFPRN("Vmxnet3 device is active");
++        return;
++    }
++
+     vmxnet3_adjust_by_guest_type(s);
+     vmxnet3_update_features(s);
+     vmxnet3_update_pm_state(s);
+@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
+         break;
+ 
+     case VMXNET3_CMD_QUIESCE_DEV:
+-        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
++        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
+         vmxnet3_deactivate_device(s);
+         break;
+ 
+@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
+          * shared address only after we get the high part
+          */
+         if (val == 0) {
+-            s->device_active = false;
++            vmxnet3_deactivate_device(s);
+         }
+         s->temp_shared_guest_driver_memory = val;
+         s->drv_shmem = 0;
+@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
+ static void vmxnet3_net_uninit(VMXNET3State *s)
+ {
+     g_free(s->mcast_list);
+-    vmxnet_tx_pkt_reset(s->tx_pkt);
+-    vmxnet_tx_pkt_uninit(s->tx_pkt);
+-    vmxnet_rx_pkt_uninit(s->rx_pkt);
++    vmxnet3_deactivate_device(s);
+     qemu_del_nic(s->nic);
+ }
+ 
+-- 
+2.4.3
+