From: Wolfgang Bumiller Date: Tue, 24 May 2016 10:50:03 +0000 (+0200) Subject: Fix CVE-2016-4952 X-Git-Url: https://git.proxmox.com/?p=pve-qemu-kvm.git;a=commitdiff_plain;h=7795e994cb8e25930061edf0f4af51f4cb7f642d Fix CVE-2016-4952 scsi: pvscsi: check command descriptor ring buffer size --- diff --git a/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch b/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch new file mode 100644 index 0000000..b3187f9 --- /dev/null +++ b/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch @@ -0,0 +1,97 @@ +From 6b7e3826cdc316808bd6e866320237049665c417 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 23 May 2016 16:18:05 +0530 +Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size + +Vmware Paravirtual SCSI emulation uses command descriptors to +process SCSI commands. These descriptors come with their ring +buffers. A guest could set the ring buffer size to an arbitrary +value leading to OOB access issue. Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 9c71f31..a6c5cc4 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -126,7 +126,7 @@ pvscsi_log2(uint32_t input) + return log; + } + +-static void ++static int + pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + { + int i; +@@ -134,6 +134,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + uint32_t req_ring_size, cmp_ring_size; + m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; + ++ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) ++ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { ++ return -1; ++ } + req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; + txr_len_log2 = pvscsi_log2(req_ring_size - 1); +@@ -165,15 +169,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + + /* Flush ring state page changes */ + smp_wmb(); ++ ++ return 0; + } + +-static void ++static int + pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) + { + int i; + uint32_t len_log2; + uint32_t ring_size; + ++ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { ++ return -1; ++ } + ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; + len_log2 = pvscsi_log2(ring_size - 1); + +@@ -193,6 +202,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) + + /* Flush ring state page changes */ + smp_wmb(); ++ ++ return 0; + } + + static void +@@ -743,7 +754,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) + trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); + + pvscsi_dbg_dump_tx_rings_config(rc); +- pvscsi_ring_init_data(&s->rings, rc); ++ if (pvscsi_ring_init_data(&s->rings, rc) < 0) { ++ return PVSCSI_COMMAND_PROCESSING_FAILED; ++ } ++ + s->rings_info_valid = TRUE; + return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; + } +@@ -823,7 +837,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s) + } + + if (s->rings_info_valid) { +- pvscsi_ring_init_msg(&s->rings, rc); ++ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) { ++ return PVSCSI_COMMAND_PROCESSING_FAILED; ++ } + s->msg_ring_info_valid = TRUE; + } + return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t); +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 6d0d70b..fe89dd1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -54,3 +54,4 @@ extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch extra/0001-i386-kvmvapic-initialise-imm32-variable.patch extra/0001-vga-add-sr_vbe-register-set.patch +extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch