From d37b55659ea00aca148a89aa2c78fc8b6b6184df Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Mon, 7 Nov 2016 11:10:01 +0100 Subject: [PATCH] various fixes CVE-2016-8909: audio: intel-hda: check stream entry count during transfer CVE-2016-8910: net: rtl8139: limit processing of ring descriptors CVE-2016-9101: net: eepro100: fix memory leak in device uninit CVE-2016-9102: 9pfs: fix memory leak in v9fs_xattrcreate CVE-2016-9103: 9pfs: fix information leak in xattr read CVE-2016-9104: 9pfs: fix integer overflow issue in xattr read/write CVE-2016-9105: 9pfs: fix memory leak in v9fs_link CVE-2016-9106: 9pfs: fix memory leak in v9fs_write --- ...check-stream-entry-count-during-tran.patch | 39 ++++++++ ...limit-processing-of-ring-descriptors.patch | 34 +++++++ ...100-fix-memory-leak-in-device-uninit.patch | 30 ++++++ ...-fix-memory-leak-in-v9fs_xattrcreate.patch | 34 +++++++ ...s-fix-information-leak-in-xattr-read.patch | 32 +++++++ ...r-overflow-issue-in-xattr-read-write.patch | 92 +++++++++++++++++++ ...05-9pfs-fix-memory-leak-in-v9fs_link.patch | 32 +++++++ ...6-9pfs-fix-memory-leak-in-v9fs_write.patch | 33 +++++++ debian/patches/series | 8 ++ 9 files changed, 334 insertions(+) create mode 100644 debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch create mode 100644 debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch create mode 100644 debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch create mode 100644 debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch create mode 100644 debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch create mode 100644 debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch create mode 100644 debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch create mode 100644 debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch 
diff --git a/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch b/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
new file mode 100644
index 0000000..d8102b3
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
@@ -0,0 +1,39 @@
+From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 20 Oct 2016 13:10:24 +0530
+Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
+ transfer
+
+Intel HDA emulator uses stream of buffers during DMA data
+transfers. Each entry has buffer length and buffer pointer
+position, which are used to derive bytes to 'copy'. If this
+length and buffer pointer were to be same, 'copy' could be
+set to zero(0), leading to an infinite loop. Add check to
+avoid it.
+
+Reported-by: Huawei PSIRT
+Signed-off-by: Prasad J Pandit
+Reviewed-by: Stefan Hajnoczi
+Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/audio/intel-hda.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index cd95340..537face 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+ }
+
+ left = len;
+- while (left > 0) {
++ s = st->bentries;
++ while (left > 0 && s-- > 0) {
+ copy = left;
+ if (copy > st->bsize - st->lpib)
+ copy = st->bsize - st->lpib;
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch b/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
new file mode 100644
index 0000000..eedbd17
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
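Review bot: The new loop bound `s = st->bentries;` / `while (left > 0 && s-- > 0)` reuses `s`, whose declaration and earlier role are outside this hunk, as a countdown, and nothing at the loop says why a bound is needed at all; the reason (a `copy` of zero when `st->lpib` equals `st->bsize`, so `left` never shrinks) lives only in the commit message. A dedicated local, e.g. `int entries = st->bentries;` with the condition `while (left > 0 && entries-- > 0)`, plus a comment such as `/* bound by the buffer-entry count: a zero-byte copy would otherwise never advance left */`, would make the intent survive without the changelog. The type of `s` is not visible here, but the comparison `s-- > 0` terminates on the first test when `st->bentries` is 0 whether `s` is signed or unsigned. intel_hda_xfer starts and ends outside the hunk.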
@@ -0,0 +1,34 @@
+From 8dea1624f9166d9dd52074c98f744e4a1e13a616 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 21 Oct 2016 17:39:29 +0530
+Subject: [PATCH 2/8] net: rtl8139: limit processing of ring descriptors
+
+RTL8139 ethernet controller in C+ mode supports multiple
+descriptor rings, each with maximum of 64 descriptors. While
+processing transmit descriptor ring in 'rtl8139_cplus_transmit',
+it does not limit the descriptor count and runs forever. Add
+check to avoid it.
+
+Reported-by: Andrew Henderson
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Jason Wang
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 3345bc6..f05e59c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
+ {
+ int txcount = 0;
+
+- while (rtl8139_cplus_transmit_one(s))
++ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
+ {
+ ++txcount;
+ }
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch b/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
new file mode 100644
index 0000000..0ae895a
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
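Review bot: The bound in `while (txcount < 64 && rtl8139_cplus_transmit_one(s))` is a bare magic number; the fact that 64 is the per-ring descriptor maximum of the C+ mode is stated only in the commit message. A named constant (an enum or `#define` for the C+ TX ring size, placed with the device's other ring definitions) and a one-line comment at the loop, e.g. `/* a C+ ring holds at most 64 descriptors; stop there so a looping ring cannot stall the device */`, would tie the limit to the hardware fact it encodes. rtl8139_cplus_transmit's body continues past the hunk.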
@@ -0,0 +1,30 @@
+From 1fab838b55ee7cc199b105d80de4a80f336231b3 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Sat, 8 Oct 2016 05:07:25 -0700
+Subject: [PATCH 3/8] net: eepro100: fix memory leak in device uninit
+
+The exit dispatch of eepro100 network card device doesn't free
+the 's->vmstate' field which was allocated in device realize thus
+leading a host memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang
+Signed-off-by: Jason Wang
+---
+ hw/net/eepro100.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index bab4dbf..4bf71f2 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
+ EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
+
+ vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
++ g_free(s->vmstate);
+ eeprom93xx_free(&pci_dev->qdev, s->eeprom);
+ qemu_del_nic(s->nic);
+ }
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch b/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
new file mode 100644
index 0000000..cad4baf
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
@@ -0,0 +1,34 @@
+From f132108afabf074403afadf822ad2d2275d115cd Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 5/8] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 3becdd0..f5af4e3 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++ g_free(xattr_fidp->fs.xattr.value);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch b/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
new file mode 100644
index 0000000..7d84422
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
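Review bot: The added `g_free(xattr_fidp->fs.xattr.value);` is correct only if the field is NULL on a freshly allocated fid, which the hunk cannot show because the fid allocation is outside it; if fids are not zero-initialised the first Txattrcreate on a fid would free an indeterminate pointer, so that is worth confirming against the allocator. The free also carries no explanation, and the scenario it handles (a second Txattrcreate on the same fid before a clunk) is recorded only in the changelog; a comment such as `/* a repeated Txattrcreate on an unclunked fid replaces the previous value buffer */` would keep that reasoning next to the code. Note that `fs.xattr.len` is not updated in the visible lines, so whether the old length is replaced alongside the buffer has to be checked in the surrounding function, which starts outside the hunk.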
@@ -0,0 +1,32 @@
+From 644566ea6fe2896b6b171797cfe6e7219939d968 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 4/8] 9pfs: fix information leak in xattr read
+
+9pfs uses g_malloc() to allocate the xattr memory space, if the guest
+reads this memory before writing to it, this will leak host heap memory
+to the guest. This patch avoid this.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 75ba5f1..3becdd0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3269,7 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
+ out_nofid:
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch b/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
new file mode 100644
index 0000000..eec6b2a
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
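Review bot: Switching to `g_malloc0(size)` closes the uninitialised-heap disclosure, but the visible lines apply no upper bound to `size`, which the companion changelog describes as coming from the client's Txattrcreate message; GLib's g_malloc0 aborts the process on allocation failure rather than returning NULL, so an unchecked size should be capped early in v9fs_xattrcreate, before the fid lookups, with something like `if (size > XATTR_SIZE_MAX) { err = -E2BIG; goto out_nofid; }`. Whether such a check already exists cannot be seen here because the function starts outside the hunk; if it does, a one-line comment at the allocation pointing to it would save the next reader the same search. The `out_nofid:` label is visible in the context, so the early-exit path already exists.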
@@ -0,0 +1,92 @@
+From 86a37b0a0ed8f32db819782ca4a367712ece1453 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 1 Nov 2016 12:00:40 +0100
+Subject: [PATCH 8/8] 9pfs: fix integer overflow issue in xattr read/write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
+originated offset: they must ensure this offset does not go beyond
+the size of the extended attribute that was set in v9fs_xattrcreate().
+Unfortunately, the current code implement these checks with unsafe
+calculations on 32 and 64 bit values, which may allow a malicious
+guest to cause OOB access anyway.
+
+Fix this by comparing the offset and the xattr size, which are
+both uint64_t, before trying to compute the effective number of bytes
+to read or write.
+
+Suggested-by: Greg Kurz
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Reviewed-By: Guido Günther
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index af07846..fc4f2cd 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ ssize_t err;
+ size_t offset = 7;
+- int read_count;
+- int64_t xattr_len;
++ uint64_t read_count;
+ V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
+ VirtQueueElement *elem = v->elems[pdu->idx];
+
+- xattr_len = fidp->fs.xattr.len;
+- read_count = xattr_len - off;
++ if (fidp->fs.xattr.len < off) {
++ read_count = 0;
++ } else {
++ read_count = fidp->fs.xattr.len - off;
++ }
+ if (read_count > max_count) {
+ read_count = max_count;
+- } else if (read_count < 0) {
+- /*
+- * read beyond XATTR value
+- */
+- read_count = 0;
+ }
+ err = pdu_marshal(pdu, offset, "d", read_count);
+ if (err < 0) {
+@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ int i, to_copy;
+ ssize_t err = 0;
+- int write_count;
+- int64_t xattr_len;
++ uint64_t write_count;
+ size_t offset = 7;
+
+
+- xattr_len = fidp->fs.xattr.len;
+- write_count = xattr_len - off;
+- if (write_count > count) {
+- write_count = count;
+- } else if (write_count < 0) {
+- /*
+- * write beyond XATTR value len specified in
+- * xattrcreate
+- */
++ if (fidp->fs.xattr.len < off) {
+ err = -ENOSPC;
+ goto out;
+ }
++ write_count = fidp->fs.xattr.len - off;
++ if (write_count > count) {
++ write_count = count;
++ }
+ err = pdu_marshal(pdu, offset, "d", write_count);
+ if (err < 0) {
+ return err;
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch b/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
new file mode 100644
index 0000000..9138249
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
@@ -0,0 +1,32 @@
+From 94979ec1a852871eaee150cb56f0e8cac4316e35 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 6/8] 9pfs: fix memory leak in v9fs_link
+
+The v9fs_link() function keeps a reference on the source fid object. This
+causes a memory leak since the reference never goes down to 0. This patch
+fixes the issue.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index f5af4e3..aa2b8c0 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2403,6 +2403,7 @@ static void v9fs_link(void *opaque)
+ if (!err) {
+ err = offset;
+ }
++ put_fid(pdu, oldfidp);
+ out:
+ put_fid(pdu, dfidp);
+ out_nofid:
+--
+2.1.4
+
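Review bot: `read_count` and `write_count` become `uint64_t` but are still handed to the variadic `pdu_marshal(pdu, offset, "d", read_count)` / `pdu_marshal(pdu, offset, "d", write_count)`, and the `"d"` conversion presumably consumes a 32-bit argument (the marshaller is outside the hunk); the values are clamped to `max_count` and `count` first, so the result fits, but the types of those two parameters are not visible either, and passing a 64-bit object where the callee reads a 32-bit one through va_arg is a type mismatch rather than a safe narrowing. An explicit cast at both call sites, `err = pdu_marshal(pdu, offset, "d", (uint32_t)read_count);` and likewise for `write_count`, documents the narrowing and keeps the varargs contract honest. Both v9fs_xattr_read and v9fs_xattr_write continue past their hunks, so the later uses of the two counters were not reviewed here.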
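Review bot: The new `put_fid(pdu, oldfidp);` is placed just before the `out:` label, so it runs only on the fall-through path; that pairs correctly with the source-fid lookup only if no `goto out` exists between that lookup and this point, which cannot be confirmed because v9fs_link starts outside the hunk. A dedicated label for releasing `oldfidp`, chained ahead of the existing `out:` and `out_nofid:` labels in the same style, would keep the reference balanced if an early exit is ever added between the lookup and the link call. A short comment on the new line naming which lookup it balances would also help, since the matching get_fid is not in view.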
diff --git a/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch b/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
new file mode 100644
index 0000000..3ee8b50
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
@@ -0,0 +1,33 @@
+From 2c5bcb2d5f32ffcf5064d3557e44836fa70700be Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH 7/8] 9pfs: fix memory leak in v9fs_write
+
+If an error occurs when marshalling the transfer length to the guest, the
+v9fs_write() function doesn't free an IO vector, thus leading to a memory
+leak. This patch fixes the issue.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+[groug, rephrased the changelog]
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index aa2b8c0..af07846 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
+ offset = 7;
+ err = pdu_marshal(pdu, offset, "d", total);
+ if (err < 0) {
+- goto out;
++ goto out_qiov;
+ }
+ err += offset;
+ trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index d025009..6c1c308 100644
--- a/debian/patches/series
+++ b/debian/patches/series
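Review bot: `goto out_qiov;` jumps to a label that is outside the hunk, so the fix is complete only if `out_qiov:` releases the I/O vector and then falls through to the fid release at `out:`; the hunk alone cannot show that, and a reviewer applying this backport should check the label chain in v9fs_write, whose body starts and ends outside the hunk. Because this exit now differs from the plain `goto out` used elsewhere in the function, a one-line comment at the site, e.g. `/* the iovec is already set up at this point, so it must be torn down on this error path too */`, would record why the target differs.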
@@ -66,3 +66,11 @@ extra/CVE-2016-8577-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
 extra/CVE-2016-8578-9pfs-allocate-space-for-guest-originated-empty-strin.patch
 extra/CVE-2016-8668-net-rocker-set-limit-to-DMA-buffer-size.patch
 extra/CVE-2016-8669-char-serial-check-divider-value-against-baud-base.patch
+extra/CVE-2016-8910-net-rtl8139-limit-processing-of-ring-descriptors.patch
+extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
+extra/CVE-2016-9103-9pfs-fix-information-leak-in-xattr-read.patch
+extra/CVE-2016-9101-net-eepro100-fix-memory-leak-in-device-uninit.patch
+extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
+extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
+extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
+extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
-- 
2.39.2
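Review bot: The order in which the eight patches are appended to `series` does not follow the order they were generated in: the embedded subjects number them 1/8 through 8/8 and the nested `index` lines of the 9p.c patches form the chain 9103 → 9102 → 9105 → 9106 → 9104, yet `series` lists 8910 before 8909 and 9105 before 9102. The one hard dependency that is visible, 9103 before 9102 (9102's context line already contains the `g_malloc0(size)` that 9103 introduces), is satisfied, and the other hunks touch distinct regions of 9p.c, so quilt will most likely still apply them, but with offset reports that hide a real conflict the next time a patch is refreshed. Listing them in subject order (8909, 8910, 9101, 9103, 9102, 9105, 9106, 9104) would match the blob chain exactly and apply cleanly.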