From 6ccd2869953886e2605ada381819b7d39c8d3742 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Mon, 19 Sep 2016 09:58:14 +0200
Subject: [PATCH] various CVE fixes

CVE-2016-7170: vmsvga: correct bitmap and pixmap size checks
CVE-2016-7421: scsi: pvscsi: limit process IO loop to ring size
CVE-2016-7423: scsi: mptsas: use g_new0 to allocate MPTSASRequest object
---
 ...orrect-bitmap-and-pixmap-size-checks.patch | 45 +++++++++++++++++++
 ...i-limit-process-IO-loop-to-ring-size.patch | 38 ++++++++++++++++
 ...g_new0-to-allocate-MPTSASRequest-obj.patch | 35 +++++++++++++++
 debian/patches/series                         |  3 ++
 4 files changed, 121 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
 create mode 100644 debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
 create mode 100644 debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch

diff --git a/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
new file mode 100644
index 0000000..732f679
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
@@ -0,0 +1,45 @@
+From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 8 Sep 2016 18:15:54 +0530
+Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
+
+When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
+the computed BITMAP and PIXMAP size are checked against the
+'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
+Correct these checks to avoid OOB memory access.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/vmware_vga.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index e51a05e..6599cf0 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+             cursor.bpp = vmsvga_fifo_read(s);
+ 
+             args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
+-            if (cursor.width > 256 ||
+-                cursor.height > 256 ||
+-                cursor.bpp > 32 ||
+-                SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+-                SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
++            if (cursor.width > 256
++                || cursor.height > 256
++                || cursor.bpp > 32
++                || SVGA_BITMAP_SIZE(x, y)
++                    > sizeof(cursor.mask) / sizeof(cursor.mask[0])
++                || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
++                    > sizeof(cursor.image) / sizeof(cursor.image[0])) {
+                     goto badcmd;
+             }
+ 
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
new file mode 100644
index 0000000..05ab4a5
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
@@ -0,0 +1,38 @@
+From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 14 Sep 2016 15:09:12 +0530
+Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
+
+Vmware Paravirtual SCSI emulator while processing IO requests
+could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
+always returned positive value. Limit IO loop to the ring size.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/vmw_pvscsi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index babac5a..a5ce7de 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -247,8 +247,11 @@ static hwaddr
+ pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
+ {
+     uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
++    uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
++                            * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+ 
+-    if (ready_ptr != mgr->consumed_ptr) {
++    if (ready_ptr != mgr->consumed_ptr
++        && ready_ptr - mgr->consumed_ptr < ring_size) {
+         uint32_t next_ready_ptr =
+             mgr->consumed_ptr++ & mgr->txr_len_mask;
+         uint32_t next_ready_page =
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
new file mode 100644
index 0000000..f1ba947
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
@@ -0,0 +1,35 @@
+From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 12 Sep 2016 18:14:11 +0530
+Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/mptsas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 0e0a22f..eaae1bb 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+         goto bad;
+     }
+ 
+-    req = g_new(MPTSASRequest, 1);
++    req = g_new0(MPTSASRequest, 1);
+     QTAILQ_INSERT_TAIL(&s->pending, req, next);
+     req->scsi_io = *scsi_io;
+     req->dev = s;
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index d1470ba..d6aab89 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -74,3 +74,6 @@ extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
 extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
 extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
 extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch
+extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
+extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
+extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
-- 
2.39.2