From 717a79aa50e06c7ce4f719859724c92747c6368a Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Mon, 1 Feb 2016 10:57:25 +0100
Subject: [PATCH] Fix CVE-2016-2197 and CVE-2016-2198
CVE-2016-2197: ide: ahci: add check before calling dma_memory_unmap
CVE-2016-2198: usb: ehci: add capability mmio write function
---
 .../CVE-2016-2197-ahci-null-pointer.patch | 55 +++++++++++++++++++
 .../CVE-2016-2198-ehci-null-pointer.patch | 44 +++++++++++++++
 debian/patches/series | 2 +
 3 files changed, 101 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch
 create mode 100644 debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
diff --git a/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch b/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch
new file mode 100644
index 0000000..1a3da44
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-2197-ahci-null-pointer.patch
@@ -0,0 +1,55 @@
+From 867dcfc8c153c463090b972c2afc7b90700bab91 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 29 Jan 2016 01:18:50 +0530
+Subject: [PATCH 2/2] ide: ahci: add check before calling dma_memory_unmap
+
+When IDE AHCI emulation uses Frame Information Structures(FIS)
+engine for data transfer, the mapped FIS buffer address is stored
+in a static 'bounce.buffer'. When a request is made to map another
+memory region, address_space_map() returns NULL because
+'bounce.buffer' is in_use. It leads to a null pointer dereference
+error while doing 'dma_memory_unmap'. Add a check to avoid it.
+
+Reported-by: Zuozhi fzz
+Signed-off-by: Prasad J Pandit
+---
+ hw/ide/ahci.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index dd1912e..ea351fe 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
+ 
+ static void ahci_unmap_fis_address(AHCIDevice *ad)
+ {
+- dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
+- DMA_DIRECTION_FROM_DEVICE, 256);
+- ad->res_fis = NULL;
++ if (ad->res_fis) {
++ dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
++ DMA_DIRECTION_FROM_DEVICE, 256);
++ ad->res_fis = NULL;
++ }
+ }
+ 
+ static bool ahci_map_clb_address(AHCIDevice *ad)
+@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
+ 
+ static void ahci_unmap_clb_address(AHCIDevice *ad)
+ {
+- dma_memory_unmap(ad->hba->as, ad->lst, 1024,
+- DMA_DIRECTION_FROM_DEVICE, 1024);
+- ad->lst = NULL;
++ if (ad->lst) {
++ dma_memory_unmap(ad->hba->as, ad->lst, 1024,
++ DMA_DIRECTION_FROM_DEVICE, 1024);
++ ad->lst = NULL;
++ }
+ }
+ 
+ static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs)
+-- 
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch b/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
new file mode 100644
index 0000000..640fa2b
--- /dev/null
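Review bot: The new `if (ad->res_fis)` and `if (ad->lst)` guards in `ahci_unmap_fis_address` and `ahci_unmap_clb_address` carry no comment, so the next reader cannot tell whether a NULL pointer here is an expected state or a leftover bug; a line such as `/* NULL if the guest never mapped the region or dma_memory_map failed (bounce buffer in use); unmapping it would dereference NULL (CVE-2016-2197). */` above each guard would record why the check exists. The guard is only sufficient if the map side stores the `dma_memory_map` result straight into `ad->res_fis`/`ad->lst`, so a failed map leaves NULL rather than a stale pointer from an earlier mapping; `ahci_map_fis_address` and `ahci_map_clb_address` sit outside the hunk, so this is worth confirming against the backported tree. The hunk context shows only that both map helpers return `bool`; whether their callers act on a `false` return is likewise not visible here.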
+++ b/debian/patches/extra/CVE-2016-2198-ehci-null-pointer.patch
@@ -0,0 +1,44 @@
+From f1a42b805bb9290e7c03358ce803c311f5aa8a69 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 29 Jan 2016 18:30:34 +0530
+Subject: [PATCH 1/2] usb: ehci: add capability mmio write function
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz
+Signed-off-by: Prasad J Pandit
+---
+ hw/usb/hcd-ehci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..5f726a9 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
+ return s->caps[addr];
+ }
+ 
++static void ehci_caps_write(void *ptr, hwaddr addr,
++ uint64_t val, unsigned size)
++{
++}
++
+ static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+ unsigned size)
+ {
+@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaque)
+ 
+ static const MemoryRegionOps ehci_mmio_caps_ops = {
+ .read = ehci_caps_read,
++ .write = ehci_caps_write,
+ .valid.min_access_size = 1,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 1,
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 240f054..0368984 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -48,3 +48,5 @@ extra/CVE-2015-8619-hmp-sendkey-oob-fix.patch
 extra/0001-vnc-clear-vs-tlscreds-after-unparenting-it.patch
 extra/CVE-2016-1922-i386-avoid-null-pointer-dereference.patch
 extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch
+extra/CVE-2016-2197-ahci-null-pointer.patch
+extra/CVE-2016-2198-ehci-null-pointer.patch
-- 
2.39.2
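Review bot: The empty body of `ehci_caps_write` swallows guest writes to the capability registers with no diagnostic, so a guest driver that misprograms the controller, or a fuzzer probing the region, leaves no trace for the operator; a single `qemu_log_mask(LOG_GUEST_ERROR, "ehci: write to read-only caps register 0x%" HWADDR_PRIx "\n", addr);` would keep the handler a no-op for device state while recording the event, provided `qemu/log.h` is already in scope in hcd-ehci.c, which the hunk does not show. A one-line comment above the definition, `/* Capability registers are read-only; this handler exists so the memory core never dispatches a guest write to a NULL .write (CVE-2016-2198). */`, would make clear that the do-nothing function is deliberate. The same shape of bug, a `MemoryRegionOps` with `.read` but no `.write`, is guest-triggerable wherever it occurs, so a grep for other ops tables lacking `.write` may be worthwhile while this backport is being applied.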