From f262231e41135d5e9bbcd5b8e3c70e490cfe99b9 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller
Date: Mon, 12 Dec 2016 14:10:54 +0100
Subject: [PATCH] various fixes: CVE-2016-9776: net: mcf: check receive buffer size register value CVE-2016-9845: virtio-gpu: fix information leak in getting capset info dispatch CVE-2016-9846: virtio-gpu: fix memory leak in update_cursor_data_virgl CVE-2016-9907: usbredir: free vm_change_state_handler in usbredir destroy dispatch CVE-2016-9908: virtio-gpu: fix information leak in capset get dispatch CVE-2016-9911: usb: ehci: fix memory leak in ehci_init_transfer CVE-2016-9912: virtio-gpu: call cleanup mapping function in resource destroy CVE-2016-9913: 9pfs: adjust the order of resource cleanup in device unrealize CVE-2016-9914: 9pfs: add cleanup operation in FileOperations CVE-2016-9915: 9pfs: add cleanup operation for handle backend driver CVE-2016-9916: 9pfs: add cleanup operation for proxy backend driver CVE-2016-9921 and CVE-2016-9922: display: cirrus: check vga bits per pixel(bpp) value
---
 ...k-receive-buffer-size-register-value.patch | 34 ++++++++
 ...nformation-leak-in-getting-capset-in.patch | 37 +++++++++
 ...emory-leak-in-update_cursor_data_vir.patch | 36 +++++++++
 ..._change_state_handler-in-usbredir-de.patch | 54 +++++++++++++
 ...nformation-leak-in-capset-get-dispat.patch | 31 +++++++
 ...ix-memory-leak-in-ehci_init_transfer.patch | 31 +++++++
 ...cleanup-mapping-function-in-resource.patch | 39 +++++++++
 ...order-of-resource-cleanup-in-device-.patch | 43 ++++++++++
 ...-cleanup-operation-in-FileOperations.patch | 56 +++++++++++++
 ...-operation-for-handle-backend-driver.patch | 47 +++++++++++
 ...p-operation-for-proxy-backend-driver.patch | 47 +++++++++++
 ...s-check-vga-bits-per-pixel-bpp-value.patch | 81 +++++++++++++++++++
 debian/patches/series | 12 +++
 13 files changed, 548 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
 create mode 100644
debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
 create mode 100644 debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
 create mode 100644 debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
 create mode 100644 debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
 create mode 100644 debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
 create mode 100644 debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
 create mode 100644 debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
 create mode 100644 debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
 create mode 100644 debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
 create mode 100644 debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
 create mode 100644 debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
diff --git a/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch b/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
new file mode 100644
index 0000000..85fa543
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
@@ -0,0 +1,34 @@
+From 2a4848046ad64db5cb1c1090565a28a5cb2c518e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 29 Nov 2016 00:38:39 +0530
+Subject: [PATCH 01/12] net: mcf: check receive buffer size register value
+
+ColdFire Fast Ethernet Controller uses a receive buffer size
+register(EMRBR) to hold maximum size of all receive buffers.
+It is set by a user before any operation. If it was set to be
+zero, ColdFire emulator would go into an infinite loop while
+receiving data in mcf_fec_receive. Add check to avoid it.
+
+Reported-by: Wjjzhang
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Jason Wang
+---
+ hw/net/mcf_fec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index d31fea1..3d4b3b3 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
+ s->tx_descriptor = s->etdsr;
+ break;
+ case 0x188:
+- s->emrbr = value & 0x7f0;
++ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
+ break;
+ default:
+ hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch b/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
new file mode 100644
index 0000000..8bec00a
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
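Review bot: The guard added on the `++ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;` line of the embedded hw/net/mcf_fec.c hunk tests `value`, but what is stored is `value & 0x7F0`, so a nonzero write whose bits 4–10 are all clear (0x0f or 0x800, for instance) still leaves `s->emrbr` at zero, which is exactly the state the nested commit message says makes mcf_fec_receive loop forever. The check belongs on the masked value: `s->emrbr = (value & 0x7F0) ? (value & 0x7F0) : 0x7F0;`. The rest of mcf_fec_write, and the receive loop this protects, are outside the hunk, so whether a zero-length buffer is also rejected on the receive side cannot be confirmed here.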
@@ -0,0 +1,37 @@
+From 71ee39ea06cbcbd1971213aa1f3a9036c50b6a57 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 1 Nov 2016 02:53:11 -0700
+Subject: [PATCH 02/12] virtio-gpu: fix information leak in getting capset info
+ dispatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
+been full initialized before writing to the guest. This will leak
+the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
+patch fix this issue.
+
+Signed-off-by: Li Qiang
+Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
+Reviewed-by: Marc-André Lureau
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/virtio-gpu-3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 758d33a..23f39de 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
+
+ VIRTIO_GPU_FILL_CMD(info);
+
++ memset(&resp, 0, sizeof(resp));
+ if (info.capset_index == 0) {
+ resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+ virgl_renderer_get_cap_set(resp.capset_id,
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch b/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
new file mode 100644
index 0000000..4ba5aa7
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
@@ -0,0 +1,36 @@
+From 74a46afa58632277063ca4990cf0c954f342dd7d Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 1 Nov 2016 04:06:58 -0700
+Subject: [PATCH 03/12] virtio-gpu: fix memory leak in update_cursor_data_virgl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In update_cursor_data_virgl function, if the 'width'/ 'height'
+is not equal to current cursor's width/height it will return
+without free the 'data' allocated previously. This will lead
+a memory leak issue. This patch fix this issue.
+
+Signed-off-by: Li Qiang
+Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
+Reviewed-by: Marc-André Lureau
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/virtio-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 5b6d17b..41f8096 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
+
+ if (width != s->current_cursor->width ||
+ height != s->current_cursor->height) {
++ free(data);
+ return;
+ }
+
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch b/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
new file mode 100644
index 0000000..39a5622
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
@@ -0,0 +1,54 @@
+From 5bbb994dd062eb3950d67db3c6189dab0df7ec9b Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 7 Nov 2016 21:57:46 -0800
+Subject: [PATCH 04/12] usbredir: free vm_change_state_handler in usbredir
+ destroy dispatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In usbredir destroy dispatch function, it doesn't free the vm change
+state handler once registered in usbredir_realize function. This will
+lead a memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Marc-André Lureau
+Message-id: 58216976.d0236b0a.77b99.bcd6@mx.google.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/usb/redirect.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 444672a..42aeaa4 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -132,6 +132,7 @@ struct USBRedirDevice {
+ struct usbredirfilter_rule *filter_rules;
+ int filter_rules_count;
+ int compatible_speedmask;
++ VMChangeStateEntry *vmstate;
+ };
+
+ #define TYPE_USB_REDIR "usb-redir"
+@@ -1409,7 +1410,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
+ qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
+ usbredir_chardev_read, usbredir_chardev_event, dev);
+
+- qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
++ dev->vmstate =
++ qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
+ }
+
+ static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
+@@ -1446,6 +1448,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
+ }
+
+ free(dev->filter_rules);
++ qemu_del_vm_change_state_handler(dev->vmstate);
+ }
+
+ static int usbredir_check_filter(USBRedirDevice *dev)
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch b/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
new file mode 100644
index 0000000..7fe0533
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
@@ -0,0 +1,31 @@
+From bde803ceb42d6bddc06a1881c00acdf203214772 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 1 Nov 2016 05:37:57 -0700
+Subject: [PATCH 10/12] virtio-gpu: fix information leak in capset get dispatch
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
+- resp = g_malloc(sizeof(*resp) + max_size);
++ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch b/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
new file mode 100644
index 0000000..fbe7cd5
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
@@ -0,0 +1,31 @@
+From 824f78bb0135cff4cb29e26c3de1cb4c2da35b46 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 8 Nov 2016 04:11:10 -0800
+Subject: [PATCH 05/12] usb: ehci: fix memory leak in ehci_init_transfer
+
+In ehci_init_transfer function, if the 'cpage' is bigger than 4,
+it doesn't free the 'p->sgl' once allocated previously thus leading
+a memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang
+Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/usb/hcd-ehci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index f4ece9a..7622a3a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
+ while (bytes > 0) {
+ if (cpage > 4) {
+ fprintf(stderr, "cpage out of range (%d)\n", cpage);
++ qemu_sglist_destroy(&p->sgl);
+ return -1;
+ }
+
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch b/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
new file mode 100644
index 0000000..94f51c8
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
@@ -0,0 +1,39 @@
+From efc44f269fe72bab2c496f21809f6bef20d9c398 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 28 Nov 2016 21:29:25 -0500
+Subject: [PATCH 11/12] virtio-gpu: call cleanup mapping function in resource
+ destroy
+
+If the guest destroy the resource before detach banking, the 'iov'
+and 'addrs' field in resource is not freed thus leading memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang
+---
+ hw/display/virtio-gpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 41f8096..8903dee 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -28,6 +28,8 @@
+ static struct virtio_gpu_simple_resource*
+ virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
+
++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
++
+ #ifdef CONFIG_VIRGL
+ #include
+ #define VIRGL(_g, _virgl, _simple, ...) \
+@@ -359,6 +361,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
+ struct virtio_gpu_simple_resource *res)
+ {
+ pixman_image_unref(res->image);
++ virtio_gpu_cleanup_mapping(res);
+ QTAILQ_REMOVE(&g->reslist, res, next);
+ g_free(res);
+ }
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch b/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
new file mode 100644
index 0000000..9db7466
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
@@ -0,0 +1,43 @@
+From 9be364d4b3bc173103bec0dc76259f40d232eb88 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 06/12] 9pfs: adjust the order of resource cleanup in device
+ unrealize
+
+Unrealize should undo things that were set during realize in
+reverse order. So should do in the error path in realize.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index fc4f2cd..ced7b4c 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3490,8 +3490,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+ rc = 0;
+ out:
+ if (rc) {
+- g_free(s->ctx.fs_root);
+ g_free(s->tag);
++ g_free(s->ctx.fs_root);
+ v9fs_path_free(&path);
+ }
+ return rc;
+@@ -3499,8 +3499,8 @@ out:
+
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
+- g_free(s->ctx.fs_root);
+ g_free(s->tag);
++ g_free(s->ctx.fs_root);
+ }
+
+ static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch b/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
new file mode 100644
index 0000000..c6fc38d
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
@@ -0,0 +1,56 @@
+From f2ef9ae2a512fca1df0d56c226adc24ddf002b8b Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 07/12] 9pfs: add cleanup operation in FileOperations
+
+Currently, the backend of VirtFS doesn't have a cleanup
+function. This will lead resource leak issues if the backed
+driver allocates resources. This patch addresses this issue.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ fsdev/file-op-9p.h | 1 +
+ hw/9pfs/9p.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
+index 6db9fea..a56dc84 100644
+--- a/fsdev/file-op-9p.h
++++ b/fsdev/file-op-9p.h
+@@ -100,6 +100,7 @@ struct FileOperations
+ {
+ int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
+ int (*init)(struct FsContext *);
++ void (*cleanup)(struct FsContext *);
+ int (*lstat)(FsContext *, V9fsPath *, struct stat *);
+ ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
+ int (*chmod)(FsContext *, V9fsPath *, FsCred *);
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index ced7b4c..f2a90d4 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3490,6 +3490,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+ rc = 0;
+ out:
+ if (rc) {
++ if (s->ops->cleanup && s->ctx.private) {
++ s->ops->cleanup(&s->ctx);
++ }
+ g_free(s->tag);
+ g_free(s->ctx.fs_root);
+ v9fs_path_free(&path);
+@@ -3499,6 +3502,9 @@ out:
+
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
++ if (s->ops->cleanup) {
++ s->ops->cleanup(&s->ctx);
++ }
+ g_free(s->tag);
+ g_free(s->ctx.fs_root);
+ }
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch b/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
new file mode 100644
index 0000000..cc78623
--- /dev/null
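Review bot: The new `cleanup` member added to FileOperations in the embedded fsdev/file-op-9p.h hunk carries no comment, while its two call sites in the 9p.c hunks guard it differently: the realize error path calls it only when `s->ctx.private` is set, the unrealize path calls it whenever `s->ops->cleanup` is non-NULL. A backend author has to know what state the callback may assume, so I would put above the member: `/* Release what init() allocated; called on unrealize, and on the realize error path once init() has set ctx->private. */`. Whether every backend's init() sets `ctx->private` before returning success is not visible in this patch and should be confirmed; if one does not, the unrealize guard should also test `s->ctx.private` so both paths agree. Both enclosing functions in 9p.c start outside the hunks.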
+++ b/debian/patches/extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
@@ -0,0 +1,47 @@
+From 4196726e44c437793294af15d95e53164cf9a02d Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 08/12] 9pfs: add cleanup operation for handle backend driver
+
+In the init operation of handle backend dirver, it allocates a
+handle_data struct and opens a mount file. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p-handle.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
+index 3d77594..1687661 100644
+--- a/hw/9pfs/9p-handle.c
++++ b/hw/9pfs/9p-handle.c
+@@ -649,6 +649,14 @@ out:
+ return ret;
+ }
+
++static void handle_cleanup(FsContext *ctx)
++{
++ struct handle_data *data = ctx->private;
++
++ close(data->mountfd);
++ g_free(data);
++}
++
+ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ {
+ const char *sec_model = qemu_opt_get(opts, "security_model");
+@@ -671,6 +679,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ FileOperations handle_ops = {
+ .parse_opts = handle_parse_opts,
+ .init = handle_init,
++ .cleanup = handle_cleanup,
+ .lstat = handle_lstat,
+ .readlink = handle_readlink,
+ .close = handle_close,
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch b/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
new file mode 100644
index 0000000..78c49cb
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
@@ -0,0 +1,47 @@
+From ae9b5c9dae96dd8d3bdf9bb6b9a0f7a2d6f532f7 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH 09/12] 9pfs: add cleanup operation for proxy backend driver
+
+In the init operation of proxy backend dirver, it allocates a
+V9fsProxy struct and some other resources. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p-proxy.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
+index f265501..336e9fe 100644
+--- a/hw/9pfs/9p-proxy.c
++++ b/hw/9pfs/9p-proxy.c
+@@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)
+ return 0;
+ }
+
++static void proxy_cleanup(FsContext *ctx)
++{
++ V9fsProxy *proxy = ctx->private;
++
++ g_free(proxy->out_iovec.iov_base);
++ g_free(proxy->in_iovec.iov_base);
++ if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
++ close(proxy->sockfd);
++ }
++ g_free(proxy);
++}
++
+ FileOperations proxy_ops = {
+ .parse_opts = proxy_parse_opts,
+ .init = proxy_init,
++ .cleanup = proxy_cleanup,
+ .lstat = proxy_lstat,
+ .readlink = proxy_readlink,
+ .close = proxy_close,
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
new file mode 100644
index 0000000..acaeb95
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
@@ -0,0 +1,81 @@
+From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 18 Oct 2016 13:15:17 +0530
+Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value
+
+In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
+'cirrus_get_bpp' returns zero(0), which could lead to a divide
+by zero error in while copying pixel data. The same could occur
+via blit pitch values. Add check to avoid it.
+
+Reported-by: Huawei PSIRT
+Signed-off-by: Prasad J Pandit
+Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann
+---
+
+Notes:
+ CVE-2016-9921
+ CVE-2016-9922
+
+ hw/display/cirrus_vga.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 3d712d5..bdb092e 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ int32_t pitch, int32_t addr)
+ {
++ if (!pitch) {
++ return true;
++ }
+ if (pitch < 0) {
+ int64_t min = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch;
+@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+ s->cirrus_addr_mask));
+ }
+
+-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
++static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ {
+ int sx = 0, sy = 0;
+ int dx = 0, dy = 0;
+@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ int width, height;
+
+ depth = s->vga.get_bpp(&s->vga) / 8;
++ if (!depth) {
++ return 0;
++ }
+ s->vga.get_resolution(&s->vga, &width, &height);
+
+ /* extra x, y */
+@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
s->cirrus_blt_dstpitch, s->cirrus_blt_width,
+ s->cirrus_blt_height);
++
++ return 1;
+ }
+
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ if (blit_is_unsafe(s))
+ return 0;
+
+- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
++ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+ s->cirrus_blt_srcaddr - s->vga.start_addr,
+ s->cirrus_blt_width, s->cirrus_blt_height);
+-
+- return 1;
+ }
+
+ /***************************************
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index bc87c7a..f868c7e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -77,3 +77,15 @@ extra/CVE-2016-9105-9pfs-fix-memory-leak-in-v9fs_link.patch
 extra/CVE-2016-9102-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
 extra/CVE-2016-9106-9pfs-fix-memory-leak-in-v9fs_write.patch
 extra/CVE-2016-9104-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
+extra/CVE-2016-9776-net-mcf-check-receive-buffer-size-register-value.patch
+extra/CVE-2016-9845-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
+extra/CVE-2016-9846-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
+extra/CVE-2016-9907-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
+extra/CVE-2016-9908-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
+extra/CVE-2016-9911-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
+extra/CVE-2016-9912-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
+extra/CVE-2016-9913-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
+extra/CVE-2016-9914-9pfs-add-cleanup-operation-in-FileOperations.patch
+extra/CVE-2016-9915-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
+extra/CVE-2016-9916-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
+extra/CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
--
2.39.2
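Review bot: `cirrus_do_copy` changes from void to int in the embedded hw/display/cirrus_vga.c patch (the `++static int cirrus_do_copy(...)` line), but neither return value is documented at the definition: the new `return 0` fires when `depth` computed from `get_bpp` is zero, `return 1` follows a completed copy, and `cirrus_bitblt_videotovideo_copy` now hands that value straight back to its caller as the blit result. I would put above the signature: `/* Returns 1 when the copy was performed, 0 when bpp is 0 (plain VGA mode) and nothing was copied. */`. Likewise the new `if (!pitch)` early exit in blit_region_is_unsafe would read better with `/* a zero pitch would make the region bounds below degenerate */` so the next reader does not take it for a stray guard. The body of cirrus_do_copy between the hunks, and the callers that consume the videotovideo_copy result, are outside this patch.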