qemu: Secuirty fix for CVE-2016-5403

affects qemu < 2.7.0-rc0 (From OE-Core rev: c53820180cdccd97de1f314078570fac1ff16052) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-09-19 20:01:16 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-23 15:27:06 +0100
commit: 76aa0c3d5d99661ccc0272257899ad0df21f445a (patch)
tree: 64e65d32b9293cf10e701eb97c6a8a8ae4a3c400 /meta/recipes-devtools/qemu
parent: 11c8c8aa155f134679fe0d2a12a8943a8d6b8c05 (diff)
download: poky-76aa0c3d5d99661ccc0272257899ad0df21f445a.tar.gz
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
new file mode 100644
index 0000000000..fe084f5b08
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
@@ -0,0 +1,67 @@
+From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 19 Jul 2016 13:07:13 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+A broken or malicious guest can submit more requests than the virtqueue
+size permits, causing unbounded memory allocation in QEMU.
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is not allowed by the
+VIRTIO 1.0 specification.
+In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
+says:
+  1. The driver places the buffer into free descriptor(s) in the
+     descriptor table, chaining as necessary
+and
+  Note that the above code does not take precautions against the
+  available ring buffer wrapping around: this is not possible since the
+  ring buffer is the same size as the descriptor table, so step (1) will
+  prevent such a condition.
+This implies that placing more buffers into the virtqueue than the
+descriptor table size is not allowed.
+QEMU is missing the check to prevent this case.  Processing a request
+allocates a VirtQueueElement leading to unbounded memory allocation
+controlled by the guest.
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
+Marvel Team, China.
+Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2106-5403
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
+++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ 
+     max = vq->vring.num;
+ 
+    if (vq->inuse >= vq->vring.num) {
+        error_report("Virtqueue size exceeded");
+        exit(1);
+    }
+
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
+         vring_set_avail_event(vq, vq->last_avail_idx);
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 0ffec9889c..ed8d911ea6 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://CVE-2016-6351_p1.patch \
            file://CVE-2016-6351_p2.patch \
            file://CVE-2016-4002.patch \
+            file://CVE-2016-5403.patch \
           "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
author	Armin Kuster <akuster@mvista.com>	2016-09-19 20:01:16 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-09-23 15:27:06 +0100
commit	76aa0c3d5d99661ccc0272257899ad0df21f445a (patch)
tree	64e65d32b9293cf10e701eb97c6a8a8ae4a3c400 /meta/recipes-devtools/qemu
parent	11c8c8aa155f134679fe0d2a12a8943a8d6b8c05 (diff)
download	poky-76aa0c3d5d99661ccc0272257899ad0df21f445a.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch new file mode 100644 index 0000000000..fe084f5b08 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
@@ -0,0 +1,67 @@
		1	From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
		2	From: Stefan Hajnoczi <stefanha@redhat.com>
		3	Date: Tue, 19 Jul 2016 13:07:13 +0100
		4	Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
		5
		6	A broken or malicious guest can submit more requests than the virtqueue
		7	size permits, causing unbounded memory allocation in QEMU.
		8
		9	The guest can submit requests without bothering to wait for completion
		10	and is therefore not bound by virtqueue size. This requires reusing
		11	vring descriptors in more than one request, which is not allowed by the
		12	VIRTIO 1.0 specification.
		13
		14	In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
		15	says:
		16
		17	1. The driver places the buffer into free descriptor(s) in the
		18	descriptor table, chaining as necessary
		19
		20	and
		21
		22	Note that the above code does not take precautions against the
		23	available ring buffer wrapping around: this is not possible since the
		24	ring buffer is the same size as the descriptor table, so step (1) will
		25	prevent such a condition.
		26
		27	This implies that placing more buffers into the virtqueue than the
		28	descriptor table size is not allowed.
		29
		30	QEMU is missing the check to prevent this case. Processing a request
		31	allocates a VirtQueueElement leading to unbounded memory allocation
		32	controlled by the guest.
		33
		34	Exit with an error if the guest provides more requests than the
		35	virtqueue size permits. This bounds memory allocation and makes the
		36	buggy guest visible to the user.
		37
		38	This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
		39	Marvel Team, China.
		40
		41	Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
		42	Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
		43
		44	Upstream-Status: Backport
		45	CVE: CVE-2106-5403
		46	Signed-off-by: Armin Kuster <akuster@mvista.com>
		47
		48	---
		49	hw/virtio/virtio.c \| 5 +++++
		50	1 file changed, 5 insertions(+)
		51
		52	Index: qemu-2.4.0/hw/virtio/virtio.c
		53	===================================================================
		54	--- qemu-2.4.0.orig/hw/virtio/virtio.c
		55	+++ qemu-2.4.0/hw/virtio/virtio.c
		56	@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
		57
		58	max = vq->vring.num;
		59
		60	+ if (vq->inuse >= vq->vring.num) {
		61	+ error_report("Virtqueue size exceeded");
		62	+ exit(1);
		63	+ }
		64	+
		65	i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
		66	if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
		67	vring_set_avail_event(vq, vq->last_avail_idx);


diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb index 0ffec9889c..ed8d911ea6 100644 --- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
25	file://CVE-2016-6351_p1.patch \	25	file://CVE-2016-6351_p1.patch \
26	file://CVE-2016-6351_p2.patch \	26	file://CVE-2016-6351_p2.patch \
27	file://CVE-2016-4002.patch \	27	file://CVE-2016-4002.patch \
		28	file://CVE-2016-5403.patch \
28	"	29	"
29	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	30	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
30	SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"	31	SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"