qemu: ui: vnc: CVE-2015-5225

Fixes heap memory corruption in vnc_refresh_server_surface. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5225 Reference to upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-05-02 09:33:24 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2016-05-03 16:05:46 +0200
commit: 3291d1de776eb008e665746f93a65aa90f8750ce (patch)
tree: 4c22931054b90d7e0a719a33c422efd1c4390988 /meta
parent: d3d0c7af34b996b4518b26d4f3b4eff831a651af (diff)
download: poky-3291d1de776eb008e665746f93a65aa90f8750ce.tar.gz
2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch
new file mode 100644
index 0000000000..262c2b9871
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch
@@ -0,0 +1,88 @@
+From efec4dcd2552e85ed57f276b58f09fc385727450 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 17 Aug 2015 19:56:53 +0200
+Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
+memory corruption issues" can become negative.  Result is (possibly
+exploitable) memory corruption.  Reason for that is it uses the stride
+instead of bytes per scanline to apply limits.
+For the server surface is is actually fine.  vnc creates that itself,
+there is never any padding and thus scanline length always equals stride.
+For the guest surface scanline length and stride are typically identical
+too, but it doesn't has to be that way.  So add and use a new variable
+(guest_ll) for the guest scanline length.  Also rename min_stride to
+line_bytes to make more clear what it actually is.  Finally sprinkle
+in an assert() to make sure we never use a negative _cmp_bytes again.
+CVE: CVE-2015-5225
+Upstream-Status: Backport
+Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
+Reviewed-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ui/vnc.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+diff --git a/ui/vnc.c b/ui/vnc.c
+index e26973a..caf82f5 100644
+--- a/ui/vnc.c
+++ b/ui/vnc.c
+@@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+                     pixman_image_get_width(vd->server));
+     int height = MIN(pixman_image_get_height(vd->guest.fb),
+                      pixman_image_get_height(vd->server));
+-    int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
+    int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
+     uint8_t *guest_row0 = NULL, *server_row0;
+     VncState *vs;
+     int has_dirty = 0;
+@@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+      * Update server dirty map.
+      */
+     server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
+-    server_stride = guest_stride = pixman_image_get_stride(vd->server);
+    server_stride = guest_stride = guest_ll =
+        pixman_image_get_stride(vd->server);
+     cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
+                     server_stride);
+     if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+         int width = pixman_image_get_width(vd->server);
+         tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+     } else {
+        int guest_bpp =
+            PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
+         guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+         guest_stride = pixman_image_get_stride(vd->guest.fb);
+        guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
+     }
+-    min_stride = MIN(server_stride, guest_stride);
+    line_bytes = MIN(server_stride, guest_ll);
+ 
+     for (;;) {
+         int x;
+@@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+             if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
+                 continue;
+             }
+-            if ((x + 1) * cmp_bytes > min_stride) {
+-                _cmp_bytes = min_stride - x * cmp_bytes;
+            if ((x + 1) * cmp_bytes > line_bytes) {
+                _cmp_bytes = line_bytes - x * cmp_bytes;
+             }
+            assert(_cmp_bytes >= 0);
+             if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
+                 continue;
+             }
+-- 
+1.9.1
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
index 8d47b16e64..444fb02e47 100644
--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -20,6 +20,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://CVE-2015-7295_3.patch \
            file://CVE-2016-2197.patch \
            file://CVE-2016-2198.patch \
+            file://vnc-CVE-2015-5225.patch \
           "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-05-02 09:33:24 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2016-05-03 16:05:46 +0200
commit	3291d1de776eb008e665746f93a65aa90f8750ce (patch)
tree	4c22931054b90d7e0a719a33c422efd1c4390988 /meta
parent	d3d0c7af34b996b4518b26d4f3b4eff831a651af (diff)
download	poky-3291d1de776eb008e665746f93a65aa90f8750ce.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch new file mode 100644 index 0000000000..262c2b9871 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch
@@ -0,0 +1,88 @@
		1	From efec4dcd2552e85ed57f276b58f09fc385727450 Mon Sep 17 00:00:00 2001
		2	From: Gerd Hoffmann <kraxel@redhat.com>
		3	Date: Mon, 17 Aug 2015 19:56:53 +0200
		4	Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
		10	memory corruption issues" can become negative. Result is (possibly
		11	exploitable) memory corruption. Reason for that is it uses the stride
		12	instead of bytes per scanline to apply limits.
		13
		14	For the server surface is is actually fine. vnc creates that itself,
		15	there is never any padding and thus scanline length always equals stride.
		16
		17	For the guest surface scanline length and stride are typically identical
		18	too, but it doesn't has to be that way. So add and use a new variable
		19	(guest_ll) for the guest scanline length. Also rename min_stride to
		20	line_bytes to make more clear what it actually is. Finally sprinkle
		21	in an assert() to make sure we never use a negative _cmp_bytes again.
		22
		23	CVE: CVE-2015-5225
		24	Upstream-Status: Backport
		25
		26	Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
		27	Reviewed-by: P J P <ppandit@redhat.com>
		28	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		29	(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
		30	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
		31	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		32	---
		33	ui/vnc.c \| 15 ++++++++++-----
		34	1 file changed, 10 insertions(+), 5 deletions(-)
		35
		36	diff --git a/ui/vnc.c b/ui/vnc.c
		37	index e26973a..caf82f5 100644
		38	--- a/ui/vnc.c
		39	+++ b/ui/vnc.c
		40	@@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
		41	pixman_image_get_width(vd->server));
		42	int height = MIN(pixman_image_get_height(vd->guest.fb),
		43	pixman_image_get_height(vd->server));
		44	- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
		45	+ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
		46	uint8_t guest_row0 = NULL, server_row0;
		47	VncState *vs;
		48	int has_dirty = 0;
		49	@@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
		50	* Update server dirty map.
		51	*/
		52	server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
		53	- server_stride = guest_stride = pixman_image_get_stride(vd->server);
		54	+ server_stride = guest_stride = guest_ll =
		55	+ pixman_image_get_stride(vd->server);
		56	cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
		57	server_stride);
		58	if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
		59	int width = pixman_image_get_width(vd->server);
		60	tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
		61	} else {
		62	+ int guest_bpp =
		63	+ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
		64	guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
		65	guest_stride = pixman_image_get_stride(vd->guest.fb);
		66	+ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
		67	}
		68	- min_stride = MIN(server_stride, guest_stride);
		69	+ line_bytes = MIN(server_stride, guest_ll);
		70
		71	for (;;) {
		72	int x;
		73	@@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
		74	if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
		75	continue;
		76	}
		77	- if ((x + 1) * cmp_bytes > min_stride) {
		78	- _cmp_bytes = min_stride - x * cmp_bytes;
		79	+ if ((x + 1) * cmp_bytes > line_bytes) {
		80	+ _cmp_bytes = line_bytes - x * cmp_bytes;
		81	}
		82	+ assert(_cmp_bytes >= 0);
		83	if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
		84	continue;
		85	}
		86	--
		87	1.9.1
		88


diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb index 8d47b16e64..444fb02e47 100644 --- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -20,6 +20,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
20	file://CVE-2015-7295_3.patch \	20	file://CVE-2015-7295_3.patch \
21	file://CVE-2016-2197.patch \	21	file://CVE-2016-2197.patch \
22	file://CVE-2016-2198.patch \	22	file://CVE-2016-2198.patch \
		23	file://vnc-CVE-2015-5225.patch \
23	"	24	"
24	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	25	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
25	SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"	26	SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"