From c190b396d5d2b0ce2caabf7366f3b08546187f11 Mon Sep 17 00:00:00 2001 From: Tudor Florea Date: Tue, 7 Jul 2015 00:29:37 +0200 Subject: qemu: fixed multiple CVEs CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access CVE-2014-5263, missing field list terminator in vmstate_xhci_event CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle functions CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea
---
 .../qemu/qemu/fdc-CVE-2015-3456.patch | 87 ++++++++++++++++++++++
 .../qemu/vmstate_xhci_event-CVE-2014-5263.patch | 53 +++++++++++++
 .../qemu/qemu/vmware-vga-CVE-2014-3689.patch | 41 ++++++++++
 .../qemu/qemu/vnc-CVE-2014-7815.patch | 51 +++++++++++++
 meta/recipes-devtools/qemu/qemu_1.7.2.bb | 6 +-
 5 files changed, 237 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
diff --git a/meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch
new file mode 100644
index 0000000000..751949dcb4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/fdc-CVE-2015-3456.patch
@@ -0,0 +1,87 @@
+From 46aa72e4466d3a58dcea2c8b3cce48c053cd108f Mon Sep 17 00:00:00 2001
+From: Petr Matousek
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
+ buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek
+Reviewed-by: John Snow
+Signed-off-by: John Snow
+Signed-off-by: Sona Sarmadi
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index c5a6c21..2552fb1 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1440,7 +1440,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1449,8 +1449,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1794,10 +1794,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1897,7 +1900,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1945,7 +1948,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
new file mode 100644
index 0000000000..ef70c16423
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
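Review bot: None of the three new `pos %= FD_SECTOR_LEN` clamps (fdctrl_read_data, fdctrl_handle_drive_specification_command, fdctrl_write_data) says why the index is reduced, so a later cleanup could move the modulo back under the FD_MSR_NONDMA branch and reopen the out-of-bounds fifo access the patch closes. In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1` wraps when data_pos is 0; the modulo still keeps the index inside the buffer, but the code then tests a stale fifo byte rather than treating it as a malformed command, and whether data_pos can be 0 on that path is not visible in this hunk. A comment at the first clamp would keep the rationale next to the code, e.g. `/* data_pos is guest-influenced: keep every fifo index inside the FD_SECTOR_LEN-byte buffer (CVE-2015-3456) */`, on the assumption the modulus matches the fifo's allocated size as the patch title states. Each of the three patched functions starts or ends outside its hunk.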
@@ -0,0 +1,53 @@
+From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek
+Date: Tue, 22 Jul 2014 17:26:41 +0200
+Subject: [PATCH] vmstate_xhci_event: fix unterminated field list
+
+"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
+migration support"), and first released in v1.6.0. The field list in this
+VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
+
+During normal use (ie. migration), the issue is practically invisible,
+because the "vmstate_xhci_event" object (with the unterminated field list)
+is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
+returns true, for the "ev_buffer" test. Since that field_exists() check
+(apparently) almost always returns false, we almost never traverse
+"vmstate_xhci_event" during migration, which hides the bug.
+
+However, Amit's vmstate checker forces recursion into this VMSD as well,
+and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
+check (field->name != NULL) in dump_vmstate_vmsd(). The result is
+undefined behavior, which in my case translates to infinite recursion
+(because the loop happens to overflow into "vmstate_xhci_intr", which then
+links back to "vmstate_xhci_event").
+
+Add the missing terminator.
+
+Fixes CVE-2014-5263.
+Upstream-Status: Backport
+
+Signed-off-by: Laszlo Ersek
+Reviewed-by: Amit Shah
+Reviewed-by: Paolo Bonzini
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell
+Signed-off-by: Sona Sarmadi
+---
+ hw/usb/hcd-xhci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 835f65e..745617e 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = {
+ VMSTATE_UINT32(flags, XHCIEvent),
+ VMSTATE_UINT8(slotid, XHCIEvent),
+ VMSTATE_UINT8(epid, XHCIEvent),
++ VMSTATE_END_OF_LIST()
+ }
+ };
+
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch b/meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch
new file mode 100644
index 0000000000..74cf8465ce
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmware-vga-CVE-2014-3689.patch
@@ -0,0 +1,41 @@
+From 56b6131a153668bbb77e1b9b7e86379c41f8fdf9 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 6 Oct 2014 11:42:34 +0200
+Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel
+
+Quick & easy stopgap for CVE-2014-3689: We just compile out the
+hardware acceleration functions which lack sanity checks. Thankfully
+we have capability bits for them (SVGA_CAP_RECT_COPY and
+SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
+
+Subsequent patches will add the missing checks and re-enable the
+hardware acceleration emulation.
+
+Upstream-Status: Backport
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Don Koch
+Signed-off-by: Sona Sarmadi
+---
+ hw/display/vmware_vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index a6a8cdc..113ce1f 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -27,8 +27,10 @@
+ #include "hw/pci/pci.h"
+
+ #undef VERBOSE
++#if 0
+ #define HW_RECT_ACCEL
+ #define HW_FILL_ACCEL
++#endif
+ #define HW_MOUSE_ACCEL
+
+ #include "vga_int.h"
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
new file mode 100644
index 0000000000..cf90984f6a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
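Review bot: The bare `#if 0` around `HW_RECT_ACCEL` and `HW_FILL_ACCEL` in vmware_vga.c gives no reason for disabling them, so a routine dead-code cleanup or a contributor wanting rect acceleration back can re-enable the defines without the parameter checks the commit message says are still missing. A one-line comment on the `#if 0` keeps the rationale with the code: `/* CVE-2014-3689: rect copy/fill emulation lacks bounds checks on guest-supplied rectangles; keep disabled until the upstream checks are backported */`. Since this recipe carries only the stopgap and not the follow-up patches the message refers to, that comment is the only marker a maintainer has that the acceleration paths are intentionally compiled out.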
@@ -0,0 +1,51 @@
+From e6908bfe8e07f2b452e78e677da1b45b1c0f6829 Mon Sep 17 00:00:00 2001
+From: Petr Matousek
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+
+This is CVE-2014-7815.
+
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek
+
+[ kraxel: apply codestyle fix ]
+
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Sona Sarmadi
+---
+ ui/vnc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 0fe6eff..8bca597 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+ return;
+ }
+
++ switch (bits_per_pixel) {
++ case 8:
++ case 16:
++ case 32:
++ break;
++ default:
++ vnc_client_error(vs);
++ return;
++ }
++
+ vs->client_pf.rmax = red_max;
+ vs->client_pf.rbits = hweight_long(red_max);
+ vs->client_pf.rshift = red_shift;
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_1.7.2.bb b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
index 60a7937219..c3c6d3652d 100644
--- a/meta/recipes-devtools/qemu/qemu_1.7.2.bb
+++ b/meta/recipes-devtools/qemu/qemu_1.7.2.bb
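Review bot: The new `switch (bits_per_pixel)` in set_pixel_format rejects everything but 8, 16 and 32 without saying why those three, so the reader has to dig out the commit message to learn that a client value below 8 makes the derived bytes_per_pixel zero and leaves the client buffers uninitialised. A comment above the switch keeps the contract with the check: `/* RFB permits only 8/16/32 bpp; smaller values make bytes_per_pixel 0 and leave client buffers uninitialised (CVE-2014-7815) */`. The check runs after an earlier early return whose condition is outside the hunk, so whether it also covers the per-channel max/shift values passed in is not visible here; the rest of set_pixel_format, including its parameter list, lies outside the hunk.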
@@ -7,7 +7,11 @@ SRC_URI += "file://fxrstorssefix.patch \
 file://qemu-enlarge-env-entry-size.patch \
 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
 file://ide-CVE-2014-2894.patch \
- file://slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch"
+ file://slirp-udp-NULL-pointer-dereference-CVE-2014-3640.patch \
+ file://vmware-vga-CVE-2014-3689.patch \
+ file://vmstate_xhci_event-CVE-2014-5263.patch \
+ file://vnc-CVE-2014-7815.patch \
+ file://fdc-CVE-2015-3456.patch"

 SRC_URI_prepend = "http://wiki.qemu.org/download/qemu-${PV}.tar.bz2"
 SRC_URI[md5sum] = "a52e0acd37b0c9b06228fe98da0b1b43"
--
cgit v1.2.3-54-g00ecf