From 90f204043b646be0a6d5001e147735978d156d5c Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Thu, 28 Apr 2016 11:23:31 -0700
Subject: qemu: Security fix CVE-2016-2858

(From OE-Core rev: 48909052e7b19ba108ee7813c1efdbed0c2e06ab)

Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
 .../recipes-devtools/qemu/qemu/CVE-2016-2858.patch | 183 +++++++++++++++++++++
 1 file changed, 183 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
(limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch')
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
new file mode 100644
index 0000000000..d5395e6152
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
@@ -0,0 +1,183 @@
+From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek
+Date: Thu, 3 Mar 2016 09:37:18 +0100
+Subject: [PATCH] rng: add request queue support to rng-random
+
+Requests are now created in the RngBackend parent class and the
+code path is shared by both rng-egd and rng-random.
+
+This commit fixes the rng-random implementation which processed
+only one request at a time and simply discarded all but the most
+recent one. In the guest this manifested as delayed completion
+of reads from virtio-rng, i.e. a read was completed only after
+another read was issued.
+
+By switching rng-random to use the same request queue as rng-egd,
+the unsafe stack-based allocation of the entropy buffer is
+eliminated and replaced with g_malloc.
+
+Signed-off-by: Ladi Prosek
+Reviewed-by: Amit Shah
+Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah
+
+Upstream-Status: Backport
+CVE: CVE-2016-2858
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475
+Signed-off-by: Armin Kuster
+
+---
+ backends/rng-egd.c | 16 ++--------------
+ backends/rng-random.c | 43 +++++++++++++++++++------------------------
+ backends/rng.c | 13 ++++++++++++-
+ include/sysemu/rng.h | 3 +--
+ 4 files changed, 34 insertions(+), 41 deletions(-)
+
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
++++ qemu-2.5.0/backends/rng-egd.c
+@@ -26,20 +26,10 @@ typedef struct RngEgd
+ char *chr_name;
+ } RngEgd;
+
+-static void rng_egd_request_entropy(RngBackend *b, size_t size,
+- EntropyReceiveFunc *receive_entropy,
+- void *opaque)
++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
+ {
+ RngEgd *s = RNG_EGD(b);
+- RngRequest *req;
+-
+- req = g_malloc(sizeof(*req));
+-
+- req->offset = 0;
+- req->size = size;
+- req->receive_entropy = receive_entropy;
+- req->opaque = opaque;
+- req->data = g_malloc(req->size);
++ size_t size = req->size;
+
+ while (size > 0) {
+ uint8_t header[2];
+@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngB
+
+ size -= len;
+ }
+-
+- s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+ static int rng_egd_chr_can_read(void *opaque)
+Index: qemu-2.5.0/backends/rng-random.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-random.c
++++ qemu-2.5.0/backends/rng-random.c
+@@ -21,10 +21,6 @@ struct RndRandom
+
+ int fd;
+ char *filename;
+-
+- EntropyReceiveFunc *receive_func;
+- void *opaque;
+- size_t size;
+ };
+
+ /**
+@@ -37,36 +33,35 @@ struct RndRandom
+ static void entropy_available(void *opaque)
+ {
+ RndRandom *s = RNG_RANDOM(opaque);
+- uint8_t buffer[s->size];
+- ssize_t len;
+
+- len = read(s->fd, buffer, s->size);
+- if (len < 0 && errno == EAGAIN) {
+- return;
+- }
+- g_assert(len != -1);
++ while (s->parent.requests != NULL) {
++ RngRequest *req = s->parent.requests->data;
++ ssize_t len;
++
++ len = read(s->fd, req->data, req->size);
++ if (len < 0 && errno == EAGAIN) {
++ return;
++ }
++ g_assert(len != -1);
++
++ req->receive_entropy(req->opaque, req->data, len);
+
+- s->receive_func(s->opaque, buffer, len);
+- s->receive_func = NULL;
++ rng_backend_finalize_request(&s->parent, req);
++ }
+
++ /* We've drained all requests, the fd handler can be reset. */
+ qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
+ }
+
+-static void rng_random_request_entropy(RngBackend *b, size_t size,
+- EntropyReceiveFunc *receive_entropy,
+- void *opaque)
++static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
+ {
+ RndRandom *s = RNG_RANDOM(b);
+
+- if (s->receive_func) {
+- s->receive_func(s->opaque, NULL, 0);
++ if (s->parent.requests == NULL) {
++ /* If there are no pending requests yet, we need to
++ * install our fd handler. */
++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+-
+- s->receive_func = receive_entropy;
+- s->opaque = opaque;
+- s->size = size;
+-
+- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+
+ static void rng_random_opened(RngBackend *b, Error **errp)
+Index: qemu-2.5.0/backends/rng.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng.c
++++ qemu-2.5.0/backends/rng.c
+@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBack
+ void *opaque)
+ {
+ RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
++ RngRequest *req;
+
+ if (k->request_entropy) {
+- k->request_entropy(s, size, receive_entropy, opaque);
++ req = g_malloc(sizeof(*req));
++
++ req->offset = 0;
++ req->size = size;
++ req->receive_entropy = receive_entropy;
++ req->opaque = opaque;
++ req->data = g_malloc(req->size);
++
++ k->request_entropy(s, req);
++
++ s->requests = g_slist_append(s->requests, req);
+ }
+ }
+
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
++++ qemu-2.5.0/include/sysemu/rng.h
+@@ -46,8 +46,7 @@ struct RngBackendClass
+ {
+ ObjectClass parent_class;
+
+- void (*request_entropy)(RngBackend *s, size_t size,
+- EntropyReceiveFunc *receive_entropy, void *opaque);
++ void (*request_entropy)(RngBackend *s, RngRequest *req);
+
+ void (*opened)(RngBackend *s, Error **errp);
+ };
--
cgit v1.2.3-54-g00ecf
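Review bot: The upstream reference line in the new patch header carries a truncated commit id, `h=60253ed1e6ec6d8e5ef2efe7bf755f475`, whereas the From line of the same patch gives the full `60253ed1e6ec6d8e5ef2efe7bf755f475dce9956`; a CVE backport is exactly where a reviewer will want to re-fetch and compare the upstream commit, so the URL line should read `http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475dce9956`. In the backported rng-random.c hunk the new `entropy_available` loop keeps `g_assert(len != -1)` from the replaced code, so a read() failure other than EAGAIN (presumably EINTR or an I/O error on the configured source file) still aborts the whole QEMU process rather than failing just that request; that is upstream's behaviour and not for this backport to alter, but the recipe commit message should state that the fix addresses only the stack VLA and the dropped-request behaviour. In the rng.c hunk the request is appended to `s->requests` only after `k->request_entropy(s, req)` returns, which is what lets the `s->parent.requests == NULL` test in `rng_random_request_entropy` install the fd handler for the first request; a comment on the `g_slist_append` line such as `/* appended after the backend call: a backend sees an empty queue for the first request */` would make that ordering dependency explicit. The signature of `rng_backend_request_entropy` begins outside that inner hunk.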