From c190b396d5d2b0ce2caabf7366f3b08546187f11 Mon Sep 17 00:00:00 2001 From: Tudor Florea Date: Tue, 7 Jul 2015 00:29:37 +0200 Subject: qemu: fixed multiple CVEs CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access CVE-2014-5263, missing field list terminator in vmstate_xhci_event CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle functions CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- .../qemu/vmstate_xhci_event-CVE-2014-5263.patch | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch (limited to 'meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch') diff --git a/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch new file mode 100644 index 0000000000..ef70c16423 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch @@ -0,0 +1,53 @@ +From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 22 Jul 2014 17:26:41 +0200 +Subject: [PATCH] vmstate_xhci_event: fix unterminated field list + +"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live +migration support"), and first released in v1.6.0. The field list in this +VMSD is not terminated with the VMSTATE_END_OF_LIST() macro. + +During normal use (ie. migration), the issue is practically invisible, +because the "vmstate_xhci_event" object (with the unterminated field list) +is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full() +returns true, for the "ev_buffer" test. Since that field_exists() check +(apparently) almost always returns false, we almost never traverse +"vmstate_xhci_event" during migration, which hides the bug. + +However, Amit's vmstate checker forces recursion into this VMSD as well, +and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator +check (field->name != NULL) in dump_vmstate_vmsd(). The result is +undefined behavior, which in my case translates to infinite recursion +(because the loop happens to overflow into "vmstate_xhci_intr", which then +links back to "vmstate_xhci_event"). + +Add the missing terminator. + +Fixes CVE-2014-5263. +Upstream-Status: Backport + +Signed-off-by: Laszlo Ersek +Reviewed-by: Amit Shah +Reviewed-by: Paolo Bonzini +Cc: qemu-stable@nongnu.org +Signed-off-by: Peter Maydell +Signed-off-by: Sona Sarmadi +--- + hw/usb/hcd-xhci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 835f65e..745617e 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = { + VMSTATE_UINT32(flags, XHCIEvent), + VMSTATE_UINT8(slotid, XHCIEvent), + VMSTATE_UINT8(epid, XHCIEvent), ++ VMSTATE_END_OF_LIST() + } + }; + +-- +1.9.1 + -- cgit v1.2.3-54-g00ecf