qemu: Security fix CVE-2016-4952

affects qemu < 2.7.0 Quick Emulator(Qemu) built with the VMWARE PVSCSI paravirtual SCSI bus emulation support is vulnerable to an OOB r/w access issue. It could occur while processing SCSI commands 'PVSCSI_CMD_SETUP_RINGS' or 'PVSCSI_CMD_SETUP_MSG_RING'. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS. References: ---------- http://www.openwall.com/lists/oss-security/2016/05/23/1 Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Adrian Dudau <adrian.dudau@enea.com> 2016-11-03 14:18:01 +0100
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2017-02-10 12:21:36 +0100
commit: 10bef78e2135fb191166e3893cc4a1326deede8c (patch)
tree: 6a043f57ba9b01189c4eca279b88ebef21a51219
parent: ad13ebb1a522389441b526ddf11301761e7c3938 (diff)
download: poky-10bef78e2135fb191166e3893cc4a1326deede8c.tar.gz
2 files changed, 106 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch
new file mode 100644
index 0000000000..52d2a1e3d0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch
@@ -0,0 +1,105 @@
+From 3e831b40e015ba34dfb55ff11f767001839425ff Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 23 May 2016 16:18:05 +0530
+Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
+Vmware Paravirtual SCSI emulation uses command descriptors to
+process SCSI commands. These descriptors come with their ring
+buffers. A guest could set the ring buffer size to an arbitrary
+value leading to OOB access issue. Add check to avoid it.
+Upstream-Status: Backported
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
+Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+ hw/scsi/vmw_pvscsi.c |   24 ++++++++++++++++++++----
+ 1 files changed, 20 insertions(+), 4 deletions(-)
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index f67b5bf..2d7528d 100644
+--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
+@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
+     return log;
+ }
+ 
+-static void
+static int
+ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ {
+     int i;
+@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+     uint32_t req_ring_size, cmp_ring_size;
+     m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
+ 
+    if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
+        || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
+        return -1;
+    }
+     req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+     cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
+     txr_len_log2 = pvscsi_log2(req_ring_size - 1);
+@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ 
+     /* Flush ring state page changes */
+     smp_wmb();
+
+    return 0;
+ }
+ 
+-static void
+static int
+ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ {
+     int i;
+     uint32_t len_log2;
+     uint32_t ring_size;
+ 
+    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+        return -1;
+    }
+     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+     len_log2 = pvscsi_log2(ring_size - 1);
+ 
+@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ 
+     /* Flush ring state page changes */
+     smp_wmb();
+
+    return 0;
+ }
+ 
+ static void
+@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
+     trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+ 
+     pvscsi_dbg_dump_tx_rings_config(rc);
+-    pvscsi_ring_init_data(&s->rings, rc);
+    if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
+        return PVSCSI_COMMAND_PROCESSING_FAILED;
+    }
+
+     s->rings_info_valid = TRUE;
+     return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
+ }
+@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
+     }
+ 
+     if (s->rings_info_valid) {
+-        pvscsi_ring_init_msg(&s->rings, rc);
+        if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
+            return PVSCSI_COMMAND_PROCESSING_FAILED;
+        }
+         s->msg_ring_info_valid = TRUE;
+     }
+     return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
+-- 
+1.7.0.4
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 58902b1988..b965f6916c 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -27,6 +27,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://CVE-2016-4002.patch \
            file://CVE-2016-5403.patch \
            file://CVE-2016-4441.patch \
+            file://CVE-2016-4952.patch \
           "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
author	Adrian Dudau <adrian.dudau@enea.com>	2016-11-03 14:18:01 +0100
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2017-02-10 12:21:36 +0100
commit	10bef78e2135fb191166e3893cc4a1326deede8c (patch)
tree	6a043f57ba9b01189c4eca279b88ebef21a51219
parent	ad13ebb1a522389441b526ddf11301761e7c3938 (diff)
download	poky-10bef78e2135fb191166e3893cc4a1326deede8c.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch new file mode 100644 index 0000000000..52d2a1e3d0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch
@@ -0,0 +1,105 @@
		1	From 3e831b40e015ba34dfb55ff11f767001839425ff Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Mon, 23 May 2016 16:18:05 +0530
		4	Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
		5
		6	Vmware Paravirtual SCSI emulation uses command descriptors to
		7	process SCSI commands. These descriptors come with their ring
		8	buffers. A guest could set the ring buffer size to an arbitrary
		9	value leading to OOB access issue. Add check to avoid it.
		10
		11	Upstream-Status: Backported
		12
		13	Reported-by: Li Qiang <liqiang6-s@360.cn>
		14	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		15	Cc: qemu-stable@nongnu.org
		16	Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
		17	Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
		18	Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
		19	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		20	Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
		21	---
		22	hw/scsi/vmw_pvscsi.c \| 24 ++++++++++++++++++++----
		23	1 files changed, 20 insertions(+), 4 deletions(-)
		24
		25	diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
		26	index f67b5bf..2d7528d 100644
		27	--- a/hw/scsi/vmw_pvscsi.c
		28	+++ b/hw/scsi/vmw_pvscsi.c
		29	@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
		30	return log;
		31	}
		32
		33	-static void
		34	+static int
		35	pvscsi_ring_init_data(PVSCSIRingInfo m, PVSCSICmdDescSetupRings ri)
		36	{
		37	int i;
		38	@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo m, PVSCSICmdDescSetupRings ri)
		39	uint32_t req_ring_size, cmp_ring_size;
		40	m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
		41
		42	+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
		43	+ \|\| (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
		44	+ return -1;
		45	+ }
		46	req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
		47	cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
		48	txr_len_log2 = pvscsi_log2(req_ring_size - 1);
		49	@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo m, PVSCSICmdDescSetupRings ri)
		50
		51	/* Flush ring state page changes */
		52	smp_wmb();
		53	+
		54	+ return 0;
		55	}
		56
		57	-static void
		58	+static int
		59	pvscsi_ring_init_msg(PVSCSIRingInfo m, PVSCSICmdDescSetupMsgRing ri)
		60	{
		61	int i;
		62	uint32_t len_log2;
		63	uint32_t ring_size;
		64
		65	+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
		66	+ return -1;
		67	+ }
		68	ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
		69	len_log2 = pvscsi_log2(ring_size - 1);
		70
		71	@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo m, PVSCSICmdDescSetupMsgRing ri)
		72
		73	/* Flush ring state page changes */
		74	smp_wmb();
		75	+
		76	+ return 0;
		77	}
		78
		79	static void
		80	@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
		81	trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
		82
		83	pvscsi_dbg_dump_tx_rings_config(rc);
		84	- pvscsi_ring_init_data(&s->rings, rc);
		85	+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
		86	+ return PVSCSI_COMMAND_PROCESSING_FAILED;
		87	+ }
		88	+
		89	s->rings_info_valid = TRUE;
		90	return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
		91	}
		92	@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
		93	}
		94
		95	if (s->rings_info_valid) {
		96	- pvscsi_ring_init_msg(&s->rings, rc);
		97	+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
		98	+ return PVSCSI_COMMAND_PROCESSING_FAILED;
		99	+ }
		100	s->msg_ring_info_valid = TRUE;
		101	}
		102	return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
		103	--
		104	1.7.0.4
		105


diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb index 58902b1988..b965f6916c 100644 --- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -27,6 +27,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
27	file://CVE-2016-4002.patch \	27	file://CVE-2016-4002.patch \
28	file://CVE-2016-5403.patch \	28	file://CVE-2016-5403.patch \
29	file://CVE-2016-4441.patch \	29	file://CVE-2016-4441.patch \
		30	file://CVE-2016-4952.patch \
30	"	31	"
31	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	32	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
32	SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"	33	SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"