* [krogoth][PATCH 1/2] qemu: Security fix CVE-2016-4439
@ 2016-11-03 13:18 Adrian Dudau
2016-11-03 13:18 ` [krogoth][PATCH 2/2] qemu: Security fix CVE-2016-4952 Adrian Dudau
2016-11-03 20:27 ` [krogoth][PATCH 1/2] qemu: Security fix CVE-2016-4439 Leonardo Sandoval
0 siblings, 2 replies; 3+ messages in thread
From: Adrian Dudau @ 2016-11-03 13:18 UTC (permalink / raw)
To: openembedded-core
affects qemu < 2.7.0
Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation
support is vulnerable to an OOB write access issue. The controller uses
16-byte FIFO buffer for command and data transfer. The OOB write occurs
while writing to this command buffer in routine get_cmd().
A privileged user inside guest could use this flaw to crash the Qemu
process resulting in DoS.
References:
----------
http://www.openwall.com/lists/oss-security/2016/05/19/4
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4441
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
.../recipes-devtools/qemu/qemu/CVE-2016-4441.patch | 78 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 +
2 files changed, 79 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
new file mode 100644
index 0000000..3cbe394
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
@@ -0,0 +1,78 @@
+From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 19 May 2016 16:09:31 +0530
+Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441)
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() uses DMA to read scsi commands into this buffer.
+Add check to validate DMA length against buffer size to avoid any
+overrun.
+
+Fixes CVE-2016-4441.
+
+Upstream-Status: Backport
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+ hw/scsi/esp.c | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 01497e6..591c817 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
+ }
+ }
+
+-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ {
+ uint32_t dmalen;
+ int target;
+@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+ dmalen = s->rregs[ESP_TCLO];
+ dmalen |= s->rregs[ESP_TCMID] << 8;
+ dmalen |= s->rregs[ESP_TCHI] << 16;
++ if (dmalen > buflen) {
++ return 0;
++ }
+ s->dma_memory_read(s->dma_opaque, buf, dmalen);
+ } else {
+ dmalen = s->ti_size;
+@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
+ s->dma_cb = handle_satn;
+ return;
+ }
+- len = get_cmd(s, buf);
++ len = get_cmd(s, buf, sizeof(buf));
+ if (len)
+ do_cmd(s, buf);
+ }
+@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
+ s->dma_cb = handle_s_without_atn;
+ return;
+ }
+- len = get_cmd(s, buf);
++ len = get_cmd(s, buf, sizeof(buf));
+ if (len) {
+ do_busid_cmd(s, buf, 0);
+ }
+@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
+ s->dma_cb = handle_satn_stop;
+ return;
+ }
+- s->cmdlen = get_cmd(s, s->cmdbuf);
++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
+ if (s->cmdlen) {
+ trace_esp_handle_satn_stop(s->cmdlen);
+ s->do_cmd = 1;
+--
+1.7.0.4
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index ed8d911..58902b1 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -26,6 +26,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://CVE-2016-6351_p2.patch \
file://CVE-2016-4002.patch \
file://CVE-2016-5403.patch \
+ file://CVE-2016-4441.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [krogoth][PATCH 2/2] qemu: Security fix CVE-2016-4952
2016-11-03 13:18 [krogoth][PATCH 1/2] qemu: Security fix CVE-2016-4439 Adrian Dudau
@ 2016-11-03 13:18 ` Adrian Dudau
2016-11-03 20:27 ` [krogoth][PATCH 1/2] qemu: Security fix CVE-2016-4439 Leonardo Sandoval
1 sibling, 0 replies; 3+ messages in thread
From: Adrian Dudau @ 2016-11-03 13:18 UTC (permalink / raw)
To: openembedded-core
affects qemu < 2.7.0
Quick Emulator(Qemu) built with the VMWARE PVSCSI paravirtual SCSI bus
emulation support is vulnerable to an OOB r/w access issue. It could
occur while processing SCSI commands 'PVSCSI_CMD_SETUP_RINGS' or
'PVSCSI_CMD_SETUP_MSG_RING'.
A privileged user inside guest could use this flaw to crash the Qemu
process resulting in DoS.
References:
----------
http://www.openwall.com/lists/oss-security/2016/05/23/1
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
.../recipes-devtools/qemu/qemu/CVE-2016-4952.patch | 105 +++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 +
2 files changed, 106 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch
new file mode 100644
index 0000000..52d2a1e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch
@@ -0,0 +1,105 @@
+From 3e831b40e015ba34dfb55ff11f767001839425ff Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 23 May 2016 16:18:05 +0530
+Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
+
+Vmware Paravirtual SCSI emulation uses command descriptors to
+process SCSI commands. These descriptors come with their ring
+buffers. A guest could set the ring buffer size to an arbitrary
+value leading to OOB access issue. Add check to avoid it.
+
+Upstream-Status: Backported
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
+Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+ hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
+ 1 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index f67b5bf..2d7528d 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
+ return log;
+ }
+
+-static void
++static int
+ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ {
+ int i;
+@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ uint32_t req_ring_size, cmp_ring_size;
+ m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
+
++ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
++ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
++ return -1;
++ }
+ req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+ cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
+ txr_len_log2 = pvscsi_log2(req_ring_size - 1);
+@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+
+ /* Flush ring state page changes */
+ smp_wmb();
++
++ return 0;
+ }
+
+-static void
++static int
+ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ {
+ int i;
+ uint32_t len_log2;
+ uint32_t ring_size;
+
++ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++ return -1;
++ }
+ ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+ len_log2 = pvscsi_log2(ring_size - 1);
+
+@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+
+ /* Flush ring state page changes */
+ smp_wmb();
++
++ return 0;
+ }
+
+ static void
+@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
+ trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+
+ pvscsi_dbg_dump_tx_rings_config(rc);
+- pvscsi_ring_init_data(&s->rings, rc);
++ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
++ return PVSCSI_COMMAND_PROCESSING_FAILED;
++ }
++
+ s->rings_info_valid = TRUE;
+ return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
+ }
+@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
+ }
+
+ if (s->rings_info_valid) {
+- pvscsi_ring_init_msg(&s->rings, rc);
++ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
++ return PVSCSI_COMMAND_PROCESSING_FAILED;
++ }
+ s->msg_ring_info_valid = TRUE;
+ }
+ return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
+--
+1.7.0.4
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 58902b1..b965f69 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -27,6 +27,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://CVE-2016-4002.patch \
file://CVE-2016-5403.patch \
file://CVE-2016-4441.patch \
+ file://CVE-2016-4952.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [krogoth][PATCH 1/2] qemu: Security fix CVE-2016-4439
2016-11-03 13:18 [krogoth][PATCH 1/2] qemu: Security fix CVE-2016-4439 Adrian Dudau
2016-11-03 13:18 ` [krogoth][PATCH 2/2] qemu: Security fix CVE-2016-4952 Adrian Dudau
@ 2016-11-03 20:27 ` Leonardo Sandoval
1 sibling, 0 replies; 3+ messages in thread
From: Leonardo Sandoval @ 2016-11-03 20:27 UTC (permalink / raw)
To: Adrian Dudau, openembedded-core
Adrian,
On 11/03/2016 07:18 AM, Adrian Dudau wrote:
> affects qemu < 2.7.0
>
> Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation
> support is vulnerable to an OOB write access issue. The controller uses
> 16-byte FIFO buffer for command and data transfer. The OOB write occurs
> while writing to this command buffer in routine get_cmd().
>
> A privileged user inside guest could use this flaw to crash the Qemu
> process resulting in DoS.
>
> References:
> ----------
> http://www.openwall.com/lists/oss-security/2016/05/19/4
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4441
>
> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
> ---
> .../recipes-devtools/qemu/qemu/CVE-2016-4441.patch | 78 ++++++++++++++++++++++
> meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 +
> 2 files changed, 79 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
> new file mode 100644
> index 0000000..3cbe394
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
> @@ -0,0 +1,78 @@
> +From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
> +From: Prasad J Pandit <pjp@fedoraproject.org>
> +Date: Thu, 19 May 2016 16:09:31 +0530
> +Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441)
> +
> +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
> +FIFO buffer. It is used to handle command and data transfer.
> +Routine get_cmd() uses DMA to read scsi commands into this buffer.
> +Add check to validate DMA length against buffer size to avoid any
> +overrun.
> +
> +Fixes CVE-2016-4441.
> +
Correct or include the CVE tag on cve patch with format:'CVE: CVE-YYYY-XXXX'
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-11-03 20:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-11-03 13:18 [krogoth][PATCH 1/2] qemu: Security fix CVE-2016-4439 Adrian Dudau
2016-11-03 13:18 ` [krogoth][PATCH 2/2] qemu: Security fix CVE-2016-4952 Adrian Dudau
2016-11-03 20:27 ` [krogoth][PATCH 1/2] qemu: Security fix CVE-2016-4439 Leonardo Sandoval
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.