Hello community,

here is the log from the commit of package kvm for openSUSE:11.4
checked in at Mon Jul 11 16:49:39 CEST 2011.



--------
--- old-versions/11.4/UPDATES/all/kvm/kvm.changes       2011-05-23 
20:05:10.000000000 +0200
+++ 11.4/kvm/kvm.changes        2011-07-08 18:53:28.000000000 +0200
@@ -1,0 +2,11 @@
+Fri Jul  8 16:46:13 UTC 2011 - [email protected]
+
+- validate virtqueue indirect descriptor against max size
+  (bnc#701161)
+
+-------------------------------------------------------------------
+Wed Jul  6 19:14:24 UTC 2011 - [email protected]
+
+- fix possible out of bounds memory access (bnc#702823)
+
+-------------------------------------------------------------------
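Review bot: the Jul 8 entry cites only bnc#701161, while the patch file header below names CVE-2011-2212 for the same fix; add the CVE id to the changelog line (e.g. "(bnc#701161, CVE-2011-2212)") so the update can be matched to the public advisory without opening the patch.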

calling whatdependson for 11.4-i586


New:
----
  kvm-qemu-preXX-validate-virtqueue.patch
  kvm-qemu-preXX-virtio-guard-against-negative-vq-notifies.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kvm.spec ++++++
--- /var/tmp/diff_new_pack.PVNdsV/_old  2011-07-11 16:48:49.000000000 +0200
+++ /var/tmp/diff_new_pack.PVNdsV/_new  2011-07-11 16:48:49.000000000 +0200
@@ -79,7 +79,7 @@
 Summary:        Kernel-based Virtual Machine
 Url:            http://kvm.qumranet.com/
 Version:        %{package_base_version}%{package_extra_version} 
-Release:        1.<RELEASE8>
+Release:        1.<RELEASE10>
 Source0:        qemu-%{name}-%{package_base_version}.tar.bz2
 Source1:        60-kvm.rules
 Source2:        qemu-ifup
@@ -152,6 +152,8 @@
 Patch140:       kvm-qemu-preXX-severe-memory-leak-caused-by-broken-palett.patch
 Patch141:       kvm-qemu-preXX-virtio-blk-fail-unaligned-requests.patch
 Patch142:       kvm-qemu-preXX-vnc-tight-Fix-crash-after-2GB-of-output.patch
+Patch143:       kvm-qemu-preXX-virtio-guard-against-negative-vq-notifies.patch
+Patch144:       kvm-qemu-preXX-validate-virtqueue.patch
 
 Patch200:       qemu-img-vmdk-scsi.patch
 Patch201:       kvm-studio-slirp-nooutgoing.patch
@@ -287,6 +289,8 @@
 %patch140 -p1
 %patch141 -p1
 %patch142 -p1
+%patch143 -p1
+%patch144 -p1
 
 # Studio addons
 %patch200 -p1

++++++ kvm-qemu-preXX-validate-virtqueue.patch ++++++
EMBARGOED CVE-2011-2212 qemu-kvm: virtqueue: too-large indirect descriptor buffer overflow

It was found that the virtio subsystem in qemu-kvm did not properly validate
virtqueue in and out requests from the guest. A privileged guest user could use
this flaw to cause a buffer overflow, causing the guest to crash (denial of
service) or, possibly, resulting in the privileged guest user escalating their
privileges on the host.

--

virtqueue_pop (and less importantly, virtqueue_avail_bytes) do not limit
the size of an indirect descriptor entry, which allows a guest to
specify an arbitrarily-long descriptor chain, which will overflow the
fixed-size arrays in VirtQueueElement, leading to memory corruption.

From 8e16077bfcd2d06a98aec8348cc171402ed75b51 Mon Sep 17 00:00:00 2001
From: Nelson Elhage <[email protected]>
Date: Thu, 19 May 2011 13:23:17 -0400
Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors.

We were previously allowing arbitrarily-long descriptors, which could lead to a
buffer overflow in the qemu-kvm process.
---
 hw/virtio.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/hw/virtio.c b/hw/virtio.c
index 6e8814c..4935282 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -335,6 +335,11 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int 
out_bytes)
             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
             num_bufs = i = 0;
             desc_pa = vring_desc_addr(desc_pa, i);
+
+            if (max > VIRTQUEUE_MAX_SIZE) {
+                error_report("Too-large indirect descriptor");
+                exit(1);
+            }
         }
 
         do {
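Review bot: the new bound is placed three statements after `max` is computed, once `i` and `desc_pa` have already been redirected to the indirect table; move `if (max > VIRTQUEUE_MAX_SIZE)` directly under `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);` so the guard sits next to the value it protects and nothing is touched before validation. Two further points: the integer division lets a guest supply a length smaller than sizeof(VRingDesc), giving `max == 0`, which this check does not reject; and `exit(1)` on guest-supplied data terminates the whole qemu-kvm process, which is consistent with the existing handling but is still a guest-triggerable shutdown rather than a per-device failure.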
@@ -405,6 +410,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
         max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
         desc_pa = vring_desc_addr(desc_pa, i);
         i = 0;
+
+        if (max > VIRTQUEUE_MAX_SIZE) {
+            error_report("Too-large indirect descriptor");
+            exit(1);
+        }
     }
 
     /* Collect all the descriptors */
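Review bot: these five lines are a verbatim copy of the check added to virtqueue_avail_bytes() in the previous hunk; factor the bound and its error message into one small static helper so the two call sites cannot drift apart, and place it immediately after the `max =` assignment here as well, before `desc_pa` and `i` are reset.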
-- 
1.7.4.44.gf9e72

++++++ kvm-qemu-preXX-virtio-guard-against-negative-vq-notifies.patch ++++++
From 7157e2e23e89adcd436caeab31fdd6b47eded377 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <[email protected]>
Date: Sun, 8 May 2011 22:29:07 +0100
Subject: [PATCH] virtio: guard against negative vq notifies

The virtio_queue_notify() function checks that the virtqueue number is
less than the maximum number of virtqueues.  A signed comparison is used
but the virtqueue number could be negative if a buggy or malicious guest
is run.  This results in memory accesses outside of the virtqueue array.

It is risky doing input validation in common code instead of at the
guest<->host boundary.  Note that virtio_queue_set_addr(),
virtio_queue_get_addr(), virtio_queue_get_num(), and many other virtio
functions do *not* validate the virtqueue number argument.

Instead of fixing the comparison in virtio_queue_notify(), move the
comparison to the virtio bindings (just like VIRTIO_PCI_QUEUE_SEL) where
we have a uint32_t value and can avoid ever calling into common virtio
code if the virtqueue number is invalid.

Signed-off-by: Stefan Hajnoczi <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
---
 hw/syborg_virtio.c |    4 +++-
 hw/virtio-pci.c    |    4 +++-
 hw/virtio.c        |    4 +---
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/hw/syborg_virtio.c b/hw/syborg_virtio.c
index 2f3e6da..00c7be8 100644
--- a/hw/syborg_virtio.c
+++ b/hw/syborg_virtio.c
@@ -146,7 +146,9 @@ static void syborg_virtio_writel(void *opaque, 
target_phys_addr_t offset,
             vdev->queue_sel = value;
         break;
     case SYBORG_VIRTIO_QUEUE_NOTIFY:
-        virtio_queue_notify(vdev, value);
+        if (value < VIRTIO_PCI_QUEUE_MAX) {
+            virtio_queue_notify(vdev, value);
+        }
         break;
     case SYBORG_VIRTIO_STATUS:
         virtio_set_status(vdev, value & 0xFF);
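Review bot: the comparison `value < VIRTIO_PCI_QUEUE_MAX` is only a safe replacement for the removed common-code check if `value` is unsigned; the hunk header does not show the parameter's type, so confirm it is the uint32_t the commit message describes. A one-line comment that this non-PCI binding deliberately reuses the PCI constant because it is what sizes vdev->vq would also help the next reader.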
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 270e2c7..b86c441 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -348,7 +348,9 @@ static void virtio_ioport_write(void *opaque, uint32_t 
addr, uint32_t val)
             vdev->queue_sel = val;
         break;
     case VIRTIO_PCI_QUEUE_NOTIFY:
-        virtio_queue_notify(vdev, val);
+        if (val < VIRTIO_PCI_QUEUE_MAX) {
+            virtio_queue_notify(vdev, val);
+        }
         break;
     case VIRTIO_PCI_STATUS:
         if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {
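Review bot: an out-of-range queue notify is now dropped without any trace; since `val` is a uint32_t here (see the function signature in the hunk header), consider logging or tracing the rejected value so a misbehaving or hostile guest driver is diagnosable, matching however VIRTIO_PCI_QUEUE_SEL handles the same situation.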
diff --git a/hw/virtio.c b/hw/virtio.c
index 6e8814c..a651860 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -585,9 +585,7 @@ void virtio_queue_notify_vq(VirtQueue *vq)
 
 void virtio_queue_notify(VirtIODevice *vdev, int n)
 {
-    if (n < VIRTIO_PCI_QUEUE_MAX) {
-        virtio_queue_notify_vq(&vdev->vq[n]);
-    }
+    virtio_queue_notify_vq(&vdev->vq[n]);
 }
 
 uint16_t virtio_queue_vector(VirtIODevice *vdev, int n)
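Review bot: removing the check leaves virtio_queue_notify() with an undocumented precondition that every caller must have validated `n`, and the parameter stays a signed `int n`, so a future caller that forwards a guest value directly reintroduces the negative-index access; add a comment stating the precondition (or an assert), and consider changing the parameter to an unsigned type so the signed-comparison mistake cannot recur in this function.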
-- 
1.6.0.2
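The two descriptions above (an unbounded indirect-descriptor length overflowing the fixed arrays in VirtQueueElement, and a signed queue number passing an upper-bound-only check) can be reproduced in a small model. The following is added example code written for this page, not qemu-kvm source: the Desc and Elem structures, the WALK_*/NOTIFY_* status codes, the constants and the chained test table are simplified assumptions chosen so the effect is observable without corrupting memory.

```c
/* Added example (not qemu-kvm source): a toy model of the two guest-controlled
 * values fixed in this update. Structure names, sizes and the chained test
 * table are simplified assumptions chosen so the effect is observable. */
#include <stdint.h>
#include <stdlib.h>

#define VIRTQUEUE_MAX_SIZE 1024   /* length of the fixed arrays in the element */
#define QUEUE_MAX          64     /* stands in for VIRTIO_PCI_QUEUE_MAX */
#define F_NEXT             1      /* stands in for VRING_DESC_F_NEXT */

/* One ring descriptor as the guest lays it out (16 bytes, like VRingDesc). */
typedef struct { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; } Desc;

/* Fixed-size element, the overflow target (cf. VirtQueueElement). */
typedef struct {
    unsigned num;         /* entries the chain produced */
    unsigned overflowed;  /* entries that real code would write past addr[] */
    uint64_t addr[VIRTQUEUE_MAX_SIZE];
} Elem;

enum { WALK_OK = 0, WALK_TOO_LARGE, WALK_EMPTY, WALK_LOOPED, WALK_BAD_NEXT };

/* Walk an indirect table of 'len' guest-supplied bytes, starting at entry 0.
 * patched == 0 keeps the pre-fix logic; patched != 0 adds the patch's upper
 * bound plus an empty-table check that the patch itself does not add. */
static int walk_indirect(const Desc *table, uint32_t len, int patched, Elem *elem)
{
    unsigned max = len / sizeof(Desc);   /* integer division, as in hw/virtio.c */
    unsigned i = 0;

    elem->num = 0;
    elem->overflowed = 0;
    if (patched) {
        if (max > VIRTQUEUE_MAX_SIZE) return WALK_TOO_LARGE;  /* the CVE-2011-2212 check */
        if (max == 0) return WALK_EMPTY;                      /* len < sizeof(Desc) */
    }
    for (;;) {
        if (elem->num < VIRTQUEUE_MAX_SIZE)
            elem->addr[elem->num] = table[i].addr;
        else
            elem->overflowed++;   /* real code has no such branch: it writes past the array */
        elem->num++;
        /* The original loop guard bounds the chain by the guest-chosen max, not
         * by VIRTQUEUE_MAX_SIZE; that is why the upper bound on max is needed. */
        if (elem->num > max) return WALK_LOOPED;
        if (!(table[i].flags & F_NEXT)) return WALK_OK;
        i = table[i].next;
        if (i >= max) return WALK_BAD_NEXT;
    }
}

/* Constructed input: an indirect table of n descriptors chained 0->1->...->n-1.
 * Returns the walk status; *overflowed (if non-NULL) gets the out-of-bounds write count. */
int demo_indirect(unsigned n, int patched, unsigned *overflowed)
{
    static Elem elem;                 /* 8 KiB, kept off the stack */
    Desc *table = calloc(n ? n : 1, sizeof(Desc));
    unsigned k;
    int rc;

    if (overflowed) *overflowed = 0;
    if (!table) return -1;
    for (k = 0; k < n; k++) {
        table[k].addr  = 0x1000 + 0x100 * (uint64_t)k;
        table[k].len   = 0x100;
        table[k].flags = (k + 1 < n) ? F_NEXT : 0;
        table[k].next  = (uint16_t)(k + 1);
    }
    rc = walk_indirect(table, (uint32_t)(n * sizeof(Desc)), patched, &elem);
    if (overflowed) *overflowed = elem.overflowed;
    free(table);
    return rc;
}

/* Convenience: how many writes the walk would have made past addr[]. */
unsigned demo_overflow_count(unsigned n, int patched)
{
    unsigned ov = 0;
    demo_indirect(n, patched, &ov);
    return ov;
}

enum { NOTIFY_IGNORED = 0, NOTIFY_IN_BOUNDS, NOTIFY_OUT_OF_BOUNDS };

/* Pre-fix shape: common code takes a signed int and checks only the upper bound,
 * so a guest value of 0xffffffff arrives as -1, passes, and indexes vq[-1]. */
int notify_signed_common(int n)
{
    if (n < QUEUE_MAX)
        return n >= 0 ? NOTIFY_IN_BOUNDS : NOTIFY_OUT_OF_BOUNDS;
    return NOTIFY_IGNORED;
}

/* Post-fix shape: the binding checks the raw uint32_t before calling common
 * code, so 0xffffffff is simply dropped and never reaches an array index. */
int notify_checked_in_binding(uint32_t val)
{
    return val < QUEUE_MAX ? NOTIFY_IN_BOUNDS : NOTIFY_IGNORED;
}
```

With a 1500-entry chain the unpatched walk completes "successfully" while 476 entries land beyond the 1024-slot array, because the only in-loop guard compares against the guest-chosen `max`; the patched walk rejects the table before touching it. The notify half shows why the fix moved the comparison rather than just flipping it to unsigned in common code: at the binding the value is still a uint32_t, so there is no negative to reason about.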




++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]