New version for CVE-2015-8619: hmp: fix sendkey out of bounds write (CVE-2015-8619)
And: CVE-2016-1568: ide: ahci: reset ncq object to unused on error --- .../CVE-2015-8619-hmp-sendkey-oob-fix.patch | 44 ++++++++++++++++++++++ ...-ahci-reset-ncq-object-to-unused-on-error.patch | 37 ++++++++++++++++++ debian/patches/series | 2 + 3 files changed, 83 insertions(+) create mode 100644 debian/patches/CVE-2015-8619-hmp-sendkey-oob-fix.patch create mode 100644 debian/patches/CVE-2016-1568-ide-ahci-reset-ncq-object-to-unused-on-error.patch diff --git a/debian/patches/CVE-2015-8619-hmp-sendkey-oob-fix.patch b/debian/patches/CVE-2015-8619-hmp-sendkey-oob-fix.patch new file mode 100644 index 0000000..78aea0c --- /dev/null +++ b/debian/patches/CVE-2015-8619-hmp-sendkey-oob-fix.patch @@ -0,0 +1,44 @@ +From 8da4a3bf8fb076314f986a0d58cb94f5458e3659 Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller <[email protected]> +Date: Mon, 11 Jan 2016 08:21:25 +0100 +Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) + +When processing 'sendkey' command, hmp_sendkey routine null +terminates the 'keyname_buf' array. This results in an OOB +write issue, if 'keyname_len' was to fall outside of +'keyname_buf' array. + +Now checking the length against the buffer size before using +it. + +Reported-by: Ling Liu <[email protected]> +Signed-off-by: Wolfgang Bumiller <[email protected]> +--- + hmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hmp.c b/hmp.c +index c2b2c16..0c7a04c 100644 +--- a/hmp.c ++++ b/hmp.c +@@ -1749,6 +1749,8 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) + while (1) { + separator = strchr(keys, '-'); + keyname_len = separator ? separator - keys : strlen(keys); ++ if (keyname_len >= sizeof(keyname_buf)) ++ goto err_out; + pstrcpy(keyname_buf, sizeof(keyname_buf), keys); + + /* Be compatible with old interface, convert user inputted "<" */ +@@ -1800,7 +1802,7 @@ out: + return; + + err_out: +- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); ++ monitor_printf(mon, "invalid parameter: %s\n", keys); + goto out; + } + +-- +2.1.4 + diff --git a/debian/patches/CVE-2016-1568-ide-ahci-reset-ncq-object-to-unused-on-error.patch b/debian/patches/CVE-2016-1568-ide-ahci-reset-ncq-object-to-unused-on-error.patch new file mode 100644 index 0000000..e7d5ebc --- /dev/null +++ b/debian/patches/CVE-2016-1568-ide-ahci-reset-ncq-object-to-unused-on-error.patch @@ -0,0 +1,37 @@ +From b9a60d97fac671f31df599e7e48fd28fc203c0af Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <[email protected]> +Date: Sat, 9 Jan 2016 01:18:31 +0530 +Subject: [PATCH] ide: ahci: reset ncq object to unused on error + +When processing NCQ commands, ACHI device emulation prepares a +NCQ transfer object; To which an aio control block(aiocb) object +is assigned in 'execute_ncq_command'. In case, when the NCQ +command is invalid, the 'aiocb' object is not assigned, and NCQ +transfer object is left as 'used'. This leads to a use after +free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. +Reset NCQ transfer object to 'unused' to avoid it. + +Reported-by: Qinghao Tang <[email protected]> +Signed-off-by: Prasad J Pandit <[email protected]> +Reviewed-by: John Snow <[email protected]> +Message-id: [email protected] +Signed-off-by: John Snow <[email protected]> +--- + hw/ide/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index dd1912e..17f1cbd 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs) + ide_state->error = ABRT_ERR; + ide_state->status = READY_STAT | ERR_STAT; + ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); ++ ncq_tfs->used = 0; + } + + static void ncq_finish(NCQTransferState *ncq_tfs) +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 87a00ab..c02c96c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -47,3 +47,5 @@ CVE-2015-8701-net-rocker-off-by-one.patch CVE-2015-8743-ne2000-ioport-bounds-check.patch CVE-2015-8744-vmxnet3-refine-l2-header-validation.patch CVE-2015-8745-vmxnet3-support-reading-imr-registers.patch +CVE-2015-8619-hmp-sendkey-oob-fix.patch +CVE-2016-1568-ide-ahci-reset-ncq-object-to-unused-on-error.patch -- 2.1.4 _______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
