[pve-devel] [PATCH kvm] various CVE fixes

2016-09-19 Thread Fabian Grünbichler
CVE-2016-7170: vmsvga: correct bitmap and pixmap size checks
CVE-2016-7421: scsi: pvscsi: limit process IO loop to ring size
CVE-2016-7423: scsi: mptsas: use g_new0 to allocate MPTSASRequest object
---
 ...vga-correct-bitmap-and-pixmap-size-checks.patch | 45 ++
 ...pvscsi-limit-process-IO-loop-to-ring-size.patch | 38 ++
 ...-use-g_new0-to-allocate-MPTSASRequest-obj.patch | 35 +
 debian/patches/series  |  3 ++
 4 files changed, 121 insertions(+)
 create mode 100644 
debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
 create mode 100644 
debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
 create mode 100644 
debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch

diff --git 
a/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
 
b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
new file mode 100644
index 000..732f679
--- /dev/null
+++ 
b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
@@ -0,0 +1,45 @@
+From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit 
+Date: Thu, 8 Sep 2016 18:15:54 +0530
+Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
+
+When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
+the computed BITMAP and PIXMAP size are checked against the
+'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
+Correct these checks to avoid OOB memory access.
+
+Reported-by: Qinghao Tang 
+Reported-by: Li Qiang 
+Signed-off-by: Prasad J Pandit 
+Message-id: 1473338754-15430-1-git-send-email-ppan...@redhat.com
+Signed-off-by: Gerd Hoffmann 
+---
+ hw/display/vmware_vga.c | 12 +++-
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index e51a05e..6599cf0 100644
+--- a/hw/display/vmware_vga.c
 b/hw/display/vmware_vga.c
+@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ cursor.bpp = vmsvga_fifo_read(s);
+ 
+ args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, 
cursor.bpp);
+-if (cursor.width > 256 ||
+-cursor.height > 256 ||
+-cursor.bpp > 32 ||
+-SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+-SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
++if (cursor.width > 256
++|| cursor.height > 256
++|| cursor.bpp > 32
++|| SVGA_BITMAP_SIZE(x, y)
++> sizeof(cursor.mask) / sizeof(cursor.mask[0])
++|| SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
++> sizeof(cursor.image) / sizeof(cursor.image[0])) {
+ goto badcmd;
+ }
+ 
+-- 
+2.1.4
+
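Review bot: The corrected condition compares the macro results against element counts without saying why, and the next reader of `sizeof(cursor.mask) / sizeof(cursor.mask[0])` may well "simplify" it back to `sizeof cursor.mask`, which is exactly the bug being fixed. A one-line comment above the `if`, e.g. `/* SVGA_BITMAP_SIZE/SVGA_PIXMAP_SIZE yield element counts, not byte counts */`, would pin that down; the unit claim follows from the patch description and should be checked against the macro definitions, which are outside this hunk. The check also runs after `args` is computed from the same not-yet-validated x/y values on the preceding context line; that is harmless as long as `args` is only consumed after the `goto badcmd`, which this hunk does not show. vmsvga_fifo_run continues outside the hunk.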
diff --git 
a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
 
b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
new file mode 100644
index 000..05ab4a5
--- /dev/null
+++ 
b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
@@ -0,0 +1,38 @@
+From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit 
+Date: Wed, 14 Sep 2016 15:09:12 +0530
+Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
+
+Vmware Paravirtual SCSI emulator while processing IO requests
+could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
+always returned positive value. Limit IO loop to the ring size.
+
+Cc: qemu-sta...@nongnu.org
+Reported-by: Li Qiang 
+Signed-off-by: Prasad J Pandit 
+Message-Id: <1473845952-30785-1-git-send-email-ppan...@redhat.com>
+Signed-off-by: Paolo Bonzini 
+---
+ hw/scsi/vmw_pvscsi.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index babac5a..a5ce7de 100644
+--- a/hw/scsi/vmw_pvscsi.c
 b/hw/scsi/vmw_pvscsi.c
+@@ -247,8 +247,11 @@ static hwaddr
+ pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
+ {
+ uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
++uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
++* PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+ 
+-if (ready_ptr != mgr->consumed_ptr) {
++if (ready_ptr != mgr->consumed_ptr
++&& ready_ptr - mgr->consumed_ptr < ring_size) {
+ uint32_t next_ready_ptr =
+ mgr->consumed_ptr++ & mgr->txr_len_mask;
+ uint32_t next_ready_page =
+-- 
+2.1.4
+
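Review bot: The new guard `&& ready_ptr - mgr->consumed_ptr < ring_size` bounds the loop with the maximum ring size (`PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE`) rather than the ring actually configured for this `mgr`, so a producer index that is ahead of the consumer by more than the configured ring but less than the maximum is still accepted. If `mgr->txr_len_mask`, used two lines below, is the configured ring size minus one, comparing against `mgr->txr_len_mask + 1` would make the bound exact; this needs confirming against the ring setup code, which is outside the hunk. The unsigned subtraction also relies on wrap-around to reject a consumer index that is ahead of the producer, which deserves a short comment such as `/* unsigned wrap makes a lagging producer fail this check */`. pvscsi_ring_pop_req_descr's body continues past the hunk.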
diff --git 
a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
 
b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
new file mode 100644
index 000..f1ba947
--- /dev/null

Re: [pve-devel] [PATCH kvm] various CVE fixes

2016-09-07 Thread Dietmar Maurer
applied, thanks!



[pve-devel] [PATCH kvm] various CVE fixes

2016-09-07 Thread Wolfgang Bumiller
CVE-2016-7116:
  9pfs: forbid illegal path names
  9pfs: forbid . and .. in file names
  9pfs: handle walk of ".." in the root directory
CVE-2016-7155: scsi: check page count while initialising descriptor rings
CVE-2016-7156: scsi: pvscsi: avoid infinite loop while building SG list
CVE-2016-7157: scsi: mptconfig: fix an assert expression
---
 .../0001-9pfs-forbid-illegal-path-names.patch  | 178 +
 .../0002-9pfs-forbid-.-and-.-in-file-names.patch   | 159 ++
 ...fs-handle-walk-of-.-in-the-root-directory.patch | 126 +++
 ...page-count-while-initialising-descriptor-.patch |  83 ++
 ...-avoid-infinite-loop-while-building-SG-li.patch |  63 
 ...7-scsi-mptconfig-fix-an-assert-expression.patch |  35 
 debian/patches/series  |   6 +
 7 files changed, 650 insertions(+)
 create mode 100644 
debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
 create mode 100644 
debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch
 create mode 100644 
debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch
 create mode 100644 
debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch
 create mode 100644 
debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
 create mode 100644 
debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch

diff --git a/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch 
b/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
new file mode 100644
index 000..15d3119
--- /dev/null
+++ b/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch
@@ -0,0 +1,178 @@
+From 21289fc663198d96ae2ca145a425f2e21ed4637a Mon Sep 17 00:00:00 2001
+From: Greg Kurz 
+Date: Tue, 30 Aug 2016 19:11:05 +0200
+Subject: [PATCH 1/6] 9pfs: forbid illegal path names
+
+Empty path components don't make sense for most commands and may cause
+undefined behavior, depending on the backend.
+
+Also, the walk request described in the 9P spec [1] clearly shows that
+the client is supposed to send individual path components: the official
+linux client never sends portions of path containing the / character for
+example.
+
+Moreover, the 9P spec [2] also states that a system can decide to restrict
+the set of supported characters used in path components, with an explicit
+mention "to remove slashes from name components".
+
+This patch introduces a new name_is_illegal() helper that checks the
+names sent by the client are not empty and don't contain unwanted chars.
+Since 9pfs is only supported on linux hosts, only the / character is
+checked at the moment. When support for other hosts (AKA. win32) is added,
+other chars may need to be blacklisted as well.
+
+If a client sends an illegal path component, the request will fail and
+ENOENT is returned to the client.
+
+[1] http://man.cat-v.org/plan_9/5/walk
+[2] http://man.cat-v.org/plan_9/5/intro
+
+Suggested-by: Peter Maydell 
+Signed-off-by: Greg Kurz 
+Reviewed-by: Eric Blake 
+Reviewed-by: Michael S. Tsirkin 
+Signed-off-by: Peter Maydell 
+---
+ hw/9pfs/9p.c | 56 
+ 1 file changed, 56 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index f5e3012..53c466b 100644
+--- a/hw/9pfs/9p.c
 b/hw/9pfs/9p.c
+@@ -1254,6 +1254,11 @@ static int v9fs_walk_marshal(V9fsPDU *pdu, uint16_t 
nwnames, V9fsQID *qids)
+ return offset;
+ }
+ 
++static bool name_is_illegal(const char *name)
++{
++return !*name || strchr(name, '/') != NULL;
++}
++
+ static void v9fs_walk(void *opaque)
+ {
+ int name_idx;
+@@ -1287,6 +1292,10 @@ static void v9fs_walk(void *opaque)
+ if (err < 0) {
+ goto out_nofid;
+ }
++if (name_is_illegal(wnames[i].data)) {
++err = -ENOENT;
++goto out_nofid;
++}
+ offset += err;
+ }
+ } else if (nwnames > P9_MAXWELEM) {
+@@ -1481,6 +1490,11 @@ static void v9fs_lcreate(void *opaque)
+ }
+ trace_v9fs_lcreate(pdu->tag, pdu->id, dfid, flags, mode, gid);
+ 
++if (name_is_illegal(name.data)) {
++err = -ENOENT;
++goto out_nofid;
++}
++
+ fidp = get_fid(pdu, dfid);
+ if (fidp == NULL) {
+ err = -ENOENT;
+@@ -2066,6 +2080,11 @@ static void v9fs_create(void *opaque)
+ }
+ trace_v9fs_create(pdu->tag, pdu->id, fid, name.data, perm, mode);
+ 
++if (name_is_illegal(name.data)) {
++err = -ENOENT;
++goto out_nofid;
++}
++
+ fidp = get_fid(pdu, fid);
+ if (fidp == NULL) {
+ err = -EINVAL;
+@@ -2231,6 +2250,11 @@ static void v9fs_symlink(void *opaque)
+ }
+ trace_v9fs_symlink(pdu->tag, pdu->id, dfid, name.data, symname.data, gid);
+ 
++if (name_is_illegal(name.data)) {
++err = -ENOENT;
++goto out_nofid;
++}
++
+ dfidp =