[pve-devel] [PATCH kvm] various CVE fixes
CVE-2016-7170: vmsvga: correct bitmap and pixmap size checks CVE-2016-7421: scsi: pvscsi: limit process IO loop to ring size CVE-2016-7423: scsi: mptsas: use g_new0 to allocate MPTSASRequest object
---
...vga-correct-bitmap-and-pixmap-size-checks.patch | 45 ++
...pvscsi-limit-process-IO-loop-to-ring-size.patch | 38 ++
...-use-g_new0-to-allocate-MPTSASRequest-obj.patch | 35 +
debian/patches/series | 3 ++
4 files changed, 121 insertions(+)
create mode 100644 debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
create mode 100644 debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
create mode 100644 debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
diff --git a/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
new file mode 100644
index 000..732f679
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
@@ -0,0 +1,45 @@
+From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 8 Sep 2016 18:15:54 +0530
+Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
+
+When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
+the computed BITMAP and PIXMAP size are checked against the
+'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
+Correct these checks to avoid OOB memory access.
+
+Reported-by: Qinghao Tang
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Message-id: 1473338754-15430-1-git-send-email-ppan...@redhat.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/vmware_vga.c | 12 +++-
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index e51a05e..6599cf0 100644
+--- a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ cursor.bpp = vmsvga_fifo_read(s);
+
+ args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
+-if (cursor.width > 256 ||
+-cursor.height > 256 ||
+-cursor.bpp > 32 ||
+-SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+-SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
++if (cursor.width > 256
++|| cursor.height > 256
++|| cursor.bpp > 32
++|| SVGA_BITMAP_SIZE(x, y)
++> sizeof(cursor.mask) / sizeof(cursor.mask[0])
++|| SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
++> sizeof(cursor.image) / sizeof(cursor.image[0])) {
+ goto badcmd;
+ }
+
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
new file mode 100644
index 000..05ab4a5
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
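Review bot: The corrected comparison in the embedded `vmware_vga.c` hunk is right but carries no comment: the reason the old check was wrong — `SVGA_BITMAP_SIZE()`/`SVGA_PIXMAP_SIZE()` yield element counts while `sizeof cursor.mask` yields bytes, which is why the new code divides by `sizeof(cursor.mask[0])` — lives only in the nested commit message, so a one-line comment above the `if`, e.g. `/* SVGA_*_SIZE() count array elements, not bytes: bound by element count */`, would keep a later reader from "simplifying" it back to the byte comparison. Separately, as rendered here both embedded patches (this one and the pvscsi one in the next file) show `+--- a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c` with no `+++ b/` line; that is presumably an artifact of the archive's rendering, but since these files are consumed through `debian/patches/series`, it is worth confirming the committed files carry the full `---`/`+++` header pair so they apply. The enclosing `vmsvga_fifo_run()` body starts and ends outside the hunk.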
@@ -0,0 +1,38 @@
+From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 14 Sep 2016 15:09:12 +0530
+Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
+
+Vmware Paravirtual SCSI emulator while processing IO requests
+could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
+always returned positive value. Limit IO loop to the ring size.
+
+Cc: qemu-sta...@nongnu.org
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Message-Id: <1473845952-30785-1-git-send-email-ppan...@redhat.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/vmw_pvscsi.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index babac5a..a5ce7de 100644
+--- a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+@@ -247,8 +247,11 @@ static hwaddr
+ pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
+ {
+ uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
++uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
++* PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+
+-if (ready_ptr != mgr->consumed_ptr) {
++if (ready_ptr != mgr->consumed_ptr
++&& ready_ptr - mgr->consumed_ptr < ring_size) {
+ uint32_t next_ready_ptr =
+ mgr->consumed_ptr++ & mgr->txr_len_mask;
+ uint32_t next_ready_page =
+--
+2.1.4
+
diff --git a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
new file mode 100644
index 000..f1ba947
--- /dev/null
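Review bot: The new guard in `pvscsi_ring_pop_req_descr()` bounds `ready_ptr - mgr->consumed_ptr` by the largest ring the device can have (`PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE`) rather than by the ring actually configured, which the next line indexes with `mgr->txr_len_mask`; if `txr_len_mask + 1` is that ring's entry count, as its use as an index mask suggests, a smaller ring can still keep the caller's loop going for up to the maximum count before the check stops it. That is bounded, so it does fix the hang the commit targets, but the intent deserves a comment, e.g. `/* reqProdIdx comes from ring state the guest can write: cap its distance from consumed_ptr so the caller's loop terminates */`, and the tighter `&& ready_ptr - mgr->consumed_ptr <= mgr->txr_len_mask` is worth considering if the mask is indeed the ring length. The comparison relies on the subtraction wrapping when `ready_ptr` is below `consumed_ptr`, which holds only if `consumed_ptr` is also an unsigned 32-bit field — its declaration is not in the hunk, so please confirm. The function body continues outside the hunk.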
Re: [pve-devel] [PATCH kvm] various CVE fixes
applied, thanks!
[pve-devel] [PATCH kvm] various CVE fixes
CVE-2016-7116: 9pfs: forbid illegal path names 9pfs: forbid . and .. in file names 9pfs: handle walk of ".." in the root directory CVE-2016-7155: scsi: check page count while initialising descriptor rings CVE-2016-7156: scsi: pvscsi: avoid infinite loop while building SG list CVE-2016-7157: scsi: mptconfig: fix an assert expression --- .../0001-9pfs-forbid-illegal-path-names.patch | 178 + .../0002-9pfs-forbid-.-and-.-in-file-names.patch | 159 ++ ...fs-handle-walk-of-.-in-the-root-directory.patch | 126 +++ ...page-count-while-initialising-descriptor-.patch | 83 ++ ...-avoid-infinite-loop-while-building-SG-li.patch | 63 ...7-scsi-mptconfig-fix-an-assert-expression.patch | 35 debian/patches/series | 6 + 7 files changed, 650 insertions(+) create mode 100644 debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch create mode 100644 debian/patches/extra/0002-9pfs-forbid-.-and-.-in-file-names.patch create mode 100644 debian/patches/extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch create mode 100644 debian/patches/extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch create mode 100644 debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch create mode 100644 debian/patches/extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch diff --git a/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch b/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch new file mode 100644 index 000..15d3119 --- /dev/null +++ b/debian/patches/extra/0001-9pfs-forbid-illegal-path-names.patch 
@@ -0,0 +1,178 @@ +From 21289fc663198d96ae2ca145a425f2e21ed4637a Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Tue, 30 Aug 2016 19:11:05 +0200 +Subject: [PATCH 1/6] 9pfs: forbid illegal path names + +Empty path components don't make sense for most commands and may cause +undefined behavior, depending on the backend. + +Also, the walk request described in the 9P spec [1] clearly shows that +the client is supposed to send individual path components: the official +linux client never sends portions of path containing the / character for +example. + +Moreover, the 9P spec [2] also states that a system can decide to restrict +the set of supported characters used in path components, with an explicit +mention "to remove slashes from name components". + +This patch introduces a new name_is_illegal() helper that checks the +names sent by the client are not empty and don't contain unwanted chars. +Since 9pfs is only supported on linux hosts, only the / character is +checked at the moment. When support for other hosts (AKA. win32) is added, +other chars may need to be blacklisted as well. + +If a client sends an illegal path component, the request will fail and +ENOENT is returned to the client. + +[1] http://man.cat-v.org/plan_9/5/walk +[2] http://man.cat-v.org/plan_9/5/intro + +Suggested-by: Peter Maydell +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +Reviewed-by: Michael S. 
Tsirkin +Signed-off-by: Peter Maydell +--- + hw/9pfs/9p.c | 56 + 1 file changed, 56 insertions(+) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index f5e3012..53c466b 100644 +--- a/hw/9pfs/9p.c b/hw/9pfs/9p.c +@@ -1254,6 +1254,11 @@ static int v9fs_walk_marshal(V9fsPDU *pdu, uint16_t nwnames, V9fsQID *qids) + return offset; + } + ++static bool name_is_illegal(const char *name) ++{ ++return !*name || strchr(name, '/') != NULL; ++} ++ + static void v9fs_walk(void *opaque) + { + int name_idx; +@@ -1287,6 +1292,10 @@ static void v9fs_walk(void *opaque) + if (err < 0) { + goto out_nofid; + } ++if (name_is_illegal(wnames[i].data)) { ++err = -ENOENT; ++goto out_nofid; ++} + offset += err; + } + } else if (nwnames > P9_MAXWELEM) { +@@ -1481,6 +1490,11 @@ static void v9fs_lcreate(void *opaque) + } + trace_v9fs_lcreate(pdu->tag, pdu->id, dfid, flags, mode, gid); + ++if (name_is_illegal(name.data)) { ++err = -ENOENT; ++goto out_nofid; ++} ++ + fidp = get_fid(pdu, dfid); + if (fidp == NULL) { + err = -ENOENT; +@@ -2066,6 +2080,11 @@ static void v9fs_create(void *opaque) + } + trace_v9fs_create(pdu->tag, pdu->id, fid, name.data, perm, mode); + ++if (name_is_illegal(name.data)) { ++err = -ENOENT; ++goto out_nofid; ++} ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -EINVAL; +@@ -2231,6 +2250,11 @@ static void v9fs_symlink(void *opaque) + } + trace_v9fs_symlink(pdu->tag, pdu->id, dfid, name.data, symname.data, gid); + ++if (name_is_illegal(name.data)) { ++err = -ENOENT; ++goto out_nofid; ++} ++ + dfidp =