applied

On Mon, Sep 19, 2016 at 09:58:14AM +0200, Fabian Grünbichler wrote:
> CVE-2016-7170: vmsvga: correct bitmap and pixmap size checks > CVE-2016-7421: scsi: pvscsi: limit process IO loop to ring size > CVE-2016-7423: scsi: mptsas: use g_new0 to allocate MPTSASRequest object > --- > ...vga-correct-bitmap-and-pixmap-size-checks.patch | 45 > ++++++++++++++++++++++ > ...pvscsi-limit-process-IO-loop-to-ring-size.patch | 38 ++++++++++++++++++ > ...-use-g_new0-to-allocate-MPTSASRequest-obj.patch | 35 +++++++++++++++++ > debian/patches/series | 3 ++ > 4 files changed, 121 insertions(+) > create mode 100644 > debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch > create mode 100644 > debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch > create mode 100644 > debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch > > diff --git > a/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch > > b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch > new file mode 100644 > index 0000000..732f679 > --- /dev/null > +++ > b/debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch 
> @@ -0,0 +1,45 @@ > +From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001 > +From: Prasad J Pandit <p...@fedoraproject.org> > +Date: Thu, 8 Sep 2016 18:15:54 +0530 > +Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks > + > +When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, > +the computed BITMAP and PIXMAP size are checked against the > +'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. > +Correct these checks to avoid OOB memory access. > + > +Reported-by: Qinghao Tang <luodalon...@gmail.com> > +Reported-by: Li Qiang <liqiang...@360.cn> > +Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > +Message-id: 1473338754-15430-1-git-send-email-ppan...@redhat.com > +Signed-off-by: Gerd Hoffmann <kra...@redhat.com> > +--- > + hw/display/vmware_vga.c | 12 +++++++----- > + 1 file changed, 7 insertions(+), 5 deletions(-) > + > +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c > +index e51a05e..6599cf0 100644 > +--- a/hw/display/vmware_vga.c > ++++ b/hw/display/vmware_vga.c > +@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) > + cursor.bpp = vmsvga_fifo_read(s); > + > + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, > cursor.bpp); > +- if (cursor.width > 256 || > +- cursor.height > 256 || > +- cursor.bpp > 32 || > +- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || > +- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { > ++ if (cursor.width > 256 > ++ || cursor.height > 256 > ++ || cursor.bpp > 32 > ++ || SVGA_BITMAP_SIZE(x, y) > ++ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) > ++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > ++ > sizeof(cursor.image) / sizeof(cursor.image[0])) { > + goto badcmd; > + } > + > +-- > +2.1.4 > + 
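Review bot: the vmsvga hunk is only correct if SVGA_BITMAP_SIZE and SVGA_PIXMAP_SIZE return a count in the same unit as the element type of cursor.mask and cursor.image; neither the macros nor those array declarations are in the hunk, and the commit message only says the old code compared against "array sizes in bytes". Writing the bound as QEMU's ARRAY_SIZE(cursor.mask) instead of the hand-rolled `sizeof(cursor.mask) / sizeof(cursor.mask[0])` would make the intent obvious, and a one-line comment stating the unit (words vs. bytes) would let whoever backports this verify the check without opening the header. Separately, reflowing the unchanged `cursor.width > 256`, `cursor.height > 256` and `cursor.bpp > 32` lines to leading `||` is cosmetic and roughly doubles the size of a security backport; keeping the original layout would leave only the two changed comparisons in the diff.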
> diff --git > a/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch > > b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch > new file mode 100644 > index 0000000..05ab4a5 > --- /dev/null > +++ > b/debian/patches/extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch > @@ -0,0 +1,38 @@ > +From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001 > +From: Prasad J Pandit <p...@fedoraproject.org> > +Date: Wed, 14 Sep 2016 15:09:12 +0530 > +Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size > + > +Vmware Paravirtual SCSI emulator while processing IO requests > +could run into an infinite loop if 'pvscsi_ring_pop_req_descr' > +always returned positive value. Limit IO loop to the ring size. > + > +Cc: qemu-sta...@nongnu.org > +Reported-by: Li Qiang <liqiang...@360.cn> > +Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > +Message-Id: <1473845952-30785-1-git-send-email-ppan...@redhat.com> > +Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> > +--- > + hw/scsi/vmw_pvscsi.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c > +index babac5a..a5ce7de 100644 > +--- a/hw/scsi/vmw_pvscsi.c > ++++ b/hw/scsi/vmw_pvscsi.c > +@@ -247,8 +247,11 @@ static hwaddr > + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) > + { > + uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); > ++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING > ++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; > + > +- if (ready_ptr != mgr->consumed_ptr) { > ++ if (ready_ptr != mgr->consumed_ptr > ++ && ready_ptr - mgr->consumed_ptr < ring_size) { > + uint32_t next_ready_ptr = > + mgr->consumed_ptr++ & mgr->txr_len_mask; > + uint32_t next_ready_page = > +-- > +2.1.4 > + 
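Review bot: in the pvscsi hunk the new bound is the compile-time maximum (PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE), not the length the guest actually configured, which the very next line already derives from mgr->txr_len_mask. A guest with a smaller ring can therefore still drive the caller through up to the maximum number of iterations per call before this check trips; bounding on `ready_ptr - mgr->consumed_ptr <= mgr->txr_len_mask` (or a ring-length field kept alongside txr_len_mask) would reject any reqProdIdx more than one ring ahead of consumed_ptr. Whether a difference exactly equal to the ring length (a completely full ring) is legal for the guest should also be confirmed, because the `<` in the hunk rejects that case at the maximum size. The unsigned subtraction is deliberate and is what makes the check survive counter wraparound; that deserves a comment so nobody later "fixes" it into a signed compare. Finally, the loop the commit message talks about is not in the hunk, so the claim that it is now limited to the ring size rests on the caller stopping as soon as this function returns 0; that caller should be read in the same review.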
> diff --git > a/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch > > b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch > new file mode 100644 > index 0000000..f1ba947 > --- /dev/null > +++ > b/debian/patches/extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch > @@ -0,0 +1,35 @@ > +From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001 > +From: Li Qiang <liqiang...@360.cn> > +Date: Mon, 12 Sep 2016 18:14:11 +0530 > +Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object > + > +When processing IO request in mptsas, it uses g_new to allocate > +a 'req' object. If an error occurs before 'req->sreq' is > +allocated, It could lead to an OOB write in mptsas_free_request > +function. Use g_new0 to avoid it. > + > +Reported-by: Li Qiang <liqiang...@360.cn> > +Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > +Message-Id: <1473684251-17476-1-git-send-email-ppan...@redhat.com> > +Cc: qemu-sta...@nongnu.org > +Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> > +--- > + hw/scsi/mptsas.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c > +index 0e0a22f..eaae1bb 100644 > +--- a/hw/scsi/mptsas.c > ++++ b/hw/scsi/mptsas.c > +@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, > + goto bad; > + } > + > +- req = g_new(MPTSASRequest, 1); > ++ req = g_new0(MPTSASRequest, 1); > + QTAILQ_INSERT_TAIL(&s->pending, req, next); > + req->scsi_io = *scsi_io; > + req->dev = s; > +-- > +2.1.4 > + > diff --git a/debian/patches/series b/debian/patches/series > index d1470ba..d6aab89 100644 > --- a/debian/patches/series > +++ b/debian/patches/series 
> @@ -74,3 +74,6 @@ extra/0003-9pfs-handle-walk-of-.-in-the-root-directory.patch > > extra/CVE-2016-7155-scsi-check-page-count-while-initialising-descriptor-.patch > > extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch > extra/CVE-2016-7157-scsi-mptconfig-fix-an-assert-expression.patch > +extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch > +extra/CVE-2016-7421-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch > +extra/CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch > -- > 2.1.4 > > > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
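Review bot: the mptsas hunk makes the error path safe only if mptsas_free_request treats a NULL req->sreq (and any other pointer member it touches) as "not yet allocated"; that function is outside the hunk, so the reviewer needs to confirm it checks the pointer before dereferencing it. Since the lines right after the allocation already assign req->scsi_io and req->dev explicitly, an explicit `req->sreq = NULL;` next to `req->dev = s;` would document the invariant at the site that depends on it rather than leaving it implied by the choice of allocator; switching to g_new0 is still fine as a belt-and-braces measure, but on its own it leaves the next person who adds a pointer field to MPTSASRequest without a hint that the error path relies on zero-initialisation.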