From 00938fca622f1d43cb84abbe91398c4760fcc11b Mon Sep 17 00:00:00 2001 From: Michael Young Date: Feb 15 2017 22:43:13 +0000 Subject: memory leak when destroying guest without PT devices [XSA-207] (#1422492) update patches for XSA-208 after upstream revision (no functional change) --- diff --git a/xen.spec b/xen.spec index 2f2e9f8..423d08c 100644 --- a/xen.spec +++ b/xen.spec @@ -41,7 +41,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.7.1 -Release: 7%{?dist} +Release: 8%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -167,7 +167,8 @@ Patch114: qemu.trad.CVE-2016-9776.patch Patch115: qemu.git-12351a91da97b414eec8cdb09f1d9f41e535a401.patch Patch116: qemu.git-069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da.patch Patch117: xsa208-qemut.patch -Patch118: xsa208-qemuu.patch +Patch118: xsa208-qemuu-4.7.patch +Patch119: xsa207.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel @@ -409,6 +410,7 @@ manage Xen virtual machines. %patch110 -p1 %patch111 -p1 %patch112 -p1 +%patch119 -p1 # qemu-xen-traditional patches pushd tools/qemu-xen-traditional @@ -927,6 +929,10 @@ rm -rf %{buildroot} %endif %changelog +* Wed Feb 15 2017 Michael Young - 4.7.1-8 +- memory leak when destroying guest without PT devices [XSA-207] (#1422492) +- update patches for XSA-208 after upstream revision (no functional change) + * Sun Feb 12 2017 Michael Young - 4.7.1-7 - Qemu: net: mcf_fec: infinite loop while receiving data in mcf_fec_receive [CVE-2016-9776] diff --git a/xsa207.patch b/xsa207.patch new file mode 100644 index 0000000..6fb86fc --- /dev/null +++ b/xsa207.patch @@ -0,0 +1,31 @@ +From: Oleksandr Tyshchenko +Subject: IOMMU: always call teardown callback + +There is a possible scenario when (d)->need_iommu remains unset +during guest domain execution. For example, when no devices +were assigned to it. Taking into account that teardown callback +is not called when (d)->need_iommu is unset we might have unreleased +resourses after destroying domain. + +So, always call teardown callback to roll back actions +that were performed in init callback. + +This is XSA-207. + +Signed-off-by: Oleksandr Tyshchenko +Reviewed-by: Jan Beulich +Tested-by: Jan Beulich +Tested-by: Julien Grall + +--- a/xen/drivers/passthrough/iommu.c ++++ b/xen/drivers/passthrough/iommu.c +@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain + if ( !iommu_enabled || !dom_iommu(d)->platform_ops ) + return; + +- if ( need_iommu(d) ) +- iommu_teardown(d); ++ iommu_teardown(d); + + arch_iommu_domain_destroy(d); + } diff --git a/xsa208-qemut.patch b/xsa208-qemut.patch index fa3bae0..5ea73c5 100644 --- a/xsa208-qemut.patch +++ b/xsa208-qemut.patch @@ -1,34 +1,43 @@ -From: Li Qiang +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) When doing bitblt copy in backward mode, we should minus the blt width first just like the adding in the forward mode. This can avoid the oob access of the front of vga's vram. -Signed-off-by: Li Qiang -Message-id: address@hidden +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang { kraxel: with backward blits (negative pitch) addr is the topmost address, so check it as-is against vram size ] [ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] -Cc: address@hidden -Cc: P J P -Cc: Laszlo Ersek -Cc: Paolo Bonzini -Cc: Wolfgang Bumiller +Cc: qemu-stable@nongnu.org +Cc: P J P +Cc: Laszlo Ersek +Cc: Paolo Bonzini +Cc: Wolfgang Bumiller Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann +Signed-off-by: Gerd Hoffmann +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek +Signed-off-by: Stefano Stabellini Signed-off-by: Ian Jackson --- - hw/display/cirrus_vga.c | 7 +++---- + hw/cirrus_vga.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c -index bdb092e..3bbe3d5 100644 +index e6c3893..364e22d 100644 --- a/hw/cirrus_vga.c +++ b/hw/cirrus_vga.c -@@ -307,10 +307,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, +@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, } if (pitch < 0) { int64_t min = addr @@ -42,3 +51,6 @@ index bdb092e..3bbe3d5 100644 return true; } } else { +-- +2.1.4 + diff --git a/xsa208-qemuu-4.7.patch b/xsa208-qemuu-4.7.patch new file mode 100644 index 0000000..256e97e --- /dev/null +++ b/xsa208-qemuu-4.7.patch @@ -0,0 +1,53 @@ +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +Cc: qemu-stable@nongnu.org +Cc: P J P +Cc: Laszlo Ersek +Cc: Paolo Bonzini +Cc: Wolfgang Bumiller +Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) +Signed-off-by: Gerd Hoffmann +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek +Signed-off-by: Stefano Stabellini +--- + hw/display/cirrus_vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 5198037..7bf3707 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + } + if (pitch < 0) { + int64_t min = addr +- + ((int64_t)s->cirrus_blt_height-1) * pitch; +- int32_t max = addr +- + s->cirrus_blt_width; +- if (min < 0 || max >= s->vga.vram_size) { ++ + ((int64_t)s->cirrus_blt_height - 1) * pitch ++ - s->cirrus_blt_width; ++ if (min < -1 || addr >= s->vga.vram_size) { + return true; + } + } else { +-- +2.1.4 + diff --git a/xsa208-qemuu.patch b/xsa208-qemuu.patch deleted file mode 100644 index 242bbaf..0000000 --- a/xsa208-qemuu.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Li Qiang - -When doing bitblt copy in backward mode, we should minus the -blt width first just like the adding in the forward mode. This -can avoid the oob access of the front of vga's vram. - -Signed-off-by: Li Qiang -Message-id: address@hidden - -{ kraxel: with backward blits (negative pitch) addr is the topmost - address, so check it as-is against vram size ] - -[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] - -Cc: address@hidden -Cc: P J P -Cc: Laszlo Ersek -Cc: Paolo Bonzini -Cc: Wolfgang Bumiller -Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index bdb092e..3bbe3d5 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - } - if (pitch < 0) { - int64_t min = addr -- + ((int64_t)s->cirrus_blt_height-1) * pitch; -- int32_t max = addr -- + s->cirrus_blt_width; -- if (min < 0 || max >= s->vga.vram_size) { -+ + ((int64_t)s->cirrus_blt_height - 1) * pitch -+ - s->cirrus_blt_width; -+ if (min < -1 || addr >= s->vga.vram_size) { - return true; - } - } else { --- -1.8.3.1