From b82b233664273b62240eb76e3610e3d53a3cbce5 Mon Sep 17 00:00:00 2001 From: Michael Young Date: Jun 14 2016 09:10:05 +0000 Subject: Qemu: scsi: esp: OOB r/w access while processing ESP_FIFO [CVE-2016-5338] (#1343323) Qemu: scsi: megasas: information leakage in megasas_ctrl_get_info [CVE-2016-5337] (#1343909) --- diff --git a/qemu.CVE-2016-5337.patch b/qemu.CVE-2016-5337.patch new file mode 100644 index 0000000..0c67aeb --- /dev/null +++ b/qemu.CVE-2016-5337.patch @@ -0,0 +1,37 @@ +------------------------------------------------------------------------ +*From*: Paolo Bonzini +*Subject*: [Qemu-devel] [PULL 06/13] scsi: megasas: null terminate bios +version buffer +*Date*: Tue, 7 Jun 2016 19:08:34 +0200 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +While reading information via 'megasas_ctrl_get_info' routine, +a local bios version buffer isn't null terminated. Add the +terminating null byte to avoid any OOB access. + +Reported-by: Li Qiang +Reviewed-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Signed-off-by: Paolo Bonzini +--- + hw/scsi/megasas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/qemu-xen/hw/scsi/megasas.c b/tools/qemu-xen/hw/scsi/megasas.c +index cc66d36..a9ffc32 100644 +--- a/tools/qemu-xen/hw/scsi/megasas.c ++++ b/tools/qemu-xen/hw/scsi/megasas.c +@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + + ptr = memory_region_get_ram_ptr(&pci_dev->rom); + memcpy(biosver, ptr + 0x41, 31); ++ biosver[31] = 0; + memcpy(info.image_component[1].name, "BIOS", 4); + memcpy(info.image_component[1].version, biosver, + strlen((const char *)biosver)); +-- +1.8.3.1 + diff --git a/qemu.CVE-2016-5338.patch b/qemu.CVE-2016-5338.patch new file mode 100644 index 0000000..636f593 --- /dev/null +++ b/qemu.CVE-2016-5338.patch 
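Review bot: `biosver[31] = 0;` in the nested megasas hunk is only a complete fix if `biosver` is at least 32 bytes long; the declaration and the start of `megasas_ctrl_get_info` are outside the hunk, so that size should be confirmed against the qemu-xen copy of the file rather than assumed from upstream. The following `memcpy(info.image_component[1].version, biosver, strlen((const char *)biosver))` still copies up to 31 bytes, so the width of the `version` field (not visible here) must also be at least 31 or the overrun just moves into `info`. A comment on the added line, `/* ROM bytes are not NUL-terminated; terminate at 31 so strlen() below stays in bounds */`, would record why the terminator sits at index 31 and tie it to the 31-byte `memcpy` above it.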
@@ -0,0 +1,77 @@ +------------------------------------------------------------------------ +*From*: P J P +*Subject*: [Qemu-devel] [PATCH v3] scsi: esp: check TI buffer index +before read/write +*Date*: Mon, 6 Jun 2016 22:04:43 +0530 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte +FIFO buffers. One is used to handle commands and other is for +information transfer. Three control variables 'ti_rptr', +'ti_wptr' and 'ti_size' are used to control r/w access to the +information transfer buffer ti_buf[TI_BUFSZ=16]. In that, + +'ti_rptr' is used as read index, where read occurs. +'ti_wptr' is a write index, where write would occur. +'ti_size' indicates total bytes to be read from the buffer. + +While reading/writing to this buffer, index could exceed its +size. Add check to avoid OOB r/w access. + +Reported-by: Huawei PSIRT +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/esp.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +Update as per: + -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01326.html + +diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c +index c2f6f8f..4b94bbc 100644 +--- a/tools/qemu-xen/hw/scsi/esp.c ++++ b/tools/qemu-xen/hw/scsi/esp.c +@@ -403,19 +403,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr) + trace_esp_mem_readb(saddr, s->rregs[saddr]); + switch (saddr) { + case ESP_FIFO: +- if (s->ti_size > 0) { ++ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { ++ /* Data out. */ ++ qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n"); ++ s->rregs[ESP_FIFO] = 0; ++ esp_raise_irq(s); ++ } else if (s->ti_rptr < s->ti_wptr) { + s->ti_size--; +- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { +- /* Data out. 
*/ +- qemu_log_mask(LOG_UNIMP, +- "esp: PIO data read not implemented\n"); +- s->rregs[ESP_FIFO] = 0; +- } else { +- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; +- } ++ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; + esp_raise_irq(s); + } +- if (s->ti_size == 0) { ++ if (s->ti_rptr == s->ti_wptr) { + s->ti_rptr = 0; + s->ti_wptr = 0; + } +@@ -459,7 +457,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) + } else { + trace_esp_error_fifo_overrun(); + } +- } else if (s->ti_size == TI_BUFSZ - 1) { ++ } else if (s->ti_wptr == TI_BUFSZ - 1) { + trace_esp_error_fifo_overrun(); + } else { + s->ti_size++; +-- +2.5.5 + diff --git a/qemu.trad.CVE-2016-5338.patch b/qemu.trad.CVE-2016-5338.patch new file mode 100644 index 0000000..be36dca --- /dev/null +++ b/qemu.trad.CVE-2016-5338.patch 
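Review bot: In the nested `esp_reg_write` hunk the new guard `s->ti_wptr == TI_BUFSZ - 1` is an equality test on what appears to be the only bound before the `s->ti_buf[s->ti_wptr++]` store (the store itself follows the hunk, so this is inferred from the `s->ti_size++` context); a `>=` comparison, `} else if (s->ti_wptr >= TI_BUFSZ - 1) {`, costs nothing and keeps the index in range even if some other path ever leaves `ti_wptr` above the limit. The same equality test appears in the qemu-xen-traditional copy of this patch (qemu.trad.CVE-2016-5338.patch) and the suggestion applies there too. Separately, in `esp_reg_read` the `s->ti_size--` is now reached under `ti_rptr < ti_wptr` instead of `ti_size > 0`, so `ti_size` can go negative if it is ever updated independently of the two pointers; if that is intended, a short comment on the `else if` stating that the read/write pointers, not `ti_size`, are the authoritative bound would help the next reader.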
@@ -0,0 +1,76 @@ +------------------------------------------------------------------------ +*From*: P J P +*Subject*: [Qemu-devel] [PATCH v3] scsi: esp: check TI buffer index +before read/write +*Date*: Mon, 6 Jun 2016 22:04:43 +0530 + +------------------------------------------------------------------------ + +From: Prasad J Pandit + +The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte +FIFO buffers. One is used to handle commands and other is for +information transfer. Three control variables 'ti_rptr', +'ti_wptr' and 'ti_size' are used to control r/w access to the +information transfer buffer ti_buf[TI_BUFSZ=16]. In that, + +'ti_rptr' is used as read index, where read occurs. +'ti_wptr' is a write index, where write would occur. +'ti_size' indicates total bytes to be read from the buffer. + +While reading/writing to this buffer, index could exceed its +size. Add check to avoid OOB r/w access. + +Reported-by: Huawei PSIRT +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/esp.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +Update as per: + -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01326.html + +diff --git a/tools/qemu-xen-traditional/hw/esp.c b/tools/qemu-xen-traditional/hw/esp.c +index c2f6f8f..4b94bbc 100644 +--- a/tools/qemu-xen-traditional/hw/esp.c ++++ b/tools/qemu-xen-traditional/hw/esp.c +@@ -403,18 +403,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr) + DPRINTF("read reg[%d]: 0x%2.2x\n", saddr, s->rregs[saddr]); + switch (saddr) { + case ESP_FIFO: +- if (s->ti_size > 0) { ++ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { ++ /* Data out. */ ++ ESP_ERROR("PIO data read not implemented\n"); ++ s->rregs[ESP_FIFO] = 0; ++ esp_raise_irq(s); ++ } else if (s->ti_rptr < s->ti_wptr) { + s->ti_size--; +- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { +- /* Data out. 
*/ +- ESP_ERROR("PIO data read not implemented\n"); +- s->rregs[ESP_FIFO] = 0; +- } else { +- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; +- } ++ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; + esp_raise_irq(s); + } +- if (s->ti_size == 0) { ++ if (s->ti_rptr == s->ti_wptr) { + s->ti_rptr = 0; + s->ti_wptr = 0; + } +@@ -459,7 +457,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) + } else { + ESP_ERROR("fifo overrun\n"); + } +- } else if (s->ti_size == TI_BUFSZ - 1) { ++ } else if (s->ti_wptr == TI_BUFSZ - 1) { + ESP_ERROR("fifo overrun\n"); + } else { + s->ti_size++; +-- +2.5.5 + diff --git a/xen.spec b/xen.spec index a0937e3..41700a2 100644 --- a/xen.spec +++ b/xen.spec @@ -51,7 +51,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.5.3 -Release: 7%{?dist} +Release: 8%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -186,6 +186,9 @@ Patch120: qemu.CVE-2016-4454.3.patch Patch121: qemu.CVE-2016-4453.patch Patch122: qemu.CVE-2016-5238.patch Patch123: qemu.trad.CVE-2016-5238.patch +Patch124: qemu.CVE-2016-5338.patch +Patch125: qemu.trad.CVE-2016-5338.patch +Patch126: qemu.CVE-2016-5337.patch @@ -465,6 +468,9 @@ manage Xen virtual machines. %patch121 -p1 %patch122 -p1 %patch123 -p1 +%patch124 -p1 +%patch125 -p1 +%patch126 -p1 # stubdom sources cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom @@ -991,6 +997,12 @@ rm -rf %{buildroot} %endif %changelog +* Tue Jun 14 2016 Michael Young - 4.5.3-8 +- Qemu: scsi: esp: OOB r/w access while processing ESP_FIFO + [CVE-2016-5338] (#1343323) +- Qemu: scsi: megasas: information leakage in megasas_ctrl_get_info + [CVE-2016-5337] (#1343909) + * Sat Jun 04 2016 Michael Young - 4.5.3-7 - fix for CVE-2016-2858 doesn't build with qemu-xen enabled - Unsanitised guest input in libxl device handling code
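Review bot: The `index c2f6f8f..4b94bbc` line and the `hw/scsi/esp.c | 20 +++++++++-----------` / `9 insertions(+), 11 deletions(-)` diffstat in qemu.trad.CVE-2016-5338.patch are carried over verbatim from the qemu-xen version, but this hunk was hand-adapted to `tools/qemu-xen-traditional/hw/esp.c` (single-line `ESP_ERROR` in place of the two-line `qemu_log_mask`, hunk header `-403,18 +403,17`), so those metadata lines do not describe the file they precede. `patch -p1` ignores them, but a 3-way `git apply` would look up those blob ids and a reader comparing against upstream will be misled; dropping the `index` line or adding a line to the patch header such as `Backported to qemu-xen-traditional; hunk and diffstat differ from the upstream posting` would make the provenance clear.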