diff --git a/qemu.bug1389686.patch b/qemu.bug1389686.patch new file mode 100644 index 0000000..86bc5ec --- /dev/null +++ b/qemu.bug1389686.patch @@ -0,0 +1,89 @@ +From: Li Qiang + +The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest +originated offset: they must ensure this offset does not go beyond +the size of the extended attribute that was set in v9fs_xattrcreate(). +Unfortunately, the current code implement these checks with unsafe +calculations on 32 and 64 bit values, which may allow a malicious +guest to cause OOB access anyway. + +Fix this by comparing the offset and the xattr size, which are +both uint64_t, before trying to compute the effective number of bytes +to read or write. + +Suggested-by: Greg Kurz +Signed-off-by: Li Qiang +--- + +Changes since v2: +-make the solution of 'copied_len/len' in V9fsXattr type issue to a separate patch. +-add detailed changelog. + +Changes since v1: +-delete 'xattr_len'. + + hw/9pfs/9p.c | 32 ++++++++++++-------------------- + 1 file changed, 12 insertions(+), 20 deletions(-) + +diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +index e902eed..6df85b8 100644 +--- a/hw/9pfs/virtio-9p.c ++++ b/hw/9pfs/virtio-9p.c +@@ -1642,18 +1642,15 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, + { + ssize_t err; + size_t offset = 7; +- int read_count; +- int64_t xattr_len; ++ uint64_t read_count; + +- xattr_len = fidp->fs.xattr.len; +- read_count = xattr_len - off; ++ if (fidp->fs.xattr.len < off) { ++ read_count = 0; ++ } else { ++ read_count = fidp->fs.xattr.len - off; ++ } + if (read_count > max_count) { + read_count = max_count; +- } else if (read_count < 0) { +- /* +- * read beyond XATTR value +- */ +- read_count = 0; + } + err = pdu_marshal(pdu, offset, "d", read_count); + if (err < 0) { +@@ -1982,23 +1979,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, + { + int i, to_copy; + ssize_t err = 0; +- int write_count; +- int64_t xattr_len; ++ uint64_t write_count; + size_t offset = 7; + + +- xattr_len = fidp->fs.xattr.len; +- write_count = xattr_len - off; +- if (write_count > count) { +- write_count = count; +- } else if (write_count < 0) { +- /* +- * write beyond XATTR value len specified in +- * xattrcreate +- */ ++ if (fidp->fs.xattr.len < off) { + err = -ENOSPC; + goto out; + } ++ write_count = fidp->fs.xattr.len - off; ++ if (write_count > count) { ++ write_count = count; ++ } + err = pdu_marshal(pdu, offset, "d", write_count); + if (err < 0) { + return err; +-- +1.8.3.1 + diff --git a/qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch b/qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch new file mode 100644 index 0000000..b570e40 --- /dev/null +++ b/qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch @@ -0,0 +1,68 @@ +From 05f43d44e4bc26611ce25fd7d726e483f73363ce Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 10 Oct 2016 12:46:22 +0200 +Subject: [PATCH] xhci: limit the number of link trbs we are willing to process + +Needed to avoid we run in circles forever in case the guest builds +an endless loop with link trbs. + +Reported-by: Li Qiang +Tested-by: P J P +Signed-off-by: Gerd Hoffmann +Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com +--- + hw/usb/hcd-xhci.c | 10 ++++++++++ + 1 files changed, 10 insertions(+), 0 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 726435c..ee4fa48 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -54,6 +54,8 @@ + * to the specs when it gets them */ + #define ER_FULL_HACK + ++#define TRB_LINK_LIMIT 4 ++ + #define LEN_CAP 0x40 + #define LEN_OPER (0x400 + 0x10 * MAXPORTS) + #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) +@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + dma_addr_t *addr) + { + PCIDevice *pci_dev = PCI_DEVICE(xhci); ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + ring->dequeue += TRB_SIZE; + return type; + } else { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return 0; ++ } + ring->dequeue = xhci_mask64(trb->parameter); + if (trb->control & TRB_LK_TC) { + ring->ccs = !ring->ccs; +@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + bool ccs = ring->ccs; + /* hack to bundle together the two/three TDs that make a setup transfer */ + bool control_td_set = 0; ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + type = TRB_TYPE(trb); + + if (type == TR_LINK) { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return -length; ++ } + dequeue = xhci_mask64(trb.parameter); + if (trb.control & TRB_LK_TC) { + ccs = !ccs; +-- +1.7.0.4 + diff --git a/qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch b/qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch new file mode 100644 index 0000000..aac2fa5 --- /dev/null +++ b/qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch @@ -0,0 +1,37 @@ +From 3592fe0c919cf27a81d8e9f9b4f269553418bb01 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 12 Oct 2016 11:28:08 +0530 +Subject: [PATCH] char: serial: check divider value against baud base + +16550A UART device uses an oscillator to generate frequencies +(baud base), which decide communication speed. This speed could +be changed by dividing it by a divider. If the divider is +greater than the baud base, speed is set to zero, leading to a +divide by zero error. Add check to avoid it. + +Reported-by: Huawei PSIRT +Signed-off-by: Prasad J Pandit +Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/char/serial.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/hw/char/serial.c b/hw/char/serial.c +index 3442f47..eec72b7 100644 +--- a/hw/char/serial.c ++++ b/hw/char/serial.c +@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s) + int speed, parity, data_bits, stop_bits, frame_size; + QEMUSerialSetParams ssp; + +- if (s->divider == 0) ++ if (s->divider == 0 || s->divider > s->baudbase) { + return; ++ } + + /* Start bit. */ + frame_size = 1; +-- +1.7.0.4 + diff --git a/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch b/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch new file mode 100644 index 0000000..d06c597 --- /dev/null +++ b/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch @@ -0,0 +1,32 @@ +From 4c1586787ff43c9acd18a56c12d720e3e6be9f7c Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_link + +The v9fs_link() function keeps a reference on the source fid object. This +causes a memory leak since the reference never goes down to 0. This patch +fixes the issue. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, rephrased the changelog] +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +index 66135cf..d43a552 100644 +--- a/hw/9pfs/virtio-9p.c ++++ b/hw/9pfs/virtio-9p.c +@@ -2413,6 +2413,7 @@ static void coroutine_fn v9fs_link(void *opaque) + if (!err) { + err = offset; + } ++ put_fid(pdu, oldfidp); + out: + put_fid(pdu, dfidp); + out_nofid: +-- +1.7.0.4 + diff --git a/qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch b/qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch new file mode 100644 index 0000000..0cda3ac --- /dev/null +++ b/qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch @@ -0,0 +1,51 @@ +From 6be8f5e2626e102433e569d9cece2120baf0c879 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 24 Oct 2016 16:26:54 +0100 +Subject: [PATCH] timer: a9gtimer: remove loop to auto-increment comparator + +ARM A9MP processor has a peripheral timer with an auto-increment +register, which holds an increment step value. A user could set +this value to zero. When auto-increment control bit is enabled, +it leads to an infinite loop in 'a9_gtimer_update' while +updating comparator value. Remove this loop incrementing the +comparator value. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-id: 1476733226-11635-1-git-send-email-ppandit@redhat.com +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +--- + hw/timer/a9gtimer.c | 14 +++++++------- + 1 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c +index 772f85f..ce1dc63 100644 +--- a/hw/timer/a9gtimer.c ++++ b/hw/timer/a9gtimer.c +@@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync) + if ((s->control & R_CONTROL_TIMER_ENABLE) && + (gtb->control & R_CONTROL_COMP_ENABLE)) { + /* R2p0+, where the compare function is >= */ +- while (gtb->compare < update.new) { ++ if (gtb->compare < update.new) { + DB_PRINT("Compare event happened for CPU %d\n", i); + gtb->status = 1; +- if (gtb->control & R_CONTROL_AUTO_INCREMENT) { +- DB_PRINT("Auto incrementing timer compare by %" PRId32 "\n", +- gtb->inc); +- gtb->compare += gtb->inc; +- } else { +- break; ++ if (gtb->control & R_CONTROL_AUTO_INCREMENT && gtb->inc) { ++ uint64_t inc = ++ QEMU_ALIGN_UP(update.new - gtb->compare, gtb->inc); ++ DB_PRINT("Auto incrementing timer compare by %" ++ PRId64 "\n", inc); ++ gtb->compare += inc; + } + } + cdiff = (int64_t)gtb->compare - (int64_t)update.new + 1; +-- +1.7.0.4 + diff --git a/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch b/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch new file mode 100644 index 0000000..f217376 --- /dev/null +++ b/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch @@ -0,0 +1,58 @@ +From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: allocate space for guest originated empty strings + +If a guest sends an empty string paramater to any 9P operation, the current +code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. + +This is unfortunate because it can cause NULL pointer dereference to happen +at various locations in the 9pfs code. And we don't want to check str->data +everywhere we pass it to strcmp() or any other function which expects a +dereferenceable pointer. + +This patch enforces the allocation of genuine C empty strings instead, so +callers don't have to bother. + +Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if +the returned string is empty. It now uses v9fs_string_size() since +name.data cannot be NULL anymore. + +Signed-off-by: Li Qiang +[groug, rewritten title and changelog, + fix empty string check in v9fs_xattrwalk()] +Signed-off-by: Greg Kurz +--- + fsdev/9p-iov-marshal.c | 2 +- + hw/9pfs/9p.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fsdev/virtio-9p-marshal.c b/fsdev/9p-iov-marshal.c +index 663cad5..1d16f8d 100644 +--- a/fsdev/virtio-9p-marshal.c ++++ b/fsdev/virtio-9p-marshal.c +@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, + str->data = g_malloc(str->size + 1); + copied = v9fs_unpack(str->data, out_sg, out_num, offset, + str->size); +- if (copied > 0) { ++ if (copied >= 0) { + str->data[str->size] = 0; + } else { + v9fs_string_free(str); +diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/9p.c +index 119ee58..39a7e1d 100644 +--- a/hw/9pfs/virtio-9p.c ++++ b/hw/9pfs/virtio-9p.c +@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque) + goto out; + } + v9fs_path_copy(&xattr_fidp->path, &file_fidp->path); +- if (name.data == NULL) { ++ if (!v9fs_string_size(&name)) { + /* + * listxattr request. Get the size first + */ +-- +1.7.0.4 + diff --git a/qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch b/qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch new file mode 100644 index 0000000..b8ecc87 --- /dev/null +++ b/qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch @@ -0,0 +1,34 @@ +From c7c35916692fe010fef25ac338443d3fe40be225 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 21 Oct 2016 17:39:29 +0530 +Subject: [PATCH] net: rtl8139: limit processing of ring descriptors + +RTL8139 ethernet controller in C+ mode supports multiple +descriptor rings, each with maximum of 64 descriptors. While +processing transmit descriptor ring in 'rtl8139_cplus_transmit', +it does not limit the descriptor count and runs forever. Add +check to avoid it. + +Reported-by: Andrew Henderson +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/rtl8139.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c +index 3345bc6..f05e59c 100644 +--- a/hw/net/rtl8139.c ++++ b/hw/net/rtl8139.c +@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s) + { + int txcount = 0; + +- while (rtl8139_cplus_transmit_one(s)) ++ while (txcount < 64 && rtl8139_cplus_transmit_one(s)) + { + ++txcount; + } +-- +1.7.0.4 + diff --git a/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch b/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch new file mode 100644 index 0000000..2e17683 --- /dev/null +++ b/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch @@ -0,0 +1,39 @@ +From e95c9a493a5a8d6f969e86c9f19f80ffe6587e19 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read + +In 9pfs read dispatch function, it doesn't free two QEMUIOVector +object thus causing potential memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +index 39a7e1d..ff94a62 100644 +--- a/hw/9pfs/virtio-9p.c ++++ b/hw/9pfs/virtio-9p.c +@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque) + if (len < 0) { + /* IO error return the error */ + err = len; +- goto out; ++ goto out_free_iovec; + } + } while (count < max_count && len > 0); + err = pdu_marshal(pdu, offset, "d", count); + if (err < 0) { +- goto out; ++ goto out_free_iovec; + } + err += offset + count; ++out_free_iovec: + qemu_iovec_destroy(&qiov); + qemu_iovec_destroy(&qiov_full); + } else if (fidp->fid_type == P9_FID_XATTR) { +-- +1.7.0.4 + diff --git a/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch b/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch new file mode 100644 index 0000000..5518aae --- /dev/null +++ b/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch @@ -0,0 +1,32 @@ +From eb687602853b4ae656e9236ee4222609f3a6887d Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix information leak in xattr read + +9pfs uses g_malloc() to allocate the xattr memory space, if the guest +reads this memory before writing to it, this will leak host heap memory +to the guest. This patch avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +index 26aa7d5..bf23b01 100644 +--- a/hw/9pfs/virtio-9p.c ++++ b/hw/9pfs/virtio-9p.c +@@ -3282,7 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque) + xattr_fidp->fs.xattr.flags = flags; + v9fs_string_init(&xattr_fidp->fs.xattr.name); + v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); +- xattr_fidp->fs.xattr.value = g_malloc(size); ++ xattr_fidp->fs.xattr.value = g_malloc0(size); + err = offset; + put_fid(pdu, file_fidp); + out_nofid: +-- +1.7.0.4 + diff --git a/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch b/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch new file mode 100644 index 0000000..f231197 --- /dev/null +++ b/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch @@ -0,0 +1,33 @@ +From fdfcc9aeea1492f4b819a24c94dfb678145b1bf9 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_write + +If an error occurs when marshalling the transfer length to the guest, the +v9fs_write() function doesn't free an IO vector, thus leading to a memory +leak. This patch fixes the issue. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, rephrased the changelog] +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +index d43a552..e88cf25 100644 +--- a/hw/9pfs/virtio-9p.c ++++ b/hw/9pfs/virtio-9p.c +@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque) + offset = 7; + err = pdu_marshal(pdu, offset, "d", total); + if (err < 0) { +- goto out; ++ goto out_qiov; + } + err += offset; + trace_v9fs_write_return(pdu->tag, pdu->id, total, err); +-- +1.7.0.4 + diff --git a/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch b/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch new file mode 100644 index 0000000..48b3d5a --- /dev/null +++ b/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch @@ -0,0 +1,34 @@ +From ff55e94d23ae94c8628b0115320157c763eb3e06 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate + +The 'fs.xattr.value' field in V9fsFidState object doesn't consider the +situation that this field has been allocated previously. Every time, it +will be allocated directly. This leads to a host memory leak issue if +the client sends another Txattrcreate message with the same fid number +before the fid from the previous time got clunked. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, updated the changelog to indicate how the leak can occur] +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +index bf23b01..66135cf 100644 +--- a/hw/9pfs/virtio-9p.c ++++ b/hw/9pfs/virtio-9p.c +@@ -3282,6 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque) + xattr_fidp->fs.xattr.flags = flags; + v9fs_string_init(&xattr_fidp->fs.xattr.name); + v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); ++ g_free(xattr_fidp->fs.xattr.value); + xattr_fidp->fs.xattr.value = g_malloc0(size); + err = offset; + put_fid(pdu, file_fidp); +-- +1.7.0.4 + diff --git a/qemu.trad.CVE-2016-8669.patch b/qemu.trad.CVE-2016-8669.patch new file mode 100644 index 0000000..05abe36 --- /dev/null +++ b/qemu.trad.CVE-2016-8669.patch @@ -0,0 +1,37 @@ +From 3592fe0c919cf27a81d8e9f9b4f269553418bb01 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 12 Oct 2016 11:28:08 +0530 +Subject: [PATCH] char: serial: check divider value against baud base + +16550A UART device uses an oscillator to generate frequencies +(baud base), which decide communication speed. This speed could +be changed by dividing it by a divider. If the divider is +greater than the baud base, speed is set to zero, leading to a +divide by zero error. Add check to avoid it. + +Reported-by: Huawei PSIRT +Signed-off-by: Prasad J Pandit +Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/char/serial.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/hw/serial.c b/hw/serial.c +index 3442f47..eec72b7 100644 +--- a/hw/serial.c ++++ b/hw/serial.c +@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s) + int speed, parity, data_bits, stop_bits, frame_size; + QEMUSerialSetParams ssp; + +- if (s->divider == 0) ++ if (s->divider == 0 || s->divider > s->baudbase) { + return; ++ } + + frame_size = 1; + if (s->lcr & 0x08) { +-- +1.7.0.4 + diff --git a/qemu.trad.CVE-2016-8910.patch b/qemu.trad.CVE-2016-8910.patch new file mode 100644 index 0000000..ddb67b1 --- /dev/null +++ b/qemu.trad.CVE-2016-8910.patch @@ -0,0 +1,29 @@ +From: Prasad J Pandit + +RTL8139 ethernet controller in C+ mode supports multiple +descriptor rings, each with maximum of 64 descriptors. While +processing transmit descriptor ring in 'rtl8139_cplus_transmit', +it does not limit the descriptor count and runs forever. Add +check to avoid it. + +Reported-by: Andrew Henderson +Signed-off-by: Prasad J Pandit +--- + hw/net/rtl8139.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/rtl8139.c b/hw/rtl8139.c +index 3345bc6..f05e59c 100644 +--- a/hw/rtl8139.c ++++ b/hw/rtl8139.c +@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s) + { + int txcount = 0; + +- while (rtl8139_cplus_transmit_one(s)) ++ while (txcount < 64 && rtl8139_cplus_transmit_one(s)) + { + ++txcount; + } +-- +2.7.4 diff --git a/xen.spec b/xen.spec index 049e5a7..35b631e 100644 --- a/xen.spec +++ b/xen.spec @@ -51,7 +51,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.6.3 -Release: 6%{?dist} +Release: 7%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -158,6 +158,19 @@ Patch179: qemu.git-805b5d98c649d26fc44d2d7755a97f18e62b438a.patch Patch180: qemu.git-56f101ecce0eafd09e2daf1c4eeb1377d6959261.patch Patch181: qemu.git-a0d1cbdacff5df4ded16b753b38fdd9da6092968.patch Patch182: xsa190-4.6.patch +Patch183: qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch +Patch184: qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch +Patch185: qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch +Patch186: qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch +Patch187: qemu.trad.CVE-2016-8669.patch +Patch188: qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch +Patch189: qemu.trad.CVE-2016-8910.patch +Patch190: qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch +Patch191: qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch +Patch192: qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch +Patch193: qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch +Patch194: qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch +Patch195: qemu.bug1389686.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -413,6 +426,8 @@ manage Xen virtual machines. pushd tools/qemu-xen-traditional %patch169 -p1 %patch173 -p1 +%patch187 -p1 +%patch189 -p1 popd # qemu-xen patches @@ -424,6 +439,17 @@ pushd tools/qemu-xen %patch179 -p1 %patch180 -p1 %patch181 -p1 +%patch183 -p1 +%patch184 -p1 +%patch185 -p1 +%patch186 -p1 +%patch188 -p1 +%patch190 -p1 +%patch191 -p1 +%patch192 -p1 +%patch193 -p1 +%patch194 -p1 +%patch195 -p1 popd # stubdom sources @@ -954,6 +980,23 @@ rm -rf %{buildroot} %endif %changelog +* Sun Oct 30 2016 Michael Young - 4.6.3-7 +- Qemu: usb: xHCI: infinite loop vulnerability in xhci_ring_fetch + [CVE-2016-8576] (#1382323) +- Qemu: 9pfs: host memory leakage in v9fs_read [CVE-2016-8577] (#1383287) +- Qemu: 9pfs: allocate space for guest originated empty strings [CVE-2016-8578] + (#1383293) +- Qemu: char: divide by zero error in serial_update_parameters [CVE-2016-8669] + (#1384910) +- Qemu: net: rtl8139: infinite loop while transmit in C+ mode [CVE-2016-8910] + (#1388048) +- qemu-kvm: Infinite loop vulnerability in a9_gtimer_update() (#1388301) +- Qemu: 9pfs: information leakage via xattr (#1389644) +- Qemu: 9pfs: memory leakage when creating extended attribute (#1389552) +- Qemu: 9pfs: memory leakage in v9fs_link (#1389705) +- Qemu: 9pfs: memory leakage in v9fs_write (#1389714) +- Qemu: 9pfs: integer overflow leading to OOB access (#1389689) + * Tue Oct 04 2016 Michael Young - 4.6.3-6 - qemu-kvm: Directory traversal flaw in 9p virtio backend [CVE-2016-7116] (#1371400)