diff --git a/qemu.CVE-2016-4439.patch b/qemu.CVE-2016-4439.patch
new file mode 100644
index 0000000..61060d4
--- /dev/null
+++ b/qemu.CVE-2016-4439.patch
@@ -0,0 +1,44 @@
+------------------------------------------------------------------------
+*From*: P J P
+*Subject*: [Qemu-devel] [PATCH 1/2] scsi: check command buffer length
+before write(CVE-2016-4439)
+*Date*: Thu, 19 May 2016 16:09:30 +0530
+
+------------------------------------------------------------------------
+
+From: Prasad J Pandit
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer. While
+writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
+was missing to validate input length. Add check to avoid OOB write
+access.
+
+Fixes CVE-2016-4439
+Reported-by: Li Qiang
+
+Signed-off-by: Prasad J Pandit
+---
+ hw/scsi/esp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c
+index 8961be2..01497e6 100644
+--- a/tools/qemu-xen/hw/scsi/esp.c
++++ b/tools/qemu-xen/hw/scsi/esp.c
+@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
+ break;
+ case ESP_FIFO:
+ if (s->do_cmd) {
+- s->cmdbuf[s->cmdlen++] = val & 0xff;
++ if (s->cmdlen < TI_BUFSZ) {
++ s->cmdbuf[s->cmdlen++] = val & 0xff;
++ } else {
++ trace_esp_error_fifo_overrun();
++ }
+ } else if (s->ti_size == TI_BUFSZ - 1) {
+ trace_esp_error_fifo_overrun();
+ } else {
+--
+2.5.5
+
diff --git a/qemu.CVE-2016-4441.patch b/qemu.CVE-2016-4441.patch
new file mode 100644
index 0000000..7f8c1fa
--- /dev/null
+++ b/qemu.CVE-2016-4441.patch
@@ -0,0 +1,77 @@
+------------------------------------------------------------------------
+*From*: P J P
+*Subject*: [Qemu-devel] [PATCH 2/2] scsi: check dma length before
+reading scsi command(CVE-2016-4441)
+*Date*: Thu, 19 May 2016 16:09:31 +0530
+
+------------------------------------------------------------------------
+
+From: Prasad J Pandit
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() uses DMA to read scsi commands into this buffer.
+Add check to validate DMA length against buffer size to avoid any
+overrun.
+
+Fixes CVE-2016-4441
+Reported-by: Li Qiang
+
+Signed-off-by: Prasad J Pandit
+---
+ hw/scsi/esp.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c
+index 01497e6..591c817 100644
+--- a/tools/qemu-xen/hw/scsi/esp.c
++++ b/tools/qemu-xen/hw/scsi/esp.c
+@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
+ }
+ }
+
+-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ {
+ uint32_t dmalen;
+ int target;
+@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+ dmalen = s->rregs[ESP_TCLO];
+ dmalen |= s->rregs[ESP_TCMID] << 8;
+ dmalen |= s->rregs[ESP_TCHI] << 16;
++ if (dmalen > buflen) {
++ return 0;
++ }
+ s->dma_memory_read(s->dma_opaque, buf, dmalen);
+ } else {
+ dmalen = s->ti_size;
+@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
+ s->dma_cb = handle_satn;
+ return;
+ }
+- len = get_cmd(s, buf);
++ len = get_cmd(s, buf, sizeof(buf));
+ if (len)
+ do_cmd(s, buf);
+ }
+@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
+ s->dma_cb = handle_s_without_atn;
+ return;
+ }
+- len = get_cmd(s, buf);
++ len = get_cmd(s, buf, sizeof(buf));
+ if (len) {
+ do_busid_cmd(s, buf, 0);
+ }
+@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
+ s->dma_cb = handle_satn_stop;
+ return;
+ }
+- s->cmdlen = get_cmd(s, s->cmdbuf);
++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
+ if (s->cmdlen) {
+ trace_esp_handle_satn_stop(s->cmdlen);
+ s->do_cmd = 1;
+--
+2.5.5
+
diff --git a/qemu.CVE-2016-5105.patch b/qemu.CVE-2016-5105.patch
new file mode 100644
index 0000000..47f0d16
--- /dev/null
+++ b/qemu.CVE-2016-5105.patch
@@ -0,0 +1,40 @@
+------------------------------------------------------------------------
+*From*: P J P
+*Subject*: [Qemu-devel] [PATCH v2] scsi: megasas: initialise local
+configuration data buffer
+*Date*: Wed, 25 May 2016 17:41:44 +0530
+
+------------------------------------------------------------------------
+
+From: Prasad J Pandit
+
+When reading MegaRAID SAS controller configuration via MegaRAID
+Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
+uses an uninitialised local data buffer. Initialise this buffer
+to avoid stack information leakage.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Update as per
+ -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04402.html
+
+diff --git a/tools/qemu-xen/hw/scsi/megasas.c b/tools/qemu-xen/hw/scsi/megasas.c
+index dcbd3e1..bf642d4 100644
+--- a/tools/qemu-xen/hw/scsi/megasas.c
++++ b/tools/qemu-xen/hw/scsi/megasas.c
+@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
+
+ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
+ {
+- uint8_t data[4096];
++ uint8_t data[4096] = { 0 };
+ struct mfi_config_data *info;
+ int num_pd_disks = 0, array_offset, ld_offset;
+ BusChild *kid;
+--
+2.5.5
+
diff --git a/qemu.CVE-2016-5106.patch b/qemu.CVE-2016-5106.patch
new file mode 100644
index 0000000..baca1f1
--- /dev/null
+++ b/qemu.CVE-2016-5106.patch
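Review bot: The new bound in get_cmd() covers only the DMA path: in the `@@ -92,6 +92,9 @@` hunk the else branch still assigns `dmalen = s->ti_size;` with no comparison against `buflen`, so whether the non-DMA copy that follows is bounded depends on code outside the hunk and is worth confirming when carrying this backport. The same shape appears in qemu.trad.CVE-2016-4441.patch. A second, minor point: `buflen` is declared `uint8_t` while every caller passes `sizeof(...)`, a `size_t`; the narrowing is harmless for the 16- and 32-byte buffers here, but `size_t buflen` would make the contract self-evident and survive a larger buffer. get_cmd's body and the callers' surrounding declarations extend outside these hunks.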
@@ -0,0 +1,37 @@
+------------------------------------------------------------------------
+*From*: P J P
+*Subject*: [Qemu-devel] [PATCH 1/3] scsi: megasas: use appropriate
+property buffer size
+*Date*: Wed, 25 May 2016 16:01:29 +0530
+
+------------------------------------------------------------------------
+
+From: Prasad J Pandit
+
+When setting MegaRAID SAS controller properties via MegaRAID
+Firmware Interface(MFI) commands, a user supplied size parameter
+is used to set property value. Use appropriate size value to avoid
+OOB access issues.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/qemu-xen/hw/scsi/megasas.c b/tools/qemu-xen/hw/scsi/megasas.c
+index a63a581..dcbd3e1 100644
+--- a/tools/qemu-xen/hw/scsi/megasas.c
++++ b/tools/qemu-xen/hw/scsi/megasas.c
+@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
+ dcmd_size);
+ return MFI_STAT_INVALID_PARAMETER;
+ }
+- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
++ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
+ trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
+ return MFI_STAT_OK;
+ }
+--
+2.5.5
+
diff --git a/qemu.trad.CVE-2016-4439.patch b/qemu.trad.CVE-2016-4439.patch
new file mode 100644
index 0000000..6816695
--- /dev/null
+++ b/qemu.trad.CVE-2016-4439.patch
@@ -0,0 +1,44 @@
+------------------------------------------------------------------------
+*From*: P J P
+*Subject*: [Qemu-devel] [PATCH 1/2] scsi: check command buffer length
+before write(CVE-2016-4439)
+*Date*: Thu, 19 May 2016 16:09:30 +0530
+
+------------------------------------------------------------------------
+
+From: Prasad J Pandit
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer. While
+writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
+was missing to validate input length. Add check to avoid OOB write
+access.
+
+Fixes CVE-2016-4439
+Reported-by: Li Qiang
+
+Signed-off-by: Prasad J Pandit
+---
+ hw/scsi/esp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/qemu-xen-traditional/hw/esp.c b/tools/qemu-xen-traditional/hw/esp.c
+index 8961be2..01497e6 100644
+--- a/tools/qemu-xen-traditional/hw/esp.c
++++ b/tools/qemu-xen-traditional/hw/esp.c
+@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
+ break;
+ case ESP_FIFO:
+ if (s->do_cmd) {
+- s->cmdbuf[s->cmdlen++] = val & 0xff;
++ if (s->cmdlen < TI_BUFSZ) {
++ s->cmdbuf[s->cmdlen++] = val & 0xff;
++ } else {
++ ESP_ERROR("fifo overrun\n");
++ }
+ } else if (s->ti_size == TI_BUFSZ - 1) {
+ ESP_ERROR("fifo overrun\n");
+ } else {
+--
+2.5.5
+
diff --git a/qemu.trad.CVE-2016-4441.patch b/qemu.trad.CVE-2016-4441.patch
new file mode 100644
index 0000000..fab6a35
--- /dev/null
+++ b/qemu.trad.CVE-2016-4441.patch
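Review bot: The patch metadata in this file still describes the upstream hw/scsi/esp.c change rather than the traditional-qemu file it touches: the diffstat line `hw/scsi/esp.c | 6 +++++-` and `index 8961be2..01497e6 100644` sit above a diff whose paths are tools/qemu-xen-traditional/hw/esp.c. `patch -p1` ignores both, so the build is unaffected, but anyone auditing what this backport applies to is misled. qemu.trad.CVE-2016-4441.patch carries the same copied header, and there the `1 file changed, 7 insertions(+), 4 deletions(-)` summary also no longer matches its four hunks, which total 6 insertions and 3 deletions because the handle_s_without_atn hunk of the qemu-xen variant is absent. Regenerating or dropping the diffstat and index lines in both trad files would keep the headers honest.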
@@ -0,0 +1,68 @@
+------------------------------------------------------------------------
+*From*: P J P
+*Subject*: [Qemu-devel] [PATCH 2/2] scsi: check dma length before
+reading scsi command(CVE-2016-4441)
+*Date*: Thu, 19 May 2016 16:09:31 +0530
+
+------------------------------------------------------------------------
+
+From: Prasad J Pandit
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() uses DMA to read scsi commands into this buffer.
+Add check to validate DMA length against buffer size to avoid any
+overrun.
+
+Fixes CVE-2016-4441
+Reported-by: Li Qiang
+
+Signed-off-by: Prasad J Pandit
+---
+ hw/scsi/esp.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/qemu-xen-traditional/hw/esp.c b/tools/qemu-xen-traditional/hw/esp.c
+index 01497e6..591c817 100644
+--- a/tools/qemu-xen-traditional/hw/esp.c
++++ b/tools/qemu-xen-traditional/hw/esp.c
+@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
+ }
+ }
+
+-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ {
+ uint32_t dmalen;
+ int target;
+@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+ target = s->wregs[ESP_WBUSID] & BUSID_DID;
+ if (s->dma) {
+ dmalen = s->rregs[ESP_TCLO] | (s->rregs[ESP_TCMID] << 8);
++ if (dmalen > buflen) {
++ return 0;
++ }
+ s->dma_memory_read(s->dma_opaque, buf, dmalen);
+ } else {
+ dmalen = s->ti_size;
+@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
+ uint8_t buf[32];
+ int len;
+
+- len = get_cmd(s, buf);
++ len = get_cmd(s, buf, sizeof(buf));
+ if (len)
+ do_cmd(s, buf);
+ }
+@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
+
+ static void handle_satn_stop(ESPState *s)
+ {
+- s->cmdlen = get_cmd(s, s->cmdbuf);
++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
+ if (s->cmdlen) {
+ DPRINTF("Set ATN & Stop: 
cmdlen %d\n", s->cmdlen);
+ s->do_cmd = 1;
+--
+2.5.5
+
diff --git a/xen.modules.tidy.patch b/xen.modules.tidy.patch
deleted file mode 100644
index 35cf6f8..0000000
--- a/xen.modules.tidy.patch
+++ /dev/null
@@ -1,19 +0,0 @@
---- xen-4.6.1/tools/configure.orig 2016-05-14 19:41:52.823267045 +0100
-+++ xen-4.6.1/tools/configure 2016-05-14 19:54:54.847929632 +0100
-@@ -4125,15 +4125,8 @@
- xen-blkback
- xen-netback
- xen-pciback
--evtchn
--gntdev
--netbk
--blkbk
--xen-scsibk
--usbbk
--pciback
-+xen-scsiback
- xen-acpi-processor
--blktap2
- "
- ;;
- *)
diff --git a/xen.spec b/xen.spec
index acb38e4..8027f04 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.6.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -150,8 +150,15 @@ Patch108: xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch
 Patch109: xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch
 Patch110: xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch
 Patch111: xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
-Patch112: xen.modules.tidy.patch
 Patch113: xsa176.patch
+Patch114: xsa180-qemut.patch
+Patch115: xsa180-qemuu.patch
+Patch116: qemu.CVE-2016-4439.patch
+Patch117: qemu.trad.CVE-2016-4439.patch
+Patch118: qemu.CVE-2016-4441.patch
+Patch119: qemu.trad.CVE-2016-4441.patch
+Patch120: qemu.CVE-2016-5106.patch
+Patch121: qemu.CVE-2016-5105.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

@@ -403,8 +410,15 @@ manage Xen virtual machines.
 %patch109 -p1
 %patch110 -p1
 %patch111 -p1
-%patch112 -p1
 %patch113 -p1
+%patch114 -p1
+%patch115 -p1
+%patch116 -p1
+%patch117 -p1
+%patch118 -p1
+%patch119 -p1
+%patch120 -p1
+%patch121 -p1

 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -426,7 +440,7 @@ mkdir -p dist/install/boot/efi/efi/fedora
 export XEN_VENDORVERSION="-%{release}"
 export CFLAGS="$RPM_OPT_FLAGS"
 make %{?_smp_mflags} %{?efi_flags} prefix=/usr dist-xen
-./configure --prefix=%{_prefix} --libdir=%{_libdir} --with-system-seabios=%{seabiosloc} --with-system-qemu=/usr/bin/qemu-system-i386
+./configure --prefix=%{_prefix} --libdir=%{_libdir} --with-system-seabios=%{seabiosloc} --with-system-qemu=/usr/bin/qemu-system-i386 --with-linux-backend-modules="xen-evtchn xen-gntdev xen-gntalloc xen-blkback xen-netback xen-pciback xen-scsiback xen-acpi-processor"
 make %{?_smp_mflags} %{?ocaml_flags} prefix=/usr dist-tools
 make prefix=/usr dist-docs
 unset CFLAGS
@@ -934,6 +948,18 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Sat May 28 2016 Michael Young