From 464819d880188b90487dd79da080229a99b4bf40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20F=C3=B6rster?= Date: Thu, 24 Mar 2016 10:50:47 +0100 Subject: [PATCH] [app-emulation/qemu] sync with tree --- .../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ++++ .../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 ++++++++++++ .../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 ++++++ .../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 +++++++ .../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 ++++++++++ .../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 +++++ .../qemu/files/qemu-2.5.0-CVE-2016-2198.patch | 46 +++++ .../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ++++ .../qemu-2.5.0-rng-stack-corrupt-0.patch | 98 ++++++++++ .../qemu-2.5.0-rng-stack-corrupt-1.patch | 135 +++++++++++++ .../qemu-2.5.0-rng-stack-corrupt-2.patch | 155 +++++++++++++++ .../qemu-2.5.0-rng-stack-corrupt-3.patch | 179 ++++++++++++++++++ .../qemu/files/qemu-2.5.0-sysmacros.patch | 15 ++ .../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 +++++ .../qemu-2.5.0-usb-ndis-int-overflow.patch | 59 ++++++ ...u-2.5.0-r1.ebuild => qemu-2.5.0-r2.ebuild} | 18 +- 16 files changed, 1211 insertions(+), 1 deletion(-) create mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch create mode 100644 app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch rename app-emulation/qemu/{qemu-2.5.0-r1.ebuild => qemu-2.5.0-r2.ebuild} (95%) diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch new file mode 100644 index 0000000..61a52ee --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch @@ -0,0 +1,35 @@ +From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001 +From: P J P +Date: Mon, 21 Dec 2015 15:13:13 +0530 +Subject: [PATCH] scsi: initialise info object with appropriate size + +While processing controller 'CTRL_GET_INFO' command, the routine +'megasas_ctrl_get_info' overflows the '&info' object size. Use its +appropriate size to null initialise it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-Id: +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +Signed-off-by: P J P +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index d7dc667..576f56c 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + BusChild *kid; + int num_pd_disks = 0; + +- memset(&info, 0x0, cmd->iov_size); ++ memset(&info, 0x0, dcmd_size); + if (cmd->iov_size < dcmd_size) { + trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, + dcmd_size); +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch new file mode 100644 index 0000000..be67336 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch @@ -0,0 +1,121 @@ +From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Wed, 13 Jan 2016 09:09:58 +0100 +Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) + +When processing 'sendkey' command, hmp_sendkey routine null +terminates the 'keyname_buf' array. This results in an OOB +write issue, if 'keyname_len' was to fall outside of +'keyname_buf' array. + +Since the keyname's length is known the keyname_buf can be +removed altogether by adding a length parameter to +index_from_key() and using it for the error output as well. + +Reported-by: Ling Liu +Signed-off-by: Wolfgang Bumiller +Message-Id: <20160113080958.GA18934@olga> +[Comparison with "<" dumbed down, test for junk after strtoul() +tweaked] +Signed-off-by: Markus Armbruster +--- + hmp.c | 18 ++++++++---------- + include/ui/console.h | 2 +- + ui/input-legacy.c | 5 +++-- + 3 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/hmp.c b/hmp.c +index 54f2620..9c571f5 100644 +--- a/hmp.c ++++ b/hmp.c +@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) + int has_hold_time = qdict_haskey(qdict, "hold-time"); + int hold_time = qdict_get_try_int(qdict, "hold-time", -1); + Error *err = NULL; +- char keyname_buf[16]; + char *separator; + int keyname_len; + + while (1) { + separator = strchr(keys, '-'); + keyname_len = separator ? separator - keys : strlen(keys); +- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); + + /* Be compatible with old interface, convert user inputted "<" */ +- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { +- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); ++ if (keys[0] == '<' && keyname_len == 1) { ++ keys = "less"; + keyname_len = 4; + } +- keyname_buf[keyname_len] = 0; + + keylist = g_malloc0(sizeof(*keylist)); + keylist->value = g_malloc0(sizeof(*keylist->value)); +@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) + } + tmp = keylist; + +- if (strstart(keyname_buf, "0x", NULL)) { ++ if (strstart(keys, "0x", NULL)) { + char *endp; +- int value = strtoul(keyname_buf, &endp, 0); +- if (*endp != '\0') { ++ int value = strtoul(keys, &endp, 0); ++ assert(endp <= keys + keyname_len); ++ if (endp != keys + keyname_len) { + goto err_out; + } + keylist->value->type = KEY_VALUE_KIND_NUMBER; + keylist->value->u.number = value; + } else { +- int idx = index_from_key(keyname_buf); ++ int idx = index_from_key(keys, keyname_len); + if (idx == Q_KEY_CODE_MAX) { + goto err_out; + } +@@ -1789,7 +1787,7 @@ out: + return; + + err_out: +- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); ++ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); + goto out; + } + +diff --git a/include/ui/console.h b/include/ui/console.h +index adac36d..116bc2b 100644 +--- a/include/ui/console.h ++++ b/include/ui/console.h +@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires) + void curses_display_init(DisplayState *ds, int full_screen); + + /* input.c */ +-int index_from_key(const char *key); ++int index_from_key(const char *key, size_t key_length); + + /* gtk.c */ + void early_gtk_display_init(int opengl); +diff --git a/ui/input-legacy.c b/ui/input-legacy.c +index 35dfc27..3454055 100644 +--- a/ui/input-legacy.c ++++ b/ui/input-legacy.c +@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry { + static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers = + QTAILQ_HEAD_INITIALIZER(led_handlers); + +-int index_from_key(const char *key) ++int index_from_key(const char *key, size_t key_length) + { + int i; + + for (i = 0; QKeyCode_lookup[i] != NULL; i++) { +- if (!strcmp(key, QKeyCode_lookup[i])) { ++ if (!strncmp(key, QKeyCode_lookup[i], key_length) && ++ !QKeyCode_lookup[i][key_length]) { + break; + } + } +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch new file mode 100644 index 0000000..917fa2f --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch @@ -0,0 +1,58 @@ +From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001 +From: "Gabriel L. Somlo" +Date: Thu, 5 Nov 2015 09:32:50 -0500 +Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When calculating a pointer to the currently selected fw_cfg item, the +following is used: + + FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + +When s->cur_entry is FW_CFG_INVALID, we are calculating the address of +a non-existent element in s->entries[arch][...], which is undefined. + +This patch ensures the resulting entry pointer is set to NULL whenever +s->cur_entry is FW_CFG_INVALID. + +Reported-by: Laszlo Ersek +Reviewed-by: Laszlo Ersek +Signed-off-by: Gabriel Somlo +Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu +Cc: Marc MarĂ­ +Signed-off-by: Gabriel Somlo +Reviewed-by: Laszlo Ersek +Signed-off-by: Gerd Hoffmann +--- + hw/nvram/fw_cfg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index c2d3a0a..046fa74 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) + static uint8_t fw_cfg_read(FWCfgState *s) + { + int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + uint8_t ret; + + if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) +@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + } + + arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); +- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; ++ e = (s->cur_entry == FW_CFG_INVALID) ? NULL : ++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; + + if (dma.control & FW_CFG_DMA_CTL_READ) { + read = 1; +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch new file mode 100644 index 0000000..23c2341 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch @@ -0,0 +1,65 @@ +From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001 +From: P J P +Date: Fri, 18 Dec 2015 11:35:07 +0530 +Subject: [PATCH] i386: avoid null pointer dereference + + Hello, + +A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It +occurs while doing I/O port write operations via hmp interface. In that, +'current_cpu' remains null as it is not called from cpu_exec loop, which +results in the said issue. + +Below is a proposed (tested)patch to fix this issue; Does it look okay? + +=== +From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 18 Dec 2015 11:16:07 +0530 +Subject: [PATCH] i386: avoid null pointer dereference + +When I/O port write operation is called from hmp interface, +'current_cpu' remains null, as it is not called from cpu_exec() +loop. This leads to a null pointer dereference in vapic_write +routine. Add check to avoid it. + +Reported-by: Ling Liu +Signed-off-by: Prasad J Pandit +Message-Id: +Signed-off-by: Paolo Bonzini +Signed-off-by: P J P +--- + hw/i386/kvmvapic.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c +index c6d34b2..f0922da 100644 +--- a/hw/i386/kvmvapic.c ++++ b/hw/i386/kvmvapic.c +@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) + static void vapic_write(void *opaque, hwaddr addr, uint64_t data, + unsigned int size) + { +- CPUState *cs = current_cpu; +- X86CPU *cpu = X86_CPU(cs); +- CPUX86State *env = &cpu->env; +- hwaddr rom_paddr; + VAPICROMState *s = opaque; ++ X86CPU *cpu; ++ CPUX86State *env; ++ hwaddr rom_paddr; + +- cpu_synchronize_state(cs); ++ if (!current_cpu) { ++ return; ++ } ++ ++ cpu_synchronize_state(current_cpu); ++ cpu = X86_CPU(current_cpu); ++ env = &cpu->env; + + /* + * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch new file mode 100644 index 0000000..2922193 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch @@ -0,0 +1,98 @@ +From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 19 Jan 2016 14:17:20 +0100 +Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer + start + +The start_xmit() and e1000_receive_iov() functions implement DMA transfers +iterating over a set of descriptors that the guest's e1000 driver +prepares: + +- the TDLEN and RDLEN registers store the total size of the descriptor + area, + +- while the TDH and RDH registers store the offset (in whole tx / rx + descriptors) into the area where the transfer is supposed to start. + +Each time a descriptor is processed, the TDH and RDH register is bumped +(as appropriate for the transfer direction). + +QEMU already contains logic to deal with bogus transfers submitted by the +guest: + +- Normally, the transmit case wants to increase TDH from its initial value + to TDT. (TDT is allowed to be numerically smaller than the initial TDH + value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe + that QEMU currently has here is a check against reaching the original + TDH value again -- a complete wraparound, which should never happen. + +- In the receive case RDH is increased from its initial value until + "total_size" bytes have been received; preferably in a single step, or + in "s->rxbuf_size" byte steps, if the latter is smaller. However, null + RX descriptors are skipped without receiving data, while RDH is + incremented just the same. QEMU tries to prevent an infinite loop + (processing only null RX descriptors) by detecting whether RDH assumes + its original value during the loop. (Again, wrapping from RDLEN to 0 is + normal.) + +What both directions miss is that the guest could program TDLEN and RDLEN +so low, and the initial TDH and RDH so high, that these registers will +immediately be truncated to zero, and then never reassume their initial +values in the loop -- a full wraparound will never occur. + +The condition that expresses this is: + + xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) + +i.e., TDH or RDH start out after the last whole rx or tx descriptor that +fits into the TDLEN or RDLEN sized area. + +This condition could be checked before we enter the loops, but +pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for +bogus DMA addresses, so we just extend the existing failsafes with the +above condition. + +This is CVE-2016-1981. + +Cc: "Michael S. Tsirkin" +Cc: Petr Matousek +Cc: Stefano Stabellini +Cc: Prasad Pandit +Cc: Michael Roth +Cc: Jason Wang +Cc: qemu-stable@nongnu.org +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 +Signed-off-by: Laszlo Ersek +Reviewed-by: Jason Wang +Signed-off-by: Jason Wang +--- + hw/net/e1000.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index 4eda7a3..0387fa0 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -909,7 +909,8 @@ start_xmit(E1000State *s) + * bogus values to TDT/TDLEN. + * there's nothing too intelligent we could do about this. + */ +- if (s->mac_reg[TDH] == tdh_start) { ++ if (s->mac_reg[TDH] == tdh_start || ++ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { + DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", + tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); + break; +@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) + if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) + s->mac_reg[RDH] = 0; + /* see comment in start_xmit; same here */ +- if (s->mac_reg[RDH] == rdh_start) { ++ if (s->mac_reg[RDH] == rdh_start || ++ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { + DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", + rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); + set_ics(s, 0, E1000_ICS_RXO); +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch new file mode 100644 index 0000000..0ab7b02 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch @@ -0,0 +1,43 @@ +From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001 +From: John Snow +Date: Wed, 10 Feb 2016 13:29:40 -0500 +Subject: [PATCH] ahci: Do not unmap NULL addresses + +Definitely don't try to unmap a garbage address. + +Reported-by: Zuozhi fzz +Signed-off-by: John Snow +Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com +--- + hw/ide/ahci.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index 7e87b18..3a95dad 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad) + + static void ahci_unmap_fis_address(AHCIDevice *ad) + { ++ if (ad->res_fis == NULL) { ++ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n"); ++ return; ++ } + dma_memory_unmap(ad->hba->as, ad->res_fis, 256, + DMA_DIRECTION_FROM_DEVICE, 256); + ad->res_fis = NULL; +@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad) + + static void ahci_unmap_clb_address(AHCIDevice *ad) + { ++ if (ad->lst == NULL) { ++ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n"); ++ return; ++ } + dma_memory_unmap(ad->hba->as, ad->lst, 1024, + DMA_DIRECTION_FROM_DEVICE, 1024); + ad->lst = NULL; +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch new file mode 100644 index 0000000..d179c33 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch @@ -0,0 +1,46 @@ +From dff0367cf66f489aa772320fa2937a8cac1ca30d Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 29 Jan 2016 18:30:34 +0530 +Subject: [PATCH] usb: ehci: add capability mmio write function + +USB Ehci emulation supports host controller capability registers. +But its mmio '.write' function was missing, which lead to a null +pointer dereference issue. Add a do nothing 'ehci_caps_write' +definition to avoid it; Do nothing because capability registers +are Read Only(RO). + +Reported-by: Zuozhi Fzz +Signed-off-by: Prasad J Pandit +Message-id: 1454072434-16045-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 1b50601..0f95d0d 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -895,6 +895,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr, + return s->caps[addr]; + } + ++static void ehci_caps_write(void *ptr, hwaddr addr, ++ uint64_t val, unsigned size) ++{ ++} ++ + static uint64_t ehci_opreg_read(void *ptr, hwaddr addr, + unsigned size) + { +@@ -2315,6 +2320,7 @@ static void ehci_frame_timer(void *opaque) + + static const MemoryRegionOps ehci_mmio_caps_ops = { + .read = ehci_caps_read, ++ .write = ehci_caps_write, + .valid.min_access_size = 1, + .valid.max_access_size = 4, + .impl.min_access_size = 1, +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch new file mode 100644 index 0000000..e7aa5ca --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch @@ -0,0 +1,35 @@ +From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 11 Feb 2016 16:31:20 +0530 +Subject: [PATCH] usb: check USB configuration descriptor object + +When processing remote NDIS control message packets, the USB Net +device emulator checks to see if the USB configuration descriptor +object is of RNDIS type(2). But it does not check if it is null, +which leads to a null dereference error. Add check to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/dev-network.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c +index 985a629..5dc4538 100644 +--- a/hw/usb/dev-network.c ++++ b/hw/usb/dev-network.c +@@ -654,7 +654,8 @@ typedef struct USBNetState { + + static int is_rndis(USBNetState *s) + { +- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; ++ return s->dev.config ? ++ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; + } + + static int ndis_query(USBNetState *s, uint32_t oid, +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch new file mode 100644 index 0000000..684f6ad --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch @@ -0,0 +1,98 @@ +From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 09:37:15 +0100 +Subject: [PATCH] rng: remove the unused request cancellation code + +rng_backend_cancel_requests had no callers and none of the code +deleted in this commit ever ran. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + backends/rng-egd.c | 12 ------------ + backends/rng.c | 9 --------- + include/sysemu/rng.h | 11 ----------- + 3 files changed, 32 deletions(-) + +diff --git a/backends/rng-egd.c b/backends/rng-egd.c +index 2de5cd5..0b2976a 100644 +--- a/backends/rng-egd.c ++++ b/backends/rng-egd.c +@@ -125,17 +125,6 @@ static void rng_egd_free_requests(RngEgd *s) + s->requests = NULL; + } + +-static void rng_egd_cancel_requests(RngBackend *b) +-{ +- RngEgd *s = RNG_EGD(b); +- +- /* We simply delete the list of pending requests. If there is data in the +- * queue waiting to be read, this is okay, because there will always be +- * more data than we requested originally +- */ +- rng_egd_free_requests(s); +-} +- + static void rng_egd_opened(RngBackend *b, Error **errp) + { + RngEgd *s = RNG_EGD(b); +@@ -213,7 +202,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data) + RngBackendClass *rbc = RNG_BACKEND_CLASS(klass); + + rbc->request_entropy = rng_egd_request_entropy; +- rbc->cancel_requests = rng_egd_cancel_requests; + rbc->opened = rng_egd_opened; + } + +diff --git a/backends/rng.c b/backends/rng.c +index b7820ef..2f2f3ee 100644 +--- a/backends/rng.c ++++ b/backends/rng.c +@@ -26,15 +26,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, + } + } + +-void rng_backend_cancel_requests(RngBackend *s) +-{ +- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); +- +- if (k->cancel_requests) { +- k->cancel_requests(s); +- } +-} +- + static bool rng_backend_prop_get_opened(Object *obj, Error **errp) + { + RngBackend *s = RNG_BACKEND(obj); +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h +index 858be8c..87b3ebe 100644 +--- a/include/sysemu/rng.h ++++ b/include/sysemu/rng.h +@@ -37,7 +37,6 @@ struct RngBackendClass + + void (*request_entropy)(RngBackend *s, size_t size, + EntropyReceiveFunc *receive_entropy, void *opaque); +- void (*cancel_requests)(RngBackend *s); + + void (*opened)(RngBackend *s, Error **errp); + }; +@@ -68,14 +67,4 @@ struct RngBackend + void rng_backend_request_entropy(RngBackend *s, size_t size, + EntropyReceiveFunc *receive_entropy, + void *opaque); +- +-/** +- * rng_backend_cancel_requests: +- * @s: the backend to cancel all pending requests in +- * +- * Cancels all pending requests submitted by @rng_backend_request_entropy. This +- * should be used by a device during reset or in preparation for live migration +- * to stop tracking any request. +- */ +-void rng_backend_cancel_requests(RngBackend *s); + #endif +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch new file mode 100644 index 0000000..44ba8a7 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch @@ -0,0 +1,135 @@ +From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 09:37:16 +0100 +Subject: [PATCH] rng: move request queue from RngEgd to RngBackend + +The 'requests' field now lives in the RngBackend parent class. +There are no functional changes in this commit. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + backends/rng-egd.c | 28 +++++++++------------------- + include/sysemu/rng.h | 11 +++++++++++ + 2 files changed, 20 insertions(+), 19 deletions(-) + +diff --git a/backends/rng-egd.c b/backends/rng-egd.c +index 0b2976a..b061362 100644 +--- a/backends/rng-egd.c ++++ b/backends/rng-egd.c +@@ -25,19 +25,8 @@ typedef struct RngEgd + + CharDriverState *chr; + char *chr_name; +- +- GSList *requests; + } RngEgd; + +-typedef struct RngRequest +-{ +- EntropyReceiveFunc *receive_entropy; +- uint8_t *data; +- void *opaque; +- size_t offset; +- size_t size; +-} RngRequest; +- + static void rng_egd_request_entropy(RngBackend *b, size_t size, + EntropyReceiveFunc *receive_entropy, + void *opaque) +@@ -66,7 +55,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, + size -= len; + } + +- s->requests = g_slist_append(s->requests, req); ++ s->parent.requests = g_slist_append(s->parent.requests, req); + } + + static void rng_egd_free_request(RngRequest *req) +@@ -81,7 +70,7 @@ static int rng_egd_chr_can_read(void *opaque) + GSList *i; + int size = 0; + +- for (i = s->requests; i; i = i->next) { ++ for (i = s->parent.requests; i; i = i->next) { + RngRequest *req = i->data; + size += req->size - req->offset; + } +@@ -94,8 +83,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) + RngEgd *s = RNG_EGD(opaque); + size_t buf_offset = 0; + +- while (size > 0 && s->requests) { +- RngRequest *req = s->requests->data; ++ while (size > 0 && s->parent.requests) { ++ RngRequest *req = s->parent.requests->data; + int len = MIN(size, req->size - req->offset); + + memcpy(req->data + req->offset, buf + buf_offset, len); +@@ -104,7 +93,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) + size -= len; + + if (req->offset == req->size) { +- s->requests = g_slist_remove_link(s->requests, s->requests); ++ s->parent.requests = g_slist_remove_link(s->parent.requests, ++ s->parent.requests); + + req->receive_entropy(req->opaque, req->data, req->size); + +@@ -117,12 +107,12 @@ static void rng_egd_free_requests(RngEgd *s) + { + GSList *i; + +- for (i = s->requests; i; i = i->next) { ++ for (i = s->parent.requests; i; i = i->next) { + rng_egd_free_request(i->data); + } + +- g_slist_free(s->requests); +- s->requests = NULL; ++ g_slist_free(s->parent.requests); ++ s->parent.requests = NULL; + } + + static void rng_egd_opened(RngBackend *b, Error **errp) +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h +index 87b3ebe..c744d82 100644 +--- a/include/sysemu/rng.h ++++ b/include/sysemu/rng.h +@@ -24,6 +24,7 @@ + #define RNG_BACKEND_CLASS(klass) \ + OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND) + ++typedef struct RngRequest RngRequest; + typedef struct RngBackendClass RngBackendClass; + typedef struct RngBackend RngBackend; + +@@ -31,6 +32,15 @@ typedef void (EntropyReceiveFunc)(void *opaque, + const void *data, + size_t size); + ++struct RngRequest ++{ ++ EntropyReceiveFunc *receive_entropy; ++ uint8_t *data; ++ void *opaque; ++ size_t offset; ++ size_t size; ++}; ++ + struct RngBackendClass + { + ObjectClass parent_class; +@@ -47,6 +57,7 @@ struct RngBackend + + /*< protected >*/ + bool opened; ++ GSList *requests; + }; + + /** +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch new file mode 100644 index 0000000..1cffcc5 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch @@ -0,0 +1,155 @@ +From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 09:37:17 +0100 +Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend + +RngBackend is now in charge of cleaning up the linked list on +instance finalization. It also exposes a function to finalize +individual RngRequest instances, called by its child classes. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + backends/rng-egd.c | 25 +------------------------ + backends/rng.c | 32 ++++++++++++++++++++++++++++++++ + include/sysemu/rng.h | 12 ++++++++++++ + 3 files changed, 45 insertions(+), 24 deletions(-) + +diff --git a/backends/rng-egd.c b/backends/rng-egd.c +index b061362..8f2bd16 100644 +--- a/backends/rng-egd.c ++++ b/backends/rng-egd.c +@@ -58,12 +58,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, + s->parent.requests = g_slist_append(s->parent.requests, req); + } + +-static void rng_egd_free_request(RngRequest *req) +-{ +- g_free(req->data); +- g_free(req); +-} +- + static int rng_egd_chr_can_read(void *opaque) + { + RngEgd *s = RNG_EGD(opaque); +@@ -93,28 +87,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) + size -= len; + + if (req->offset == req->size) { +- s->parent.requests = g_slist_remove_link(s->parent.requests, +- s->parent.requests); +- + req->receive_entropy(req->opaque, req->data, req->size); + +- rng_egd_free_request(req); ++ rng_backend_finalize_request(&s->parent, req); + } + } + } + +-static void rng_egd_free_requests(RngEgd *s) +-{ +- GSList *i; +- +- for (i = s->parent.requests; i; i = i->next) { +- rng_egd_free_request(i->data); +- } +- +- g_slist_free(s->parent.requests); +- s->parent.requests = NULL; +-} +- + static void rng_egd_opened(RngBackend *b, Error **errp) + { + RngEgd *s = RNG_EGD(b); +@@ -183,8 +162,6 @@ static void rng_egd_finalize(Object *obj) + } + + g_free(s->chr_name); +- +- rng_egd_free_requests(s); + } + + static void rng_egd_class_init(ObjectClass *klass, void *data) +diff --git a/backends/rng.c b/backends/rng.c +index 2f2f3ee..014cb9d 100644 +--- a/backends/rng.c ++++ b/backends/rng.c +@@ -64,6 +64,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp) + s->opened = true; + } + ++static void rng_backend_free_request(RngRequest *req) ++{ ++ g_free(req->data); ++ g_free(req); ++} ++ ++static void rng_backend_free_requests(RngBackend *s) ++{ ++ GSList *i; ++ ++ for (i = s->requests; i; i = i->next) { ++ rng_backend_free_request(i->data); ++ } ++ ++ g_slist_free(s->requests); ++ s->requests = NULL; ++} ++ ++void rng_backend_finalize_request(RngBackend *s, RngRequest *req) ++{ ++ s->requests = g_slist_remove(s->requests, req); ++ rng_backend_free_request(req); ++} ++ + static void rng_backend_init(Object *obj) + { + object_property_add_bool(obj, "opened", +@@ -72,6 +96,13 @@ static void rng_backend_init(Object *obj) + NULL); + } + ++static void rng_backend_finalize(Object *obj) ++{ ++ RngBackend *s = RNG_BACKEND(obj); ++ ++ rng_backend_free_requests(s); ++} ++ + static void rng_backend_class_init(ObjectClass *oc, void *data) + { + UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); +@@ -84,6 +115,7 @@ static const TypeInfo rng_backend_info = { + .parent = TYPE_OBJECT, + .instance_size = sizeof(RngBackend), + .instance_init = rng_backend_init, ++ .instance_finalize = rng_backend_finalize, + .class_size = sizeof(RngBackendClass), + .class_init = rng_backend_class_init, + .abstract = true, +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h +index c744d82..08a2eda 100644 +--- a/include/sysemu/rng.h ++++ b/include/sysemu/rng.h +@@ -78,4 +79,15 @@ struct RngBackend + void rng_backend_request_entropy(RngBackend *s, size_t size, + EntropyReceiveFunc *receive_entropy, + void *opaque); ++ ++/** ++ * rng_backend_free_request: ++ * @s: the backend that created the request ++ * @req: the request to finalize ++ * ++ * Used by child rng backend classes to finalize requests once they've been ++ * processed. The request is removed from the list of active requests and ++ * deleted. ++ */ ++void rng_backend_finalize_request(RngBackend *s, RngRequest *req); + #endif +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch new file mode 100644 index 0000000..ca9340a --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch @@ -0,0 +1,179 @@ +From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 3 Mar 2016 09:37:18 +0100 +Subject: [PATCH] rng: add request queue support to rng-random + +Requests are now created in the RngBackend parent class and the +code path is shared by both rng-egd and rng-random. + +This commit fixes the rng-random implementation which processed +only one request at a time and simply discarded all but the most +recent one. In the guest this manifested as delayed completion +of reads from virtio-rng, i.e. a read was completed only after +another read was issued. + +By switching rng-random to use the same request queue as rng-egd, +the unsafe stack-based allocation of the entropy buffer is +eliminated and replaced with g_malloc. + +Signed-off-by: Ladi Prosek +Reviewed-by: Amit Shah +Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com> +Signed-off-by: Amit Shah +--- + backends/rng-egd.c | 16 ++-------------- + backends/rng-random.c | 43 +++++++++++++++++++------------------------ + backends/rng.c | 13 ++++++++++++- + include/sysemu/rng.h | 3 +-- + 4 files changed, 34 insertions(+), 41 deletions(-) + +diff --git a/backends/rng-egd.c b/backends/rng-egd.c +index 8f2bd16..30332ed 100644 +--- a/backends/rng-egd.c ++++ b/backends/rng-egd.c +@@ -27,20 +27,10 @@ typedef struct RngEgd + char *chr_name; + } RngEgd; + +-static void rng_egd_request_entropy(RngBackend *b, size_t size, +- EntropyReceiveFunc *receive_entropy, +- void *opaque) ++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req) + { + RngEgd *s = RNG_EGD(b); +- RngRequest *req; +- +- req = g_malloc(sizeof(*req)); +- +- req->offset = 0; +- req->size = size; +- req->receive_entropy = receive_entropy; +- req->opaque = opaque; +- req->data = g_malloc(req->size); ++ size_t size = req->size; + + while (size > 0) { + uint8_t header[2]; +@@ -54,8 +44,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, + + size -= len; + } +- +- s->parent.requests = g_slist_append(s->parent.requests, req); + } + + static int rng_egd_chr_can_read(void *opaque) +diff --git a/backends/rng-random.c b/backends/rng-random.c +index 8cdad6a..a6cb385 100644 +--- a/backends/rng-random.c ++++ b/backends/rng-random.c +@@ -22,10 +22,6 @@ struct RndRandom + + int fd; + char *filename; +- +- EntropyReceiveFunc *receive_func; +- void *opaque; +- size_t size; + }; + + /** +@@ -38,36 +34,35 @@ struct RndRandom + static void entropy_available(void *opaque) + { + RndRandom *s = RNG_RANDOM(opaque); +- uint8_t buffer[s->size]; +- ssize_t len; + +- len = read(s->fd, buffer, s->size); +- if (len < 0 && errno == EAGAIN) { +- return; +- } +- g_assert(len != -1); ++ while (s->parent.requests != NULL) { ++ RngRequest *req = s->parent.requests->data; ++ ssize_t len; ++ ++ len = read(s->fd, req->data, req->size); ++ if (len < 0 && errno == EAGAIN) { ++ return; ++ } ++ g_assert(len != -1); + +- s->receive_func(s->opaque, buffer, len); +- s->receive_func = NULL; ++ req->receive_entropy(req->opaque, req->data, len); + ++ rng_backend_finalize_request(&s->parent, req); ++ } ++ ++ /* We've drained all requests, the fd handler can be reset. */ + qemu_set_fd_handler(s->fd, NULL, NULL, NULL); + } + +-static void rng_random_request_entropy(RngBackend *b, size_t size, +- EntropyReceiveFunc *receive_entropy, +- void *opaque) ++static void rng_random_request_entropy(RngBackend *b, RngRequest *req) + { + RndRandom *s = RNG_RANDOM(b); + +- if (s->receive_func) { +- s->receive_func(s->opaque, NULL, 0); ++ if (s->parent.requests == NULL) { ++ /* If there are no pending requests yet, we need to ++ * install our fd handler. */ ++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s); + } +- +- s->receive_func = receive_entropy; +- s->opaque = opaque; +- s->size = size; +- +- qemu_set_fd_handler(s->fd, entropy_available, NULL, s); + } + + static void rng_random_opened(RngBackend *b, Error **errp) +diff --git a/backends/rng.c b/backends/rng.c +index 014cb9d..277a41b 100644 +--- a/backends/rng.c ++++ b/backends/rng.c +@@ -20,9 +20,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, + void *opaque) + { + RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); ++ RngRequest *req; + + if (k->request_entropy) { +- k->request_entropy(s, size, receive_entropy, opaque); ++ req = g_malloc(sizeof(*req)); ++ ++ req->offset = 0; ++ req->size = size; ++ req->receive_entropy = receive_entropy; ++ req->opaque = opaque; ++ req->data = g_malloc(req->size); ++ ++ k->request_entropy(s, req); ++ ++ s->requests = g_slist_append(s->requests, req); + } + } + +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h +index 08a2eda..4fffd68 100644 +--- a/include/sysemu/rng.h ++++ b/include/sysemu/rng.h +@@ -45,8 +45,7 @@ struct RngBackendClass + { + ObjectClass parent_class; + +- void (*request_entropy)(RngBackend *s, size_t size, +- EntropyReceiveFunc *receive_entropy, void *opaque); ++ void (*request_entropy)(RngBackend *s, RngRequest *req); + + void (*opened)(RngBackend *s, Error **errp); + }; +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch new file mode 100644 index 0000000..f2e766d --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch @@ -0,0 +1,15 @@ +Linux C libs are moving away from implicit header pollution with sys/types.h + +--- a/include/qemu/osdep.h ++++ b/include/qemu/osdep.h +@@ -78,6 +78,10 @@ extern int daemon(int, int); + #include + #include + ++#ifdef __linux__ ++#include ++#endif ++ + #ifdef __OpenBSD__ + #include + #endif diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch new file mode 100644 index 0000000..2ddca3e --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch @@ -0,0 +1,52 @@ +From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 20 Jan 2016 01:26:46 +0530 +Subject: [PATCH] usb: check page select value while processing iTD + +While processing isochronous transfer descriptors(iTD), the page +select(PG) field value could lead to an OOB read access. Add +check to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index ab00268..93601d9 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci, + if (itd->transact[i] & ITD_XACT_ACTIVE) { + pg = get_field(itd->transact[i], ITD_XACT_PGSEL); + off = itd->transact[i] & ITD_XACT_OFFSET_MASK; +- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); +- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK); + len = get_field(itd->transact[i], ITD_XACT_LENGTH); + + if (len > max * mult) { + len = max * mult; + } +- +- if (len > BUFF_SIZE) { ++ if (len > BUFF_SIZE || pg > 6) { + return -1; + } + ++ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); + qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); + if (off + len > 4096) { + /* transfer crosses page border */ ++ if (pg == 6) { ++ return -1; /* avoid page pg + 1 */ ++ } ++ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); + uint32_t len2 = off + len - 4096; + uint32_t len1 = len - len2; + qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch new file mode 100644 index 0000000..da643fd --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch @@ -0,0 +1,59 @@ +From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 17 Feb 2016 00:23:41 +0530 +Subject: [PATCH] usb: check RNDIS buffer offsets & length + +When processing remote NDIS control message packets, +the USB Net device emulator uses a fixed length(4096) data buffer. +The incoming informationBufferOffset & Length combination could +overflow and cross that range. Check control message buffer +offsets and length to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/dev-network.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c +index 5dc4538..c6abd38 100644 +--- a/hw/usb/dev-network.c ++++ b/hw/usb/dev-network.c +@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s, + + bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; + buflen = le32_to_cpu(buf->InformationBufferLength); +- if (bufoffs + buflen > length) ++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { + return USB_RET_STALL; ++ } + + infobuflen = ndis_query(s, le32_to_cpu(buf->OID), + bufoffs + (uint8_t *) buf, buflen, infobuf, +@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s, + + bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; + buflen = le32_to_cpu(buf->InformationBufferLength); +- if (bufoffs + buflen > length) ++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { + return USB_RET_STALL; ++ } + + ret = ndis_set(s, le32_to_cpu(buf->OID), + bufoffs + (uint8_t *) buf, buflen); +@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p) + if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { + uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); + uint32_t size = le32_to_cpu(msg->DataLength); +- if (offs + size <= len) ++ if (offs < len && size < len && offs + size <= len) { + qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); ++ } + } + s->out_ptr -= len; + memmove(s->out_buf, &s->out_buf[len], s->out_ptr); +-- +2.7.4 + diff --git a/app-emulation/qemu/qemu-2.5.0-r1.ebuild b/app-emulation/qemu/qemu-2.5.0-r2.ebuild similarity index 95% rename from app-emulation/qemu/qemu-2.5.0-r1.ebuild rename to app-emulation/qemu/qemu-2.5.0-r2.ebuild index f4cbfe4..e13d9df 100644 --- a/app-emulation/qemu/qemu-2.5.0-r1.ebuild +++ b/app-emulation/qemu/qemu-2.5.0-r2.ebuild @@ -124,7 +124,11 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} media-libs/libsdl2[static-libs(+)] ) ) - seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) + seccomp? ( + arm? ( >=sys-libs/libseccomp-2.2.3[static-libs(+)] ) + arm64? ( >=sys-libs/libseccomp-2.2.3[static-libs(+)] ) + >=sys-libs/libseccomp-2.1.0[static-libs(+)] + ) smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] ) snappy? ( app-arch/snappy[static-libs(+)] ) spice? ( @@ -320,6 +324,18 @@ src_prepare() { epatch "${FILESDIR}"/${P}-CVE-2015-8701.patch #570110 epatch "${FILESDIR}"/${P}-CVE-2015-8743.patch #570988 epatch "${FILESDIR}"/${P}-CVE-2016-1568.patch #571566 + epatch "${FILESDIR}"/${P}-CVE-2015-8613.patch #569118 + epatch "${FILESDIR}"/${P}-CVE-2015-8619.patch #569300 + epatch "${FILESDIR}"/${P}-CVE-2016-1714.patch #571560 + epatch "${FILESDIR}"/${P}-CVE-2016-1922.patch #572082 + epatch "${FILESDIR}"/${P}-CVE-2016-1981.patch #572412 + epatch "${FILESDIR}"/${P}-usb-ehci-oob.patch #572454 + epatch "${FILESDIR}"/${P}-CVE-2016-2197.patch #573280 + epatch "${FILESDIR}"/${P}-CVE-2016-2198.patch #573314 + epatch "${FILESDIR}"/${P}-CVE-2016-2392.patch #574902 + epatch "${FILESDIR}"/${P}-usb-ndis-int-overflow.patch #575492 + epatch "${FILESDIR}"/${P}-rng-stack-corrupt-{0,1,2,3}.patch #576420 + epatch "${FILESDIR}"/${P}-sysmacros.patch # Fix ld and objcopy being called directly tc-export AR LD OBJCOPY