gnu: qemu: Fix CVE-2017-{5667,5898,5931}.
* gnu/packages/patches/qemu-CVE-2017-5667.patch, gnu/packages/patches/qemu-CVE-2017-5898.patch, gnu/packages/patches/qemu-CVE-2017-5931.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. gnu/packages/qemu.scm (qemu)[source]: Use them.
This commit is contained in:
parent
2c20bf62db
commit
37acc8a07b
@ -870,7 +870,10 @@ dist_patch_DATA = \
|
||||
%D%/packages/patches/qemu-CVE-2017-5552.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-5578.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-5579.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-5667.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-5856.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-5898.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-5931.patch \
|
||||
%D%/packages/patches/qt4-ldflags.patch \
|
||||
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
|
||||
%D%/packages/patches/rapicorn-isnan.patch \
|
||||
|
46
gnu/packages/patches/qemu-CVE-2017-5667.patch
Normal file
46
gnu/packages/patches/qemu-CVE-2017-5667.patch
Normal file
@ -0,0 +1,46 @@
|
||||
Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):
|
||||
|
||||
http://seclists.org/oss-sec/2017/q1/243
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9
|
||||
|
||||
From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 7 Feb 2017 18:29:59 +0000
|
||||
Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
|
||||
|
||||
While doing multi block SDMA transfer in routine
|
||||
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
|
||||
index 'begin' and data length 's->data_count' could end up to be same.
|
||||
This could lead to an OOB access issue. Correct transfer data length
|
||||
to avoid it.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Jiang Xin <jiangxin1@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Message-id: 20170130064736.9236-1-ppandit@redhat.com
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
---
|
||||
hw/sd/sdhci.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||
index 01fbf228be..5bd5ab6319 100644
|
||||
--- a/hw/sd/sdhci.c
|
||||
+++ b/hw/sd/sdhci.c
|
||||
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||
boundary_count -= block_size - begin;
|
||||
}
|
||||
dma_memory_read(&address_space_memory, s->sdmasysad,
|
||||
- &s->fifo_buffer[begin], s->data_count);
|
||||
+ &s->fifo_buffer[begin], s->data_count - begin);
|
||||
s->sdmasysad += s->data_count - begin;
|
||||
if (s->data_count == block_size) {
|
||||
for (n = 0; n < block_size; n++) {
|
||||
--
|
||||
2.11.1
|
||||
|
44
gnu/packages/patches/qemu-CVE-2017-5898.patch
Normal file
44
gnu/packages/patches/qemu-CVE-2017-5898.patch
Normal file
@ -0,0 +1,44 @@
|
||||
Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
|
||||
|
||||
http://seclists.org/oss-sec/2017/q1/328
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
|
||||
|
||||
From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 3 Feb 2017 00:52:28 +0530
|
||||
Subject: [PATCH] usb: ccid: check ccid apdu length
|
||||
|
||||
CCID device emulator uses Application Protocol Data Units(APDU)
|
||||
to exchange command and responses to and from the host.
|
||||
The length in these units couldn't be greater than 65536. Add
|
||||
check to ensure the same. It'd also avoid potential integer
|
||||
overflow in emulated_apdu_from_guest.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20170202192228.10847-1-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/usb/dev-smartcard-reader.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
|
||||
index 89e11b68c4..1325ea1659 100644
|
||||
--- a/hw/usb/dev-smartcard-reader.c
|
||||
+++ b/hw/usb/dev-smartcard-reader.c
|
||||
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
|
||||
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
|
||||
recv->hdr.bSeq, len);
|
||||
ccid_add_pending_answer(s, (CCID_Header *)recv);
|
||||
- if (s->card) {
|
||||
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
|
||||
ccid_card_apdu_from_guest(s->card, recv->abData, len);
|
||||
} else {
|
||||
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
|
||||
--
|
||||
2.11.1
|
||||
|
55
gnu/packages/patches/qemu-CVE-2017-5931.patch
Normal file
55
gnu/packages/patches/qemu-CVE-2017-5931.patch
Normal file
@ -0,0 +1,55 @@
|
||||
Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests):
|
||||
|
||||
http://seclists.org/oss-sec/2017/q1/337
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
|
||||
|
||||
From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
|
||||
From: Gonglei <arei.gonglei@huawei.com>
|
||||
Date: Tue, 3 Jan 2017 14:50:03 +0800
|
||||
Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
|
||||
|
||||
Because the 'size_t' type is 4 bytes in 32-bit platform, which
|
||||
is the same with 'int'. It's easy to make 'max_len' to zero when
|
||||
integer overflow and then cause heap overflow if 'max_len' is zero.
|
||||
|
||||
Using uint_64 instead of size_t to avoid the integer overflow.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
|
||||
Tested-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
---
|
||||
hw/virtio/virtio-crypto.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
|
||||
index 2f2467e859..c23e1ad458 100644
|
||||
--- a/hw/virtio/virtio-crypto.c
|
||||
+++ b/hw/virtio/virtio-crypto.c
|
||||
@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
|
||||
uint32_t hash_start_src_offset = 0, len_to_hash = 0;
|
||||
uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
|
||||
|
||||
- size_t max_len, curr_size = 0;
|
||||
+ uint64_t max_len, curr_size = 0;
|
||||
size_t s;
|
||||
|
||||
/* Plain cipher */
|
||||
@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
|
||||
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
|
||||
if (unlikely(max_len > vcrypto->conf.max_size)) {
|
||||
virtio_error(vdev, "virtio-crypto too big length");
|
||||
return NULL;
|
||||
--
|
||||
2.11.1
|
||||
|
@ -84,7 +84,10 @@ (define-public qemu
|
||||
"qemu-CVE-2017-5552.patch"
|
||||
"qemu-CVE-2017-5578.patch"
|
||||
"qemu-CVE-2017-5579.patch"
|
||||
"qemu-CVE-2017-5856.patch"))))
|
||||
"qemu-CVE-2017-5667.patch"
|
||||
"qemu-CVE-2017-5856.patch"
|
||||
"qemu-CVE-2017-5898.patch"
|
||||
"qemu-CVE-2017-5931.patch"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
'(;; Running tests in parallel can occasionally lead to failures, like:
|
||||
|
Loading…
Reference in New Issue
Block a user