gnu: qemu: Fix CVE-2017-{5667,5898,5931}.

* gnu/packages/patches/qemu-CVE-2017-5667.patch,
gnu/packages/patches/qemu-CVE-2017-5898.patch,
gnu/packages/patches/qemu-CVE-2017-5931.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
gnu/packages/qemu.scm (qemu)[source]: Use them.
This commit is contained in:
Leo Famulari 2017-02-12 09:20:08 -05:00
parent 2c20bf62db
commit 37acc8a07b
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
5 changed files with 152 additions and 1 deletions

View File

@ -870,7 +870,10 @@ dist_patch_DATA = \
%D%/packages/patches/qemu-CVE-2017-5552.patch \
%D%/packages/patches/qemu-CVE-2017-5578.patch \
%D%/packages/patches/qemu-CVE-2017-5579.patch \
%D%/packages/patches/qemu-CVE-2017-5667.patch \
%D%/packages/patches/qemu-CVE-2017-5856.patch \
%D%/packages/patches/qemu-CVE-2017-5898.patch \
%D%/packages/patches/qemu-CVE-2017-5931.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
%D%/packages/patches/rapicorn-isnan.patch \

View File

@ -0,0 +1,46 @@
Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):
http://seclists.org/oss-sec/2017/q1/243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667
Patch copied from upstream source repository:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9
From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 7 Feb 2017 18:29:59 +0000
Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
While doing multi block SDMA transfer in routine
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
index 'begin' and data length 's->data_count' could end up to be same.
This could lead to an OOB access issue. Correct transfer data length
to avoid it.
Cc: qemu-stable@nongnu.org
Reported-by: Jiang Xin <jiangxin1@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20170130064736.9236-1-ppandit@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/sd/sdhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 01fbf228be..5bd5ab6319 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
boundary_count -= block_size - begin;
}
dma_memory_read(&address_space_memory, s->sdmasysad,
- &s->fifo_buffer[begin], s->data_count);
+ &s->fifo_buffer[begin], s->data_count - begin);
s->sdmasysad += s->data_count - begin;
if (s->data_count == block_size) {
for (n = 0; n < block_size; n++) {
--
2.11.1

View File

@ -0,0 +1,44 @@
Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
http://seclists.org/oss-sec/2017/q1/328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
Patch copied from upstream source repository:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 3 Feb 2017 00:52:28 +0530
Subject: [PATCH] usb: ccid: check ccid apdu length
CCID device emulator uses Application Protocol Data Units(APDU)
to exchange command and responses to and from the host.
The length in these units couldn't be greater than 65536. Add
check to ensure the same. It'd also avoid potential integer
overflow in emulated_apdu_from_guest.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170202192228.10847-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/usb/dev-smartcard-reader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 89e11b68c4..1325ea1659 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
recv->hdr.bSeq, len);
ccid_add_pending_answer(s, (CCID_Header *)recv);
- if (s->card) {
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
ccid_card_apdu_from_guest(s->card, recv->abData, len);
} else {
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
--
2.11.1

View File

@ -0,0 +1,55 @@
Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests):
http://seclists.org/oss-sec/2017/q1/337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
Patch copied from upstream source repository:
http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
From: Gonglei <arei.gonglei@huawei.com>
Date: Tue, 3 Jan 2017 14:50:03 +0800
Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
Because the 'size_t' type is 4 bytes in 32-bit platform, which
is the same with 'int'. It's easy to make 'max_len' to zero when
integer overflow and then cause heap overflow if 'max_len' is zero.
Using uint_64 instead of size_t to avoid the integer overflow.
Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Tested-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/virtio-crypto.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 2f2467e859..c23e1ad458 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
uint32_t hash_start_src_offset = 0, len_to_hash = 0;
uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
- size_t max_len, curr_size = 0;
+ uint64_t max_len, curr_size = 0;
size_t s;
/* Plain cipher */
@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
return NULL;
}
- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
if (unlikely(max_len > vcrypto->conf.max_size)) {
virtio_error(vdev, "virtio-crypto too big length");
return NULL;
--
2.11.1

View File

@ -84,7 +84,10 @@ (define-public qemu
"qemu-CVE-2017-5552.patch"
"qemu-CVE-2017-5578.patch"
"qemu-CVE-2017-5579.patch"
"qemu-CVE-2017-5856.patch"))))
"qemu-CVE-2017-5667.patch"
"qemu-CVE-2017-5856.patch"
"qemu-CVE-2017-5898.patch"
"qemu-CVE-2017-5931.patch"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like: