From 49ac6dbb0ae8386fd7da5d751107ba7a6aab44ad Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 16 Mar 2017 14:58:13 -0400 Subject: gnu: qemu: Fix CVE-2017-{2620,2630}. * gnu/packages/patches/qemu-CVE-2017-2620.patch, gnu/packages/patches/qemu-CVE-2017-2630.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/qemu.scm (qemu)[source]: Use them. --- gnu/local.mk | 2 + gnu/packages/patches/qemu-CVE-2017-2620.patch | 134 ++++++++++++++++++++++++++ gnu/packages/patches/qemu-CVE-2017-2630.patch | 47 +++++++++ gnu/packages/qemu.scm | 2 + 4 files changed, 185 insertions(+) create mode 100644 gnu/packages/patches/qemu-CVE-2017-2620.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-2630.patch diff --git a/gnu/local.mk b/gnu/local.mk index c1a15e94ff..2cc5d546b3 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -877,6 +877,8 @@ dist_patch_DATA = \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ %D%/packages/patches/qemu-CVE-2016-10155.patch \ %D%/packages/patches/qemu-CVE-2017-2615.patch \ + %D%/packages/patches/qemu-CVE-2017-2620.patch \ + %D%/packages/patches/qemu-CVE-2017-2630.patch \ %D%/packages/patches/qemu-CVE-2017-5525.patch \ %D%/packages/patches/qemu-CVE-2017-5526.patch \ %D%/packages/patches/qemu-CVE-2017-5552.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch new file mode 100644 index 0000000000..d3111827b7 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-2620.patch @@ -0,0 +1,134 @@ +Fix CVE-2017-2620: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620 +https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html + +Both patches copied from upstream source repository: + +Fixes CVE-2017-2620: +http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298 + +The CVE-2017-2620 bug-fix depends on this earlier patch: +http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061 + +From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 8 Feb 2017 11:18:36 +0100 +Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo + (CVE-2017-2620) + +CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination +and blit width, at all. Oops. Fix it. + +Security impact: high. + +The missing blit destination check allows to write to host memory. +Basically same as CVE-2014-8106 for the other blit variants. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann +--- + hw/display/cirrus_vga.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 1deb52070a..b9e7cb1df1 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + { + int w; + ++ if (blit_is_unsafe(s, true)) { ++ return 0; ++ } ++ + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; + s->cirrus_srcptr = &s->cirrus_bltbuf[0]; + s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; +@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + } + s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; + } ++ ++ /* the blit_is_unsafe call above should catch this */ ++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); ++ + s->cirrus_srcptr = s->cirrus_bltbuf; + s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; + cirrus_update_memory_access(s); +-- +2.12.0 + +From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Mon, 9 Jan 2017 13:35:20 -0700 +Subject: [PATCH] display: cirrus: ignore source pitch value as needed in + blit_is_unsafe + +Commit 4299b90 added a check which is too broad, given that the source +pitch value is not required to be initialized for solid fill operations. +This patch refines the blit_is_unsafe() check to ignore source pitch in +that case. After applying the above commit as a security patch, we +noticed the SLES 11 SP4 guest gui failed to initialize properly. + +Signed-off-by: Bruce Rogers +Message-id: 20170109203520.5619-1-brogers@suse.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/cirrus_vga.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index bdb092ee9d..379910db2d 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + return false; + } + +-static bool blit_is_unsafe(struct CirrusVGAState *s) ++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) + { + /* should be the case, see cirrus_bitblt_start */ + assert(s->cirrus_blt_width > 0); +@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) + s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { + return true; + } ++ if (dst_only) { ++ return false; ++ } + if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, + s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { + return true; +@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, + + dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + (*s->cirrus_rop) (s, dst, src, +@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) + { + cirrus_fill_t rop_func; + +- if (blit_is_unsafe(s)) { ++ if (blit_is_unsafe(s, true)) { + return 0; + } + rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; +@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + + static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) + { +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, +-- +2.12.0 + diff --git a/gnu/packages/patches/qemu-CVE-2017-2630.patch b/gnu/packages/patches/qemu-CVE-2017-2630.patch new file mode 100644 index 0000000000..b154d171f1 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-2630.patch @@ -0,0 +1,47 @@ +Fix CVE-2017-2630: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630 +https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html + +Patch copied from upstream source repository: + +http://git.qemu-project.org/?p=qemu.git;a=commit;h=2563c9c6b8670400c48e562034b321a7cf3d9a85 + +From 2563c9c6b8670400c48e562034b321a7cf3d9a85 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Tue, 7 Mar 2017 09:16:27 -0600 +Subject: [PATCH] nbd/client: fix drop_sync [CVE-2017-2630] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Comparison symbol is misused. It may lead to memory corruption. +Introduced in commit 7d3123e. + +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com> +[eblake: add CVE details, update conditional] +Signed-off-by: Eric Blake +Reviewed-by: Marc-André Lureau +Message-Id: <20170307151627.27212-1-eblake@redhat.com> +Signed-off-by: Paolo Bonzini +--- + nbd/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nbd/client.c b/nbd/client.c +index 5c9dee37fa..3dc2564cd0 100644 +--- a/nbd/client.c ++++ b/nbd/client.c +@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size) + char small[1024]; + char *buffer; + +- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size)); ++ buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size)); + while (size > 0) { + ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); + +-- +2.12.0 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 3aa4128be0..07ab871fae 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -79,6 +79,8 @@ "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs")) (patches (search-patches "qemu-CVE-2016-10155.patch" "qemu-CVE-2017-2615.patch" + "qemu-CVE-2017-2620.patch" + "qemu-CVE-2017-2630.patch" "qemu-CVE-2017-5525.patch" "qemu-CVE-2017-5526.patch" "qemu-CVE-2017-5552.patch" -- cgit v1.2.3