Gentoo Archives: gentoo-commits

From: "Mike Frysinger (vapier)" <vapier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-emulation/qemu/files: qemu-2.0.0-usb-post-load-checks.patch qemu-2.0.0-qcow-check-max-sizes.patch qemu-2.0.0-CVE-2014-0223.patch qemu-2.0.0-CVE-2014-0222.patch qemu-2.0.0-CVE-2013-4541.patch
Date: Sat, 31 May 2014 16:03:57
Message-Id: 20140531160353.F11322004E@flycatcher.gentoo.org
vapier 14/05/31 16:03:53

Added: qemu-2.0.0-usb-post-load-checks.patch
qemu-2.0.0-qcow-check-max-sizes.patch
qemu-2.0.0-CVE-2014-0223.patch
qemu-2.0.0-CVE-2014-0222.patch
qemu-2.0.0-CVE-2013-4541.patch
Log:
Add fixes from upstream for various CVEs #510208 #510234.

(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key D2E96200)

Revision Changes Path
1.1 app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch?rev=1.1&content-type=text/plain

Index: qemu-2.0.0-usb-post-load-checks.patch
===================================================================
https://bugs.gentoo.org/510208

From 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@××××××.com>
Date: Tue, 13 May 2014 12:33:16 +0300
Subject: [PATCH] usb: fix up post load checks

Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf)
seems fine, no need to fail migration
2. When state is DATA, passing index > len
will cause memcpy with negative length,
resulting in heap overflow

The first of the issues was reported by dgilbert.

Reported-by: "Dr. David Alan Gilbert" <dgilbert@××××××.com>
Signed-off-by: Michael S. Tsirkin <mst@××××××.com>
Signed-off-by: Juan Quintela <quintela@××××××.com>
---
hw/usb/bus.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

44 diff --git a/hw/usb/bus.c b/hw/usb/bus.c
45 index 699aa10..927a47b 100644
46 --- a/hw/usb/bus.c
47 +++ b/hw/usb/bus.c
48 @@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
49 }
50 if (dev->setup_index < 0 ||
51 dev->setup_len < 0 ||
52 - dev->setup_index >= sizeof(dev->data_buf) ||
53 - dev->setup_len >= sizeof(dev->data_buf)) {
54 + dev->setup_index > dev->setup_len ||
55 + dev->setup_len > sizeof(dev->data_buf)) {
56 return -EINVAL;
57 }
58 return 0;
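Review bot: the two replacement comparisons, `+ dev->setup_index > dev->setup_len ||` and `+ dev->setup_len > sizeof(dev->data_buf)) {`, are only sound because of the `< 0` checks immediately above them: the index is now bounded by len rather than by the buffer, so it is only in range if len has already been bounded by the buffer, and if `setup_len` is a signed int (the `< 0` test suggests it is) the comparison against a `size_t` would accept or reject a negative value by conversion accident rather than by design. A one-line comment inside the condition stating that ordering invariant (len within the buffer, index within len, so a later copy of len minus index bytes can never go negative) would keep it from being broken by someone reordering the checks later.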
--
1.9.3


1.1 app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch?rev=1.1&content-type=text/plain

Index: qemu-2.0.0-qcow-check-max-sizes.patch
===================================================================
From 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@××××××.com>
Date: Wed, 7 May 2014 17:30:30 +0200
Subject: [PATCH] qcow1: Check maximum cluster size

Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.

The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.

Cc: qemu-stable@××××××.org
Signed-off-by: Kevin Wolf <kwolf@××××××.com>
Reviewed-by: Benoit Canet <benoit@×××××××.net>
---
block/qcow.c | 10 ++++++--
tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++++
tests/qemu-iotests/092.out | 13 ++++++++++
tests/qemu-iotests/group | 1 +
4 files changed, 85 insertions(+), 2 deletions(-)
create mode 100755 tests/qemu-iotests/092
create mode 100644 tests/qemu-iotests/092.out

97 diff --git a/block/qcow.c b/block/qcow.c
98 index 3684794..e60df23 100644
99 --- a/block/qcow.c
100 +++ b/block/qcow.c
101 @@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
102 goto fail;
103 }
104
105 - if (header.size <= 1 || header.cluster_bits < 9) {
106 - error_setg(errp, "invalid value in qcow header");
107 + if (header.size <= 1) {
108 + error_setg(errp, "Image size is too small (must be at least 2 bytes)");
109 ret = -EINVAL;
110 goto fail;
111 }
112 + if (header.cluster_bits < 9 || header.cluster_bits > 16) {
113 + error_setg(errp, "Cluster size must be between 512 and 64k");
114 + ret = -EINVAL;
115 + goto fail;
116 + }
117 +
118 if (header.crypt_method > QCOW_CRYPT_AES) {
119 error_setg(errp, "invalid encryption method in qcow header");
120 ret = -EINVAL;
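Review bot: the diffstat above lists tests/qemu-iotests/092, 092.out and group, but this patch file carries only the block/qcow.c hunk, so the stat no longer matches the body; either trim it to `block/qcow.c | 10 ++++++--` or note in the Gentoo header that the test-suite parts were dropped. Within the hunk, `+ if (header.cluster_bits < 9 || header.cluster_bits > 16) {` uses bare magic numbers that the error text then has to restate as "512 and 64k"; the same bounds reappear as `9 - 3` and `16 - 3` in the L2 table check of the CVE-2014-0222 patch in this commit, so naming them once would keep the two checks and their messages from drifting apart.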
--
1.9.3


1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch?rev=1.1&content-type=text/plain

Index: qemu-2.0.0-CVE-2014-0223.patch
===================================================================
From 46485de0cb357b57373e1ca895adedf1f3ed46ec Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@××××××.com>
Date: Thu, 8 May 2014 13:08:20 +0200
Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223)

A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.

This can not only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).

Cc: qemu-stable@××××××.org
Signed-off-by: Kevin Wolf <kwolf@××××××.com>
---
block/qcow.c | 16 ++++++++++++++--
tests/qemu-iotests/092 | 9 +++++++++
tests/qemu-iotests/092.out | 7 +++++++
3 files changed, 30 insertions(+), 2 deletions(-)

154 diff --git a/block/qcow.c b/block/qcow.c
155 index e8038e5..3566c05 100644
156 --- a/block/qcow.c
157 +++ b/block/qcow.c
158 @@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
159 int cluster_sectors;
160 int l2_bits;
161 int l2_size;
162 - int l1_size;
163 + unsigned int l1_size;
164 uint64_t cluster_offset_mask;
165 uint64_t l1_table_offset;
166 uint64_t *l1_table;
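Review bot: switching `l1_size` from `int` to `unsigned int` changes the signedness of every comparison and loop bound that uses it elsewhere in block/qcow.c, none of which appears in this hunk; worth confirming the build stays clean under -Wsign-compare and that no other site copies the value back into an `int` before the range check in the next hunk has run.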
167 @@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
168
169 /* read the level 1 table */
170 shift = s->cluster_bits + s->l2_bits;
171 - s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
172 + if (header.size > UINT64_MAX - (1LL << shift)) {
173 + error_setg(errp, "Image too large");
174 + ret = -EINVAL;
175 + goto fail;
176 + } else {
177 + uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
178 + if (l1_size > INT_MAX / sizeof(uint64_t)) {
179 + error_setg(errp, "Image too large");
180 + ret = -EINVAL;
181 + goto fail;
182 + }
183 + s->l1_size = l1_size;
184 + }
185
186 s->l1_table_offset = header.l1_table_offset;
187 s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
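Review bot: the first guard, `header.size > UINT64_MAX - (1LL << shift)`, only protects the addition; the one that actually keeps `s->l1_size * sizeof(uint64_t)` in the `g_malloc` call from wrapping is `l1_size > INT_MAX / sizeof(uint64_t)`, and since `l1_size` is now unsigned the INT_MAX bound is tighter than the field needs, so a comment saying why INT_MAX rather than UINT_MAX was chosen would help the next reader. Both failure paths emit the identical "Image too large" message, which makes the two conditions indistinguishable in a log; distinct wording is cheap. The `else` after `goto fail` is redundant. Finally, the index line `e8038e5..3566c05` shows this patch is based on the post-image of the CVE-2014-0222 patch below (`e60df23..e8038e5`), so the ebuild has to apply that one first even though this file is listed ahead of it.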
--
1.9.3


1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch?rev=1.1&content-type=text/plain

Index: qemu-2.0.0-CVE-2014-0222.patch
===================================================================
From 42eb58179b3b215bb507da3262b682b8a2ec10b5 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@××××××.com>
Date: Thu, 15 May 2014 16:10:11 +0200
Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222)

Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.

To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).

This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.

Cc: qemu-stable@××××××.org
Signed-off-by: Kevin Wolf <kwolf@××××××.com>
Reviewed-by: Benoit Canet <benoit@×××××××.net>
---
block/qcow.c | 8 ++++++++
tests/qemu-iotests/092 | 15 +++++++++++++++
tests/qemu-iotests/092.out | 11 +++++++++++
3 files changed, 34 insertions(+)

227 diff --git a/block/qcow.c b/block/qcow.c
228 index e60df23..e8038e5 100644
229 --- a/block/qcow.c
230 +++ b/block/qcow.c
231 @@ -139,6 +139,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
232 goto fail;
233 }
234
235 + /* l2_bits specifies number of entries; storing a uint64_t in each entry,
236 + * so bytes = num_entries << 3. */
237 + if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
238 + error_setg(errp, "L2 table size must be between 512 and 64k");
239 + ret = -EINVAL;
240 + goto fail;
241 + }
242 +
243 if (header.crypt_method > QCOW_CRYPT_AES) {
244 error_setg(errp, "invalid encryption method in qcow header");
245 ret = -EINVAL;
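Review bot: the comment explains the `<< 3`, but `+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {` silently mirrors the `9`/`16` cluster_bits bounds from the qcow-check-max-sizes patch in this commit; if either limit is changed in one place the "between 512 and 64k" string in the other becomes wrong, so shared named constants for the two checks would be safer. As with that patch, the diffstat lists tests/qemu-iotests/092 and 092.out while the body carries only the block/qcow.c hunk, so the stat should be trimmed or the omission noted.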
--
1.9.3


1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch?rev=1.1&content-type=text/plain

Index: qemu-2.0.0-CVE-2013-4541.patch
===================================================================
From 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@××××××.com>
Date: Thu, 3 Apr 2014 19:52:25 +0300
Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf; it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@××××××.com>
Signed-off-by: Michael S. Tsirkin <mst@××××××.com>
Reviewed-by: Gerd Hoffmann <kraxel@××××××.com>
Signed-off-by: Juan Quintela <quintela@××××××.com>
---
hw/usb/bus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

281 diff --git a/hw/usb/bus.c b/hw/usb/bus.c
282 index fe70429..e48b19f 100644
283 --- a/hw/usb/bus.c
284 +++ b/hw/usb/bus.c
285 @@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
286 } else {
287 dev->attached = 1;
288 }
289 - if (dev->setup_index >= sizeof(dev->data_buf) ||
290 + if (dev->setup_index < 0 ||
291 + dev->setup_len < 0 ||
292 + dev->setup_index >= sizeof(dev->data_buf) ||
293 dev->setup_len >= sizeof(dev->data_buf)) {
294 return -EINVAL;
295 }
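Review bot: the added `+ dev->setup_index < 0 ||` and `+ dev->setup_len < 0 ||` lines make the sign requirement explicit instead of leaving it to how a negative int behaves when compared against `sizeof(dev->data_buf)`, which is the right call. Note that the retained `>= sizeof(dev->data_buf)` checks still reject a setup_len exactly equal to the buffer size and never relate index to len; the usb-post-load-checks patch at the top of this commit changes both, and its `-` lines are exactly the `+` and context lines shown here, so in the ebuild this patch must be applied before that one.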
--
1.9.3