vapier 14/05/31 16:03:53 |
|
Added: qemu-2.0.0-usb-post-load-checks.patch |
qemu-2.0.0-qcow-check-max-sizes.patch |
qemu-2.0.0-CVE-2014-0223.patch |
qemu-2.0.0-CVE-2014-0222.patch |
qemu-2.0.0-CVE-2013-4541.patch |
Log: |
Add fixes from upstream for various CVEs #510208 #510234. |
|
(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key D2E96200) |
|
Revision Changes Path |
1.1 app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch?rev=1.1&content-type=text/plain |
|
Index: qemu-2.0.0-usb-post-load-checks.patch |
=================================================================== |
https://bugs.gentoo.org/510208 |
|
From 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e Mon Sep 17 00:00:00 2001 |
From: "Michael S. Tsirkin" <mst@××××××.com> |
Date: Tue, 13 May 2014 12:33:16 +0300 |
Subject: [PATCH] usb: fix up post load checks |
|
Correct post load checks: |
1. dev->setup_len == sizeof(dev->data_buf) |
seems fine, no need to fail migration |
2. When state is DATA, passing index > len |
will cause memcpy with negative length, |
resulting in heap overflow |
|
First of the issues was reported by dgilbert. |
|
Reported-by: "Dr. David Alan Gilbert" <dgilbert@××××××.com> |
Signed-off-by: Michael S. Tsirkin <mst@××××××.com> |
Signed-off-by: Juan Quintela <quintela@××××××.com> |
--- |
hw/usb/bus.c | 4 ++-- |
1 file changed, 2 insertions(+), 2 deletions(-) |
|
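diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index 699aa10..927a47b 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
 }
 if (dev->setup_index < 0 ||
 dev->setup_len < 0 ||
- dev->setup_index >= sizeof(dev->data_buf) ||
- dev->setup_len >= sizeof(dev->data_buf)) {
+ dev->setup_index > dev->setup_len ||
+ dev->setup_len > sizeof(dev->data_buf)) {
 return -EINVAL;
 }
 return 0;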
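Review bot: The new invariant `setup_index <= setup_len <= sizeof(data_buf)` is correct, but the reasoning only lives in the commit message ("passing index > len will cause memcpy with negative length"), so the next person who relaxes these lines has nothing in the code to warn them. A comment above the `if` would carry it, e.g. `/* The data phase copies setup_len - setup_index bytes from data_buf: index must not exceed len, len must not exceed the buffer; equality is fine in both cases. */`. Note that the two removed `>= sizeof` lines are exactly the ones the CVE-2013-4541 patch at the bottom of this page adds, so that patch has to be applied before this one. usb_device_post_load begins outside the hunk.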
-- |
1.9.3 |
|
|
|
|
1.1 app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch?rev=1.1&content-type=text/plain |
|
Index: qemu-2.0.0-qcow-check-max-sizes.patch |
=================================================================== |
From 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f Mon Sep 17 00:00:00 2001 |
From: Kevin Wolf <kwolf@××××××.com> |
Date: Wed, 7 May 2014 17:30:30 +0200 |
Subject: [PATCH] qcow1: Check maximum cluster size |
|
Huge values for header.cluster_bits cause unbounded allocations (e.g. |
for s->cluster_cache) and crash qemu this way. Less huge values may |
survive those allocations, but can cause integer overflows later on. |
|
The only cluster sizes that qemu can create are 4k (for standalone |
images) and 512 (for images with backing files), so we can limit it |
to 64k. |
|
Cc: qemu-stable@××××××.org |
Signed-off-by: Kevin Wolf <kwolf@××××××.com> |
Reviewed-by: Benoit Canet <benoit@×××××××.net> |
--- |
block/qcow.c | 10 ++++++-- |
tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++++ |
tests/qemu-iotests/092.out | 13 ++++++++++ |
tests/qemu-iotests/group | 1 + |
4 files changed, 85 insertions(+), 2 deletions(-) |
create mode 100755 tests/qemu-iotests/092 |
create mode 100644 tests/qemu-iotests/092.out |
|
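diff --git a/block/qcow.c b/block/qcow.c
index 3684794..e60df23 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
 goto fail;
 }
 
- if (header.size <= 1 || header.cluster_bits < 9) {
- error_setg(errp, "invalid value in qcow header");
+ if (header.size <= 1) {
+ error_setg(errp, "Image size is too small (must be at least 2 bytes)");
 ret = -EINVAL;
 goto fail;
 }
+ if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+ error_setg(errp, "Cluster size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
 if (header.crypt_method > QCOW_CRYPT_AES) {
 error_setg(errp, "invalid encryption method in qcow header");
 ret = -EINVAL;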
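Review bot: The bounds `9` and `16` in the new cluster_bits check are bare literals whose meaning only appears in the error string, and the CVE-2014-0222 patch further down this page repeats the same two numbers as `9 - 3` and `16 - 3` for the l2_bits check, so the two limits can silently drift apart. Named constants placed with the other qcow header definitions, e.g. `#define QCOW_MIN_CLUSTER_BITS 9` and `#define QCOW_MAX_CLUSTER_BITS 16`, used by both checks would tie them together; at minimum a comment on the `if` such as `/* 512 bytes .. 64k; qemu-img itself only creates 512 and 4k clusters */` records where the range comes from. The l1_size overflow guard in the CVE-2014-0223 patch also depends on this upper bound, which is another reason to make it a named value. qcow_open begins and ends outside the hunk.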
-- |
1.9.3 |
|
|
|
|
1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch?rev=1.1&content-type=text/plain |
|
Index: qemu-2.0.0-CVE-2014-0223.patch |
=================================================================== |
From 46485de0cb357b57373e1ca895adedf1f3ed46ec Mon Sep 17 00:00:00 2001 |
From: Kevin Wolf <kwolf@××××××.com> |
Date: Thu, 8 May 2014 13:08:20 +0200 |
Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223) |
|
A huge image size could cause s->l1_size to overflow. Make sure that |
images never require a L1 table larger than what fits in s->l1_size. |
|
This can not only cause unbounded allocations, but also the allocation of |
a too small L1 table, resulting in out-of-bounds array accesses (both |
reads and writes). |
|
Cc: qemu-stable@××××××.org |
Signed-off-by: Kevin Wolf <kwolf@××××××.com> |
--- |
block/qcow.c | 16 ++++++++++++++-- |
tests/qemu-iotests/092 | 9 +++++++++ |
tests/qemu-iotests/092.out | 7 +++++++ |
3 files changed, 30 insertions(+), 2 deletions(-) |
|
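diff --git a/block/qcow.c b/block/qcow.c
index e8038e5..3566c05 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
 int cluster_sectors;
 int l2_bits;
 int l2_size;
- int l1_size;
+ unsigned int l1_size;
 uint64_t cluster_offset_mask;
 uint64_t l1_table_offset;
 uint64_t *l1_table;
@@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
 
 /* read the level 1 table */
 shift = s->cluster_bits + s->l2_bits;
- s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
+ if (header.size > UINT64_MAX - (1LL << shift)) {
+ error_setg(errp, "Image too large");
+ ret = -EINVAL;
+ goto fail;
+ } else {
+ uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
+ if (l1_size > INT_MAX / sizeof(uint64_t)) {
+ error_setg(errp, "Image too large");
+ ret = -EINVAL;
+ goto fail;
+ }
+ s->l1_size = l1_size;
+ }
 
 s->l1_table_offset = header.l1_table_offset;
 s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));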
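Review bot: The guard `header.size > UINT64_MAX - (1LL << shift)` is itself only well-defined for a small `shift`: `1LL << shift` is undefined once shift reaches 63, so this check relies on s->cluster_bits and s->l2_bits having already been range-checked (to at most 16 and 13 by the other two qcow patches on this page), presumably from the same header fields, and the code says nothing about that dependency. A one-line comment before the `if`, e.g. `/* shift <= 29 here: cluster_bits and l2_bits were range-checked above, so the shift and the rounding add cannot overflow */`, would stop a future reordering of the header checks from silently reintroducing the overflow. The `else` after `goto fail` is redundant and exists only to scope the local `l1_size`; declaring it with the function's other locals would flatten the block, though that is cosmetic. qcow_open begins and ends outside the hunk.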
-- |
1.9.3 |
|
|
|
|
1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch?rev=1.1&content-type=text/plain |
|
Index: qemu-2.0.0-CVE-2014-0222.patch |
=================================================================== |
From 42eb58179b3b215bb507da3262b682b8a2ec10b5 Mon Sep 17 00:00:00 2001 |
From: Kevin Wolf <kwolf@××××××.com> |
Date: Thu, 15 May 2014 16:10:11 +0200 |
Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222) |
|
Too large L2 table sizes cause unbounded allocations. Images actually |
created by qemu-img only have 512 byte or 4k L2 tables. |
|
To keep things consistent with cluster sizes, allow ranges between 512 |
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically |
working, but L2 table sizes smaller than a cluster don't make a lot of |
sense). |
|
This also means that the number of bytes on the virtual disk that are |
described by the same L2 table is limited to at most 8k * 64k or 2^29, |
preventively avoiding any integer overflows. |
|
Cc: qemu-stable@××××××.org |
Signed-off-by: Kevin Wolf <kwolf@××××××.com> |
Reviewed-by: Benoit Canet <benoit@×××××××.net> |
--- |
block/qcow.c | 8 ++++++++ |
tests/qemu-iotests/092 | 15 +++++++++++++++ |
tests/qemu-iotests/092.out | 11 +++++++++++ |
3 files changed, 34 insertions(+) |
|
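diff --git a/block/qcow.c b/block/qcow.c
index e60df23..e8038e5 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -139,6 +139,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
 goto fail;
 }
 
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+ * so bytes = num_entries << 3. */
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
+ error_setg(errp, "L2 table size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
 if (header.crypt_method > QCOW_CRYPT_AES) {
 error_setg(errp, "invalid encryption method in qcow header");
 ret = -EINVAL;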
-- |
1.9.3 |
|
|
|
|
1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch?rev=1.1&content-type=text/plain |
|
Index: qemu-2.0.0-CVE-2013-4541.patch |
=================================================================== |
From 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a Mon Sep 17 00:00:00 2001 |
From: "Michael S. Tsirkin" <mst@××××××.com> |
Date: Thu, 3 Apr 2014 19:52:25 +0300 |
Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load |
|
CVE-2013-4541 |
|
s->setup_len and s->setup_index are fed into usb_packet_copy as |
size/offset into s->data_buf, it's possible for invalid state to exploit |
this to load arbitrary data. |
|
setup_len and setup_index should be checked to make sure |
they are not negative. |
|
Cc: Gerd Hoffmann <kraxel@××××××.com> |
Signed-off-by: Michael S. Tsirkin <mst@××××××.com> |
Reviewed-by: Gerd Hoffmann <kraxel@××××××.com> |
Signed-off-by: Juan Quintela <quintela@××××××.com> |
--- |
hw/usb/bus.c | 4 +++- |
1 file changed, 3 insertions(+), 1 deletion(-) |
|
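diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index fe70429..e48b19f 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
 } else {
 dev->attached = 1;
 }
- if (dev->setup_index >= sizeof(dev->data_buf) ||
+ if (dev->setup_index < 0 ||
+ dev->setup_len < 0 ||
+ dev->setup_index >= sizeof(dev->data_buf) ||
 dev->setup_len >= sizeof(dev->data_buf)) {
 return -EINVAL;
 }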
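Review bot: The added `< 0` checks keep negative setup_len/setup_index out of usb_packet_copy, and they also make the following `>= sizeof(dev->data_buf)` comparisons sound (before them a negative int was silently promoted to a huge size_t), but the two fields are still only bounded independently against the buffer size; nothing here requires setup_index <= setup_len, which per the usb-post-load-checks commit message at the top of this page is the relation the data-phase copy length is derived from. That patch replaces these two `>= sizeof` lines with `dev->setup_index > dev->setup_len ||` and `dev->setup_len > sizeof(dev->data_buf)) {`, so the two patches must be applied in that order (this one first) and are best reviewed as a pair. A comment on the `if` naming the invariant the check enforces, e.g. `/* setup_index/setup_len come from migration state and index data_buf; reject anything outside the buffer */`, would make the intent visible in the code. usb_device_post_load begins outside the hunk.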
-- |
1.9.3 |