guix-devel/gnu/packages/patches/qemu-CVE-2015-8619.patch

From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 13 Jan 2016 09:09:58 +0100
Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)

When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.

Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>

(cherry picked from commit 64ffbe04eaafebf4045a3ace52a360c14959d196)
---
 hmp.c                | 18 ++++++++----------
 include/ui/console.h |  2 +-
 ui/input-legacy.c    |  5 +++--
 3 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/hmp.c b/hmp.c
index 2140605..1904203 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1734,21 +1734,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
     int has_hold_time = qdict_haskey(qdict, "hold-time");
     int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
     Error *err = NULL;
-    char keyname_buf[16];
     char *separator;
     int keyname_len;
 
     while (1) {
         separator = strchr(keys, '-');
         keyname_len = separator ? separator - keys : strlen(keys);
-        pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
 
         /* Be compatible with old interface, convert user inputted "<" */
-        if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
-            pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
+        if (keys[0] == '<' && keyname_len == 1) {
+            keys = "less";
             keyname_len = 4;
         }
-        keyname_buf[keyname_len] = 0;
 
         keylist = g_malloc0(sizeof(*keylist));
         keylist->value = g_malloc0(sizeof(*keylist->value));
@@ -1761,16 +1758,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
         }
         tmp = keylist;
 
-        if (strstart(keyname_buf, "0x", NULL)) {
+        if (strstart(keys, "0x", NULL)) {
             char *endp;
-            int value = strtoul(keyname_buf, &endp, 0);
-            if (*endp != '\0') {
+            int value = strtoul(keys, &endp, 0);
+            assert(endp <= keys + keyname_len);
+            if (endp != keys + keyname_len) {
                 goto err_out;
             }
             keylist->value->type = KEY_VALUE_KIND_NUMBER;
             keylist->value->u.number = value;
         } else {
-            int idx = index_from_key(keyname_buf);
+            int idx = index_from_key(keys, keyname_len);
             if (idx == Q_KEY_CODE_MAX) {
                 goto err_out;
             }
@@ -1792,7 +1790,7 @@ out:
     return;
 
 err_out:
-    monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
+    monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
     goto out;
 }
 
diff --git a/include/ui/console.h b/include/ui/console.h
index c249db4..5739bdd 100644
--- a/include/ui/console.h
+++ b/include/ui/console.h
@@ -433,7 +433,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
 void curses_display_init(DisplayState *ds, int full_screen);
 
 /* input.c */
-int index_from_key(const char *key);
+int index_from_key(const char *key, size_t key_length);
 
 /* gtk.c */
 void early_gtk_display_init(int opengl);
diff --git a/ui/input-legacy.c b/ui/input-legacy.c
index e0a39f0..3f28bbc 100644
--- a/ui/input-legacy.c
+++ b/ui/input-legacy.c
@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
 static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
     QTAILQ_HEAD_INITIALIZER(led_handlers);
 
-int index_from_key(const char *key)
+int index_from_key(const char *key, size_t key_length)
 {
     int i;
 
     for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
-        if (!strcmp(key, QKeyCode_lookup[i])) {
+        if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
+            !QKeyCode_lookup[i][key_length]) {
             break;
         }
     }
gnu: qemu: Add fixes for CVE-2015-8619, CVE-2016-1981, CVE-2016-2197. * gnu/packages/patches/qemu-CVE-2015-8619.patch, gnu/packages/patches/qemu-CVE-2016-1981.patch, gnu/packages/patches/qemu-CVE-2016-2197.patch, gnu/packages/patches/qemu-usb-ehci-oob-read.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/qemu.scm (qemu)[source]: Add patches. 2016-02-22 16:17:48 +01:00			`From: Wolfgang Bumiller <w.bumiller@proxmox.com>`
			`Date: Wed, 13 Jan 2016 09:09:58 +0100`
			`Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)`

			`When processing 'sendkey' command, hmp_sendkey routine null`
			`terminates the 'keyname_buf' array. This results in an OOB`
			`write issue, if 'keyname_len' was to fall outside of`
			`'keyname_buf' array.`

			`Since the keyname's length is known the keyname_buf can be`
			`removed altogether by adding a length parameter to`
			`index_from_key() and using it for the error output as well.`

			`Reported-by: Ling Liu <liuling-it@360.cn>`
			`Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>`
			`Message-Id: <20160113080958.GA18934@olga>`
			`[Comparison with "<" dumbed down, test for junk after strtoul()`
			`tweaked]`
			`Signed-off-by: Markus Armbruster <armbru@redhat.com>`

			`(cherry picked from commit 64ffbe04eaafebf4045a3ace52a360c14959d196)`
			`---`
			`hmp.c \| 18 ++++++++----------`
			`include/ui/console.h \| 2 +-`
			`ui/input-legacy.c \| 5 +++--`
			`3 files changed, 12 insertions(+), 13 deletions(-)`

			`diff --git a/hmp.c b/hmp.c`
			`index 2140605..1904203 100644`
			`--- a/hmp.c`
			`+++ b/hmp.c`
			`@@ -1734,21 +1734,18 @@ void hmp_sendkey(Monitor mon, const QDict qdict)`
			`int has_hold_time = qdict_haskey(qdict, "hold-time");`
			`int hold_time = qdict_get_try_int(qdict, "hold-time", -1);`
			`Error *err = NULL;`
			`- char keyname_buf[16];`
			`char *separator;`
			`int keyname_len;`

			`while (1) {`
			`separator = strchr(keys, '-');`
			`keyname_len = separator ? separator - keys : strlen(keys);`
			`- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);`

			`/* Be compatible with old interface, convert user inputted "<" */`
			`- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {`
			`- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");`
			`+ if (keys[0] == '<' && keyname_len == 1) {`
			`+ keys = "less";`
			`keyname_len = 4;`
			`}`
			`- keyname_buf[keyname_len] = 0;`

			`keylist = g_malloc0(sizeof(*keylist));`
			`keylist->value = g_malloc0(sizeof(*keylist->value));`
			`@@ -1761,16 +1758,17 @@ void hmp_sendkey(Monitor mon, const QDict qdict)`
			`}`
			`tmp = keylist;`

			`- if (strstart(keyname_buf, "0x", NULL)) {`
			`+ if (strstart(keys, "0x", NULL)) {`
			`char *endp;`
			`- int value = strtoul(keyname_buf, &endp, 0);`
			`- if (*endp != '\0') {`
			`+ int value = strtoul(keys, &endp, 0);`
			`+ assert(endp <= keys + keyname_len);`
			`+ if (endp != keys + keyname_len) {`
			`goto err_out;`
			`}`
			`keylist->value->type = KEY_VALUE_KIND_NUMBER;`
			`keylist->value->u.number = value;`
			`} else {`
			`- int idx = index_from_key(keyname_buf);`
			`+ int idx = index_from_key(keys, keyname_len);`
			`if (idx == Q_KEY_CODE_MAX) {`
			`goto err_out;`
			`}`
			`@@ -1792,7 +1790,7 @@ out:`
			`return;`

			`err_out:`
			`- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);`
			`+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);`
			`goto out;`
			`}`

			`diff --git a/include/ui/console.h b/include/ui/console.h`
			`index c249db4..5739bdd 100644`
			`--- a/include/ui/console.h`
			`+++ b/include/ui/console.h`
			`@@ -433,7 +433,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)`
			`void curses_display_init(DisplayState *ds, int full_screen);`

			`/* input.c */`
			`-int index_from_key(const char *key);`
			`+int index_from_key(const char *key, size_t key_length);`

			`/* gtk.c */`
			`void early_gtk_display_init(int opengl);`
			`diff --git a/ui/input-legacy.c b/ui/input-legacy.c`
			`index e0a39f0..3f28bbc 100644`
			`--- a/ui/input-legacy.c`
			`+++ b/ui/input-legacy.c`
			`@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {`
			`static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =`
			`QTAILQ_HEAD_INITIALIZER(led_handlers);`

			`-int index_from_key(const char *key)`
			`+int index_from_key(const char *key, size_t key_length)`
			`{`
			`int i;`

			`for (i = 0; QKeyCode_lookup[i] != NULL; i++) {`
			`- if (!strcmp(key, QKeyCode_lookup[i])) {`
			`+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&`
			`+ !QKeyCode_lookup[i][key_length]) {`
			`break;`
			`}`
			`}`