From 37acc8a07b37b7cd500496dec4d4737a389a2f7a Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sun, 12 Feb 2017 09:20:08 -0500 Subject: [PATCH] gnu: qemu: Fix CVE-2017-{5667,5898,5931}. * gnu/packages/patches/qemu-CVE-2017-5667.patch, gnu/packages/patches/qemu-CVE-2017-5898.patch, gnu/packages/patches/qemu-CVE-2017-5931.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. gnu/packages/qemu.scm (qemu)[source]: Use them. --- gnu/local.mk | 3 + gnu/packages/patches/qemu-CVE-2017-5667.patch | 46 ++++++++++++++++ gnu/packages/patches/qemu-CVE-2017-5898.patch | 44 +++++++++++++++ gnu/packages/patches/qemu-CVE-2017-5931.patch | 55 +++++++++++++++++++ gnu/packages/qemu.scm | 5 +- 5 files changed, 152 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/qemu-CVE-2017-5667.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-5898.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-5931.patch diff --git a/gnu/local.mk b/gnu/local.mk index 2a054ea64b..7fc7af6e15 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -870,7 +870,10 @@ dist_patch_DATA = \ %D%/packages/patches/qemu-CVE-2017-5552.patch \ %D%/packages/patches/qemu-CVE-2017-5578.patch \ %D%/packages/patches/qemu-CVE-2017-5579.patch \ + %D%/packages/patches/qemu-CVE-2017-5667.patch \ %D%/packages/patches/qemu-CVE-2017-5856.patch \ + %D%/packages/patches/qemu-CVE-2017-5898.patch \ + %D%/packages/patches/qemu-CVE-2017-5931.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-5667.patch b/gnu/packages/patches/qemu-CVE-2017-5667.patch new file mode 100644 index 0000000000..5adea0d278 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5667.patch @@ -0,0 +1,46 @@ +Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer): + +http://seclists.org/oss-sec/2017/q1/243 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667 + +Patch copied from upstream source repository: + +http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9 + +From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 7 Feb 2017 18:29:59 +0000 +Subject: [PATCH] sd: sdhci: check data length during dma_memory_read + +While doing multi block SDMA transfer in routine +'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting +index 'begin' and data length 's->data_count' could end up to be same. +This could lead to an OOB access issue. Correct transfer data length +to avoid it. + +Cc: qemu-stable@nongnu.org +Reported-by: Jiang Xin +Signed-off-by: Prasad J Pandit +Reviewed-by: Peter Maydell +Message-id: 20170130064736.9236-1-ppandit@redhat.com +Signed-off-by: Peter Maydell +--- + hw/sd/sdhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index 01fbf228be..5bd5ab6319 100644 +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + boundary_count -= block_size - begin; + } + dma_memory_read(&address_space_memory, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count); ++ &s->fifo_buffer[begin], s->data_count - begin); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + for (n = 0; n < block_size; n++) { +-- +2.11.1 + diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/patches/qemu-CVE-2017-5898.patch new file mode 100644 index 0000000000..5a94bb1ae4 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5898.patch @@ -0,0 +1,44 @@ +Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest): + +http://seclists.org/oss-sec/2017/q1/328 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898 + +Patch copied from upstream source repository: + +http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a + +From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 3 Feb 2017 00:52:28 +0530 +Subject: [PATCH] usb: ccid: check ccid apdu length + +CCID device emulator uses Application Protocol Data Units(APDU) +to exchange command and responses to and from the host. +The length in these units couldn't be greater than 65536. Add +check to ensure the same. It'd also avoid potential integer +overflow in emulated_apdu_from_guest. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-id: 20170202192228.10847-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/dev-smartcard-reader.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c +index 89e11b68c4..1325ea1659 100644 +--- a/hw/usb/dev-smartcard-reader.c ++++ b/hw/usb/dev-smartcard-reader.c +@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) + DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, + recv->hdr.bSeq, len); + ccid_add_pending_answer(s, (CCID_Header *)recv); +- if (s->card) { ++ if (s->card && len <= BULK_OUT_DATA_SIZE) { + ccid_card_apdu_from_guest(s->card, recv->abData, len); + } else { + DPRINTF(s, D_WARN, "warning: discarded apdu\n"); +-- +2.11.1 + diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch new file mode 100644 index 0000000000..08910e5fac --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5931.patch @@ -0,0 +1,55 @@ +Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests): + +http://seclists.org/oss-sec/2017/q1/337 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931 + +Patch copied from upstream source repository: + +http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4 + +From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 +From: Gonglei +Date: Tue, 3 Jan 2017 14:50:03 +0800 +Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow + +Because the 'size_t' type is 4 bytes in 32-bit platform, which +is the same with 'int'. It's easy to make 'max_len' to zero when +integer overflow and then cause heap overflow if 'max_len' is zero. + +Using uint_64 instead of size_t to avoid the integer overflow. + +Cc: qemu-stable@nongnu.org +Reported-by: Li Qiang +Signed-off-by: Gonglei +Tested-by: Li Qiang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + hw/virtio/virtio-crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 2f2467e859..c23e1ad458 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + uint32_t hash_start_src_offset = 0, len_to_hash = 0; + uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; + +- size_t max_len, curr_size = 0; ++ uint64_t max_len, curr_size = 0; + size_t s; + + /* Plain cipher */ +@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + +- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; ++ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); + return NULL; +-- +2.11.1 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index b4920cfc25..9afcd83049 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -84,7 +84,10 @@ "qemu-CVE-2017-5552.patch" "qemu-CVE-2017-5578.patch" "qemu-CVE-2017-5579.patch" - "qemu-CVE-2017-5856.patch")))) + "qemu-CVE-2017-5667.patch" + "qemu-CVE-2017-5856.patch" + "qemu-CVE-2017-5898.patch" + "qemu-CVE-2017-5931.patch")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: