From c53dfb5728809be8df78f801e94a6d63971a1abf Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Wed, 29 Nov 2017 09:58:28 +0100 Subject: [PATCH] bump version to 2.9.1-3 --- Makefile | 2 +- debian/changelog | 17 +++ ...arget-i386-disable-LINT0-after-reset.patch | 4 +- ...io-serial-fix-segfault-on-disconnect.patch | 4 +- ...ys-store-SCSIRequest-into-MegasasCmd.patch | 4 +- ...k-len-against-dhcp-options-array-end.patch | 4 +- ...-IDE-Do-not-flush-empty-CDROM-drives.patch | 4 +- ...map-add-bitmap_copy_and_clear_atomic.patch | 4 +- ...rt-getting-and-using-a-dirty-bitmap-.patch | 4 +- ...-add-vga_scanline_invalidated-helper.patch | 4 +- ...vga-make-display-updates-thread-safe.patch | 4 +- ...ix-display-update-region-calculation.patch | 4 +- ...update-region-calculation-split-scre.patch | 4 +- ...-pointers-to-vga_draw_line-functions.patch | 4 +- ...date-multiboot-header-address-values.patch | 4 +- ...descriptor-counting-in-virtqueue_pop.patch | 8 +- ...017-15119-Reject-options-larger-than.patch | 31 ++++++ ...ation-Update-memory-map-in-post_load.patch | 32 ++++++ .../0017-vga-drop-line_offset-variable.patch | 52 +++++++++ ...a-handle-cirrus-vbe-mode-wraparounds.patch | 103 ++++++++++++++++++ .../extra/0019-vga-add-ram_addr_t-cast.patch | 30 +++++ ...fix-region-checks-in-wraparound-case.patch | 32 ++++++ ...tput-buffer-size-from-websocket-GSou.patch | 55 ++++++++++ ..._malloc0-to-allocate-space-for-xattr.patch | 43 ++++++++ ...-access-in-mode4and5-write-functions.patch | 58 ++++++++++ debian/patches/series | 9 ++ 26 files changed, 494 insertions(+), 30 deletions(-) create mode 100644 debian/patches/extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch create mode 100644 debian/patches/extra/0016-vga-migration-Update-memory-map-in-post_load.patch create mode 100644 debian/patches/extra/0017-vga-drop-line_offset-variable.patch create mode 100644 debian/patches/extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch create mode 100644 debian/patches/extra/0019-vga-add-ram_addr_t-cast.patch create mode 100644 
debian/patches/extra/0020-vga-fix-region-checks-in-wraparound-case.patch create mode 100644 debian/patches/extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch create mode 100644 debian/patches/extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch create mode 100644 debian/patches/extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch diff --git a/Makefile b/Makefile index a49fc2d..e6b5897 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # also update debian/changelog KVMVER=2.9.1 -KVMPKGREL=2 +KVMPKGREL=3 KVMPACKAGE = pve-qemu-kvm KVMSRC = qemu diff --git a/debian/changelog b/debian/changelog index b3625fd..c5967bc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +pve-qemu-kvm (2.9.1-3) stable; urgency=medium + + * fix CVE-2017-15119: reject large nbd option requests + + * fix CVE-2017-13672: vga: handle cirrus vbe mode wraparounds + + * fix CVE-2017-15268: websocket issue with slow VNC clients + + * fix CVE-2017-15289: cirrus: OOB access issue in mode4and5 write functions + + * fix CVE-2017-15038: 9p: virtfs: information disclosure when reading + extended attributes + + * various other vga stable fixes + + -- Proxmox Support Team Wed, 29 Nov 2017 09:56:39 +0100 + pve-qemu-kvm (2.9.1-2) stable; urgency=medium * fix #1107: fix an issue where virtio devices would error on valid commands diff --git a/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch b/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch index 031f5db..abe6034 100644 --- a/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch +++ b/debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch @@ -1,7 +1,7 @@ -From b143eba39dd462833093ee1c9660bb157e72ce54 Mon Sep 17 00:00:00 2001 +From c2835302a557437ef22944902da17686247edd35 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Mon, 4 Jul 2016 15:02:26 +0200 -Subject: [PATCH 01/13] Revert "target-i386: disable LINT0 after reset" +Subject: [PATCH 01/23] Revert "target-i386: disable LINT0 after reset" This reverts commit b8eb5512fd8a115f164edbbe897cdf8884920ccb. --- diff --git a/debian/patches/extra/0002-virtio-serial-fix-segfault-on-disconnect.patch b/debian/patches/extra/0002-virtio-serial-fix-segfault-on-disconnect.patch index 5e43d2b..3f0db76 100644 --- a/debian/patches/extra/0002-virtio-serial-fix-segfault-on-disconnect.patch +++ b/debian/patches/extra/0002-virtio-serial-fix-segfault-on-disconnect.patch @@ -1,7 +1,7 @@ -From aec6bba73f7d7692de2c4196ee80e4d753b45604 Mon Sep 17 00:00:00 2001 +From 7ea086a97a09774c9ac8f0df236a0acb01dfc1ef Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Fri, 2 Jun 2017 10:54:24 +0100 -Subject: [PATCH 02/13] virtio-serial: fix segfault on disconnect +Subject: [PATCH 02/23] virtio-serial: fix segfault on disconnect Since commit d4c19cdeeb2f1e474bc426a6da261f1d7346eb5b ("virtio-serial: add missing virtio_detach_element() call") the following commands may diff --git a/debian/patches/extra/0003-megasas-always-store-SCSIRequest-into-MegasasCmd.patch b/debian/patches/extra/0003-megasas-always-store-SCSIRequest-into-MegasasCmd.patch index 103eb93..2f0eb41 100644 --- a/debian/patches/extra/0003-megasas-always-store-SCSIRequest-into-MegasasCmd.patch +++ b/debian/patches/extra/0003-megasas-always-store-SCSIRequest-into-MegasasCmd.patch @@ -1,7 +1,7 @@ -From 3884a6e250302f5f3d002ed03c20fb9678ea85e7 Mon Sep 17 00:00:00 2001 +From 8a6382046bb0a71f1deb7b7ca3954662353f3f65 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Thu, 1 Jun 2017 17:26:14 +0200 -Subject: [PATCH 03/13] megasas: always store SCSIRequest* into MegasasCmd +Subject: [PATCH 03/23] megasas: always store SCSIRequest* into MegasasCmd This ensures that the request is unref'ed properly, and avoids a segmentation fault in the new qtest testcase that is added. 
diff --git a/debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch b/debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch index bf86029..2af6141 100644 --- a/debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch +++ b/debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch @@ -1,7 +1,7 @@ -From 918e23903f5712274830bb20e2d5603bf5794af7 Mon Sep 17 00:00:00 2001 +From 76d3fb511849efb8bcd8690cd008a46408fac6dd Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Mon, 17 Jul 2017 17:33:26 +0530 -Subject: [PATCH 04/13] slirp: check len against dhcp options array end +Subject: [PATCH 04/23] slirp: check len against dhcp options array end While parsing dhcp options string in 'dhcp_decode', if an options' length 'len' appeared towards the end of 'bp_vend' array, ensuing diff --git a/debian/patches/extra/0005-IDE-Do-not-flush-empty-CDROM-drives.patch b/debian/patches/extra/0005-IDE-Do-not-flush-empty-CDROM-drives.patch index 0ddb7d5..808336f 100644 --- a/debian/patches/extra/0005-IDE-Do-not-flush-empty-CDROM-drives.patch +++ b/debian/patches/extra/0005-IDE-Do-not-flush-empty-CDROM-drives.patch @@ -1,7 +1,7 @@ -From f635d03bc56b8d56589f8f962f893de1e8126c06 Mon Sep 17 00:00:00 2001 +From 1c0ba3702859ca6affc1a3f9cad3d35ccc4773ed Mon Sep 17 00:00:00 2001 From: Stefan Hajnoczi Date: Wed, 9 Aug 2017 17:02:11 +0100 -Subject: [PATCH 05/13] IDE: Do not flush empty CDROM drives +Subject: [PATCH 05/23] IDE: Do not flush empty CDROM drives The block backend changed in a way that flushing empty CDROM drives now crashes. Amend IDE to avoid doing so until the root problem can be diff --git a/debian/patches/extra/0006-bitmap-add-bitmap_copy_and_clear_atomic.patch b/debian/patches/extra/0006-bitmap-add-bitmap_copy_and_clear_atomic.patch index 58cbd3d..b211f24 100644 --- a/debian/patches/extra/0006-bitmap-add-bitmap_copy_and_clear_atomic.patch 
+++ b/debian/patches/extra/0006-bitmap-add-bitmap_copy_and_clear_atomic.patch @@ -1,7 +1,7 @@ -From 9d6486413e60b1d973f7ec2ac006fc9b8e210ddd Mon Sep 17 00:00:00 2001 +From 14a318bd04ab27f0f8f5dbe5aba53a817f85e016 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 21 Apr 2017 11:16:24 +0200 -Subject: [PATCH 06/13] bitmap: add bitmap_copy_and_clear_atomic +Subject: [PATCH 06/23] bitmap: add bitmap_copy_and_clear_atomic Signed-off-by: Gerd Hoffmann Message-id: 20170421091632.30900-2-kraxel@redhat.com diff --git a/debian/patches/extra/0007-memory-add-support-getting-and-using-a-dirty-bitmap-.patch b/debian/patches/extra/0007-memory-add-support-getting-and-using-a-dirty-bitmap-.patch index 6c9716c..d6298a8 100644 --- a/debian/patches/extra/0007-memory-add-support-getting-and-using-a-dirty-bitmap-.patch +++ b/debian/patches/extra/0007-memory-add-support-getting-and-using-a-dirty-bitmap-.patch @@ -1,7 +1,7 @@ -From a89da93a2d3ffd3ba9516da89ecfbb0dd5fd51ad Mon Sep 17 00:00:00 2001 +From 2628973e5f8a50f3b308395fa8a33b8f4fdc9024 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 21 Apr 2017 11:16:25 +0200 -Subject: [PATCH 07/13] memory: add support getting and using a dirty bitmap +Subject: [PATCH 07/23] memory: add support getting and using a dirty bitmap copy. This patch adds support for getting and using a local copy of the dirty diff --git a/debian/patches/extra/0008-vga-add-vga_scanline_invalidated-helper.patch b/debian/patches/extra/0008-vga-add-vga_scanline_invalidated-helper.patch index 75af4de..98c5a66 100644 --- a/debian/patches/extra/0008-vga-add-vga_scanline_invalidated-helper.patch +++ b/debian/patches/extra/0008-vga-add-vga_scanline_invalidated-helper.patch @@ -1,7 +1,7 @@ -From cef8fb2b8ea711b6686032f86b1caf1815786aaa Mon Sep 17 00:00:00 2001 +From 248536e4a93b254fc38aa369f76e828c9ce9b45e Mon Sep 17 00:00:00 2001 
From: Gerd Hoffmann Date: Fri, 21 Apr 2017 11:16:26 +0200 -Subject: [PATCH 08/13] vga: add vga_scanline_invalidated helper +Subject: [PATCH 08/23] vga: add vga_scanline_invalidated helper Add vga_scanline_invalidated helper to check whenever a scanline was invalidated. Add a sanity check to fix OOB read access for display diff --git a/debian/patches/extra/0009-vga-make-display-updates-thread-safe.patch b/debian/patches/extra/0009-vga-make-display-updates-thread-safe.patch index 4a150e1..920bfc2 100644 --- a/debian/patches/extra/0009-vga-make-display-updates-thread-safe.patch +++ b/debian/patches/extra/0009-vga-make-display-updates-thread-safe.patch @@ -1,7 +1,7 @@ -From f7f03687246e62d8efed10ee5ce8c571fc3debc4 Mon Sep 17 00:00:00 2001 +From 54b1106d9a24dadae42c4f4c25b4fa2560183f5b Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 21 Apr 2017 11:16:27 +0200 -Subject: [PATCH 09/13] vga: make display updates thread safe. +Subject: [PATCH 09/23] vga: make display updates thread safe. The vga code clears the dirty bits *after* reading the framebuffer memory. So if the guest framebuffer updates hits the race window diff --git a/debian/patches/extra/0010-vga-fix-display-update-region-calculation.patch b/debian/patches/extra/0010-vga-fix-display-update-region-calculation.patch index db31baa..5c0f5eb 100644 --- a/debian/patches/extra/0010-vga-fix-display-update-region-calculation.patch +++ b/debian/patches/extra/0010-vga-fix-display-update-region-calculation.patch @@ -1,7 +1,7 @@ -From 616f285a074869fd79bc26509a0bd50e6e04e39d Mon Sep 17 00:00:00 2001 +From acd029e2a9b9ea93997fcb19c6cd71d6dd6c9cb6 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 9 May 2017 12:48:39 +0200 -Subject: [PATCH 10/13] vga: fix display update region calculation +Subject: [PATCH 10/23] vga: fix display update region calculation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
diff --git a/debian/patches/extra/0011-vga-fix-display-update-region-calculation-split-scre.patch b/debian/patches/extra/0011-vga-fix-display-update-region-calculation-split-scre.patch index cafe680..f445eec 100644 --- a/debian/patches/extra/0011-vga-fix-display-update-region-calculation-split-scre.patch +++ b/debian/patches/extra/0011-vga-fix-display-update-region-calculation-split-scre.patch @@ -1,7 +1,7 @@ -From c93a020a1c6a37398d124f063af23d6acb3eb5cb Mon Sep 17 00:00:00 2001 +From b8aa853672ab9e94821a43b6cb2a51d24cb2be8c Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 1 Sep 2017 14:57:38 +0200 -Subject: [PATCH 11/13] vga: fix display update region calculation (split +Subject: [PATCH 11/23] vga: fix display update region calculation (split screen) vga display update mis-calculated the region for the dirty bitmap diff --git a/debian/patches/extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch b/debian/patches/extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch index fa40670..d8de930 100644 --- a/debian/patches/extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch +++ b/debian/patches/extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch @@ -1,7 +1,7 @@ -From 15c2b7e06a85dd78c7d45b3703639735eee09c01 Mon Sep 17 00:00:00 2001 +From 51b08381408f248b1149c0177a90f61f703b8432 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 1 Sep 2017 14:57:39 +0200 -Subject: [PATCH 12/13] vga: stop passing pointers to vga_draw_line* functions +Subject: [PATCH 12/23] vga: stop passing pointers to vga_draw_line* functions Instead pass around the address (aka offset into vga memory). Add vga_read_* helper functions which apply vbe_size_mask to diff --git a/debian/patches/extra/0013-multiboot-validate-multiboot-header-address-values.patch b/debian/patches/extra/0013-multiboot-validate-multiboot-header-address-values.patch index 156c8fd..4930d34 100644 
--- a/debian/patches/extra/0013-multiboot-validate-multiboot-header-address-values.patch +++ b/debian/patches/extra/0013-multiboot-validate-multiboot-header-address-values.patch @@ -1,7 +1,7 @@ -From fff4299fb7be857e93ff5c6ea0f871c62d159c1d Mon Sep 17 00:00:00 2001 +From 158e47c5a3ebe4b67d35b7c1e8fecad258e735db Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Thu, 7 Sep 2017 12:02:56 +0530 -Subject: [PATCH 13/13] multiboot: validate multiboot header address values +Subject: [PATCH 13/23] multiboot: validate multiboot header address values While loading kernel via multiboot-v1 image, (flags & 0x00010000) indicates that multiboot header contains valid addresses to load diff --git a/debian/patches/extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch b/debian/patches/extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch index 15c5afe..ba7d352 100644 --- a/debian/patches/extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch +++ b/debian/patches/extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch @@ -1,7 +1,7 @@ -From 3474ad551f5ff8c550d388251c9555882d9beb5d Mon Sep 17 00:00:00 2001 +From 5cd576814744853a855ab64400e2d8d9c0b7bb0e Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller -Date: Tue, 19 Sep 2017 14:20:28 +0200 -Subject: [PATCH 14/14] virtio: fix descriptor counting in virtqueue_pop +Date: Wed, 20 Sep 2017 08:09:33 +0200 +Subject: [PATCH 14/23] virtio: fix descriptor counting in virtqueue_pop While changing the s/g list allocation, commit 3b3b0628 also changed the descriptor counting to count iovec entries @@ -15,6 +15,8 @@ Reported-by: Hans Middelhoek Link: https://forum.proxmox.com/threads/vm-crash-with-memory-hotplug.35904/ Fixes: 3b3b0628217e ("virtio: slim down allocation of VirtQueueElements") Signed-off-by: Wolfgang Bumiller +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin --- hw/virtio/virtio.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/debian/patches/extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch b/debian/patches/extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch new file mode 100644 index 0000000..05eda0e --- /dev/null +++ b/debian/patches/extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch @@ -0,0 +1,31 @@ +From 93b7498c9e8adcd51c70f8df88b9228658b43595 Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Wed, 29 Nov 2017 09:39:55 +0100 +Subject: [PATCH 15/23] nbd/server: CVE-2017-15119 Reject options larger than + 32M + +Backported-from: fdad35ef6c58 +--- + nbd/server.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/nbd/server.c b/nbd/server.c +index a98bb21a0a..4d6da8ac06 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -489,6 +489,12 @@ static int nbd_negotiate_options(NBDClient *client) + } + length = be32_to_cpu(length); + ++ if (length > NBD_MAX_BUFFER_SIZE) { ++ LOG("len (%" PRIu32" ) is larger than max len (%u)", ++ length, NBD_MAX_BUFFER_SIZE); ++ return -EINVAL; ++ } ++ + TRACE("Checking option 0x%" PRIx32, clientflags); + if (client->tlscreds && + client->ioc == (QIOChannel *)client->sioc) { +-- +2.11.0 + diff --git a/debian/patches/extra/0016-vga-migration-Update-memory-map-in-post_load.patch b/debian/patches/extra/0016-vga-migration-Update-memory-map-in-post_load.patch new file mode 100644 index 0000000..88fdbad --- /dev/null +++ b/debian/patches/extra/0016-vga-migration-Update-memory-map-in-post_load.patch 
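Review bot: The new bound `if (length > NBD_MAX_BUFFER_SIZE)` is the whole of the CVE-2017-15119 fix, yet the backport carries only a `Backported-from:` line and no comment at the check, so a later reader of `nbd_negotiate_options` (which starts before and continues after this hunk) cannot tell why 32M is the limit or that the check must stay ahead of every read, drain or allocation keyed on `length`. I would add above the `if`: `/* CVE-2017-15119: cap the option payload before anything below reads, drains or allocates based on length. */`. Placing it before the TLS check looks right, since an unencrypted client still negotiating STARTTLS is then covered too; whether the `LOG` here can be spammed by unauthenticated peers depends on rate limiting that is not visible in this hunk.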
@@ -0,0 +1,32 @@ +From 8b2be8e3f9c1ca9f78b1c87ead13f54fbd98198a Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Fri, 4 Aug 2017 12:33:29 +0100 +Subject: [PATCH 16/23] vga/migration: Update memory map in post_load + +After migration the chain4 alias mapping added by 80763888 (in 2011) +might be missing, since there's no call to vga_update_memory_access +in the post_load after the registers are updated. Add it back. + +Signed-off-by: Dr. David Alan Gilbert +Reviewed-by: Juan Quintela +Message-id: 20170804113329.13609-1-dgilbert@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/vga.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 13e4a5d55d..a99d831e04 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -2050,6 +2050,7 @@ static int vga_common_post_load(void *opaque, int version_id) + /* force refresh */ + s->graphic_mode = -1; + vbe_update_vgaregs(s); ++ vga_update_memory_access(s); + return 0; + } + +-- +2.11.0 + diff --git a/debian/patches/extra/0017-vga-drop-line_offset-variable.patch b/debian/patches/extra/0017-vga-drop-line_offset-variable.patch new file mode 100644 index 0000000..d3ac294 --- /dev/null +++ b/debian/patches/extra/0017-vga-drop-line_offset-variable.patch 
@@ -0,0 +1,52 @@ +From 3a1728b97f64e3ed4efc827bce7ff917ea5b6dd1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 10 Oct 2017 16:13:21 +0200 +Subject: [PATCH 17/23] vga: drop line_offset variable + +Signed-off-by: Gerd Hoffmann +--- + hw/display/vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index a99d831e04..77af807a51 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -1464,7 +1464,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + { + DisplaySurface *surface = qemu_console_surface(s->con); + int y1, y, update, linesize, y_start, double_scan, mask, depth; +- int width, height, shift_control, line_offset, bwidth, bits; ++ int width, height, shift_control, bwidth, bits; + ram_addr_t page0, page1; + DirtyBitmapSnapshot *snap = NULL; + int disp_width, multi_scan, multi_run; +@@ -1614,7 +1614,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + s->cursor_invalidate(s); + } + +- line_offset = s->line_offset; + #if 0 + printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", + width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], +@@ -1629,7 +1628,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + + if (!full_update) { + ram_addr_t region_start = addr1; +- ram_addr_t region_end = addr1 + line_offset * height; ++ ram_addr_t region_end = addr1 + s->line_offset * height; + vga_sync_dirty_bitmap(s); + if (s->line_compare < height) { + /* split screen mode */ +@@ -1681,7 +1680,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + if (!multi_run) { + mask = (s->cr[VGA_CRTC_MODE] & 3) ^ 3; + if ((y1 & mask) == mask) +- addr1 += line_offset; ++ addr1 += s->line_offset; + y1++; + multi_run = multi_scan; + } else { +-- +2.11.0 + 
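Review bot: The `#if 0` debugging `printf` left in context still passes the local `line_offset` that this hunk removes (`width, height, v, line_offset, s->cr[9], ...`), so the disabled block no longer compiles if anyone re-enables it. Either change that argument to `s->line_offset` or drop the dead `#if 0` block together with the variable, rather than leaving a stale reference behind. vga_draw_graphic starts before and continues after this hunk.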
diff --git a/debian/patches/extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch b/debian/patches/extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch new file mode 100644 index 0000000..2792925 --- /dev/null +++ b/debian/patches/extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch 
@@ -0,0 +1,103 @@ +From b63830cd6f59a87ef9bdb4f466ce8f4bd2ff5315 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 10 Oct 2017 16:13:22 +0200 +Subject: [PATCH 18/23] vga: handle cirrus vbe mode wraparounds. + +Commit "3d90c62548 vga: stop passing pointers to vga_draw_line* +functions" is incomplete. It doesn't handle the case that the vga +rendering code tries to create a shared surface, i.e. a pixman image +backed by vga video memory. That can not work in case the guest display +wraps from end of video memory to the start. So force shadowing in that +case. Also adjust the snapshot region calculation. + +Can trigger with cirrus only, when programming vbe modes using the bochs +api (stdvga, also qxl and virtio-vga in vga compat mode) wrap arounds +can't happen. + +Fixes: CVE-2017-13672 +Fixes: 3d90c6254863693a6b13d918d2b8682e08bbc681 +Cc: P J P +Reported-by: David Buchanan +Signed-off-by: Gerd Hoffmann +Message-id: 20171010141323.14049-3-kraxel@redhat.com +--- + hw/display/vga.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 77af807a51..7bdbf7441e 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -1465,13 +1465,13 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + DisplaySurface *surface = qemu_console_surface(s->con); + int y1, y, update, linesize, y_start, double_scan, mask, depth; + int width, height, shift_control, bwidth, bits; +- ram_addr_t page0, page1; ++ ram_addr_t page0, page1, region_start, region_end; + DirtyBitmapSnapshot *snap = NULL; + int disp_width, multi_scan, multi_run; + uint8_t *d; + uint32_t v, addr1, addr; + vga_draw_line_func *vga_draw_line = NULL; +- bool share_surface; ++ bool share_surface, force_shadow = false; + pixman_format_code_t format; + #ifdef HOST_WORDS_BIGENDIAN + bool byteswap = !s->big_endian_fb; +@@ -1484,6 +1484,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + 
s->get_resolution(s, &width, &height); + disp_width = width; + ++ region_start = (s->start_addr * 4); ++ region_end = region_start + s->line_offset * height; ++ if (region_end > s->vbe_size) { ++ /* wraps around (can happen with cirrus vbe modes) */ ++ region_start = 0; ++ region_end = s->vbe_size; ++ force_shadow = true; ++ } ++ + shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3; + double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7); + if (shift_control != 1) { +@@ -1523,7 +1532,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + format = qemu_default_pixman_format(depth, !byteswap); + if (format) { + share_surface = dpy_gfx_check_format(s->con, format) +- && !s->force_shadow; ++ && !s->force_shadow && !force_shadow; + } else { + share_surface = false; + } +@@ -1627,8 +1636,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + y1 = 0; + + if (!full_update) { +- ram_addr_t region_start = addr1; +- ram_addr_t region_end = addr1 + s->line_offset * height; + vga_sync_dirty_bitmap(s); + if (s->line_compare < height) { + /* split screen mode */ +@@ -1651,10 +1658,17 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + addr = (addr & ~0x8000) | ((y1 & 2) << 14); + } + update = full_update; +- page0 = addr; +- page1 = addr + bwidth - 1; ++ page0 = addr & s->vbe_size_mask; ++ page1 = (addr + bwidth - 1) & s->vbe_size_mask; + if (full_update) { + update = 1; ++ } else if (page1 < page0) { ++ /* scanline wraps from end of video memory to the start */ ++ assert(force_shadow); ++ update = memory_region_snapshot_get_dirty(&s->vram, snap, ++ page0, 0); ++ update |= memory_region_snapshot_get_dirty(&s->vram, snap, ++ page1, 0); + } else { + update = memory_region_snapshot_get_dirty(&s->vram, snap, + page0, page1 - page0); +-- +2.11.0 + diff --git a/debian/patches/extra/0019-vga-add-ram_addr_t-cast.patch b/debian/patches/extra/0019-vga-add-ram_addr_t-cast.patch new file mode 100644 index 0000000..85f800b --- /dev/null 
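Review bot: The wrap pre-check `region_end = region_start + s->line_offset * height` sizes the framebuffer with `line_offset` for every scanline, while the per-line test later in the hunk wraps whenever `(addr + bwidth - 1) & s->vbe_size_mask` drops below `page0`; if a mode's last scanline is longer than `line_offset` (bwidth > line_offset), that line can cross `vbe_size` without `region_end` doing so, and then `assert(force_shadow)` in the wrap branch becomes a guest-reachable abort instead of a rendering fallback (and, hedged since the snapshot helper is outside this hunk, the non-wrapping path may query past the snapshot's end as well). I would fold the last scanline's real length into the pre-check, e.g. `region_end += width * s->get_bpp(s) / 8; region_end -= s->line_offset;` ahead of the `region_end > s->vbe_size` test, assuming `get_bpp` is usable there as it is elsewhere in vga_draw_graphic. `region_start` is derived here from `s->start_addr * 4`, but `addr1`, which the loop actually walks from, is assigned outside this hunk, so the two derivations need to stay in step. vga_draw_graphic starts before and continues after this hunk.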
+++ b/debian/patches/extra/0019-vga-add-ram_addr_t-cast.patch @@ -0,0 +1,30 @@ +From 918868b77c7a04d3e2aa7bbc7f9255dafe75f709 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 10 Oct 2017 16:13:23 +0200 +Subject: [PATCH 19/23] vga: add ram_addr_t cast + +Reported by Coverity. + +Fixes: CID 1381409 +Signed-off-by: Gerd Hoffmann +Message-id: 20171010141323.14049-4-kraxel@redhat.com +--- + hw/display/vga.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 7bdbf7441e..63ba404ef2 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -1485,7 +1485,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + disp_width = width; + + region_start = (s->start_addr * 4); +- region_end = region_start + s->line_offset * height; ++ region_end = region_start + (ram_addr_t)s->line_offset * height; + if (region_end > s->vbe_size) { + /* wraps around (can happen with cirrus vbe modes) */ + region_start = 0; +-- +2.11.0 + diff --git a/debian/patches/extra/0020-vga-fix-region-checks-in-wraparound-case.patch b/debian/patches/extra/0020-vga-fix-region-checks-in-wraparound-case.patch new file mode 100644 index 0000000..c1e1e99 --- /dev/null +++ b/debian/patches/extra/0020-vga-fix-region-checks-in-wraparound-case.patch 
@@ -0,0 +1,32 @@ +From 3c51ccd7bb43dd763a1ff3112b8a0cd7e145ca4f Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 30 Oct 2017 11:28:30 +0100 +Subject: [PATCH 20/23] vga: fix region checks in wraparound case + +Cc: "Dr. David Alan Gilbert" +Signed-off-by: Gerd Hoffmann +Reviewed-by: Dr. David Alan Gilbert +Message-id: 20171030102830.4469-1-kraxel@redhat.com +--- + hw/display/vga.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 63ba404ef2..a58d8bcd67 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -1666,9 +1666,9 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + /* scanline wraps from end of video memory to the start */ + assert(force_shadow); + update = memory_region_snapshot_get_dirty(&s->vram, snap, +- page0, 0); ++ page0, s->vbe_size - page0); + update |= memory_region_snapshot_get_dirty(&s->vram, snap, +- page1, 0); ++ 0, page1); + } else { + update = memory_region_snapshot_get_dirty(&s->vram, snap, + page0, page1 - page0); +-- +2.11.0 + diff --git a/debian/patches/extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch b/debian/patches/extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch new file mode 100644 index 0000000..5520544 --- /dev/null +++ b/debian/patches/extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch 
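Review bot: The second range in the wrap branch, `0, page1`, covers `[0, page1)` and so omits the scanline's last byte at `page1` itself, whereas the first range `s->vbe_size - page0` runs inclusively to the end of vram; if the snapshot lookup rounds the end up to a page boundary (not visible here), the mismatch only matters when `page1` lands on the first byte of a page, but that is exactly the case where a dirty final page is skipped. `0, page1 + 1` would be the exact range. The pre-existing non-wrap branch `page0, page1 - page0` has the same exclusive end, so if that is deliberate a one-line comment stating that the ranges are page-rounded would be enough. vga_draw_graphic starts before and continues after this hunk.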
@@ -0,0 +1,55 @@ +From 89a1271a7687018cdbf2b7f92cf3d50d079e100e Mon Sep 17 00:00:00 2001 +From: "Daniel P. Berrange" +Date: Mon, 9 Oct 2017 14:43:42 +0100 +Subject: [PATCH 21/23] io: monitor encoutput buffer size from websocket + GSource + +The websocket GSource is monitoring the size of the rawoutput +buffer to determine if the channel can accepts more writes. +The rawoutput buffer, however, is merely a temporary staging +buffer before data is copied into the encoutput buffer. Thus +its size will always be zero when the GSource runs. + +This flaw causes the encoutput buffer to grow without bound +if the other end of the underlying data channel doesn't +read data being sent. This can be seen with VNC if a client +is on a slow WAN link and the guest OS is sending many screen +updates. A malicious VNC client can act like it is on a slow +link by playing a video in the guest and then reading data +very slowly, causing QEMU host memory to expand arbitrarily. + +This issue is assigned CVE-2017-15268, publically reported in + + https://bugs.launchpad.net/qemu/+bug/1718964 + +Reviewed-by: Eric Blake +Signed-off-by: Daniel P. Berrange +--- + io/channel-websock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/io/channel-websock.c b/io/channel-websock.c +index 8fabadea2f..882bbb4cbc 100644 +--- a/io/channel-websock.c ++++ b/io/channel-websock.c +@@ -26,7 +26,7 @@ + #include "trace.h" + + +-/* Max amount to allow in rawinput/rawoutput buffers */ ++/* Max amount to allow in rawinput/encoutput buffers */ + #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192 + + #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24 +@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source, + if (wsource->wioc->rawinput.offset) { + cond |= G_IO_IN; + } +- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { ++ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { + cond |= G_IO_OUT; + } + +-- +2.11.0 + 
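Review bot: Switching the readiness test to `wsource->wioc->encoutput.offset` bounds the buffer only for writers that wait for `G_IO_OUT` from this GSource; the writev/encode path that actually appends to `encoutput` lies outside this hunk, and if it does not itself stop accepting data once `encoutput.offset` has reached `QIO_CHANNEL_WEBSOCK_MAX_BUFFER`, a caller that writes without polling still grows it without bound. That is worth confirming, or guarding there with the channel's would-block return, e.g. `if (wioc->encoutput.offset >= QIO_CHANNEL_WEBSOCK_MAX_BUFFER) return QIO_CHANNEL_ERR_BLOCK;` before encoding. Even for polled writers the cap is soft, since a check that passes at `MAX_BUFFER - 1` still admits one more full write plus frame framing, so the updated comment could say `/* Soft cap: encoutput may exceed this by one write's worth of encoded data */`.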
diff --git a/debian/patches/extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch b/debian/patches/extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch new file mode 100644 index 0000000..6f8b99d --- /dev/null +++ b/debian/patches/extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch @@ -0,0 +1,43 @@ +From 184640d2552895d967214e90e23e005d6657b145 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 16 Oct 2017 14:21:59 +0200 +Subject: [PATCH 22/23] 9pfs: use g_malloc0 to allocate space for xattr + +9p back-end first queries the size of an extended attribute, +allocates space for it via g_malloc() and then retrieves its +value into allocated buffer. Race between querying attribute +size and retrieving its could lead to memory bytes disclosure. +Use g_malloc0() to avoid it. + +Reported-by: Tuomas Tynkkynen +Signed-off-by: Prasad J Pandit +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index c80ba67389..aaf9935ef4 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -3220,7 +3220,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) + xattr_fidp->fid_type = P9_FID_XATTR; + xattr_fidp->fs.xattr.xattrwalk_fid = true; + if (size) { +- xattr_fidp->fs.xattr.value = g_malloc(size); ++ xattr_fidp->fs.xattr.value = g_malloc0(size); + err = v9fs_co_llistxattr(pdu, &xattr_fidp->path, + xattr_fidp->fs.xattr.value, + xattr_fidp->fs.xattr.len); +@@ -3253,7 +3253,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) + xattr_fidp->fid_type = P9_FID_XATTR; + xattr_fidp->fs.xattr.xattrwalk_fid = true; + if (size) { +- xattr_fidp->fs.xattr.value = g_malloc(size); ++ xattr_fidp->fs.xattr.value = g_malloc0(size); + err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path, + &name, xattr_fidp->fs.xattr.value, + xattr_fidp->fs.xattr.len); +-- +2.11.0 + 
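Review bot: Zero-filling with `g_malloc0` stops the heap disclosure, but both call sites still pass `xattr_fidp->fs.xattr.len` (sized by the earlier query) into the read and, as far as this hunk shows, nothing afterwards shrinks that length to what `v9fs_co_llistxattr` or `v9fs_co_lgetxattr` actually returned in `err`; so when the attribute shrinks between the two calls the client is handed trailing zero bytes as if they were attribute data. If the code after the hunk does not already do so, `if (err >= 0) { xattr_fidp->fs.xattr.len = err; }` after each read would make the reported length match the bytes that were really fetched. v9fs_xattrwalk starts before and continues after this hunk.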
diff --git a/debian/patches/extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch b/debian/patches/extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch new file mode 100644 index 0000000..d2bad88 --- /dev/null +++ b/debian/patches/extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch 
@@ -0,0 +1,58 @@ +From b162e22e5f0c1081efeec646999616ce1a7e3875 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 11 Oct 2017 10:43:14 +0200 +Subject: [PATCH 23/23] cirrus: fix oob access in mode4and5 write functions + +Move dst calculation into the loop, so we apply the mask on each +interation and will not overflow vga memory. + +Cc: Prasad J Pandit +Reported-by: Niu Guoxiang +Signed-off-by: Gerd Hoffmann +Message-id: 20171011084314.21752-1-kraxel@redhat.com +--- + hw/display/cirrus_vga.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index afc290ab91..077a8cb74f 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s, + unsigned val = mem_value; + uint8_t *dst; + +- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask); + for (x = 0; x < 8; x++) { ++ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask); + if (val & 0x80) { + *dst = s->cirrus_shadow_gr1; + } else if (mode == 5) { + *dst = s->cirrus_shadow_gr0; + } + val <<= 1; +- dst++; + } + memory_region_set_dirty(&s->vga.vram, offset, 8); + } +@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s, + unsigned val = mem_value; + uint8_t *dst; + +- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask); + for (x = 0; x < 8; x++) { ++ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1); + if (val & 0x80) { + *dst = s->cirrus_shadow_gr1; + *(dst + 1) = s->vga.gr[0x11]; +@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s, + *(dst + 1) = s->vga.gr[0x10]; + } + val <<= 1; +- dst += 2; + } + memory_region_set_dirty(&s->vga.vram, offset, 16); + } +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index b4c21c8..8befbea 100644 --- a/debian/patches/series +++ b/debian/patches/series 
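Review bot: With `dst` now computed per iteration, the removed `offset &= s->cirrus_addr_mask` side effect is gone, so the trailing `memory_region_set_dirty(&s->vga.vram, offset, 8)` (and `..., 16` in the 16bpp variant) receives the caller's unmasked `offset` while the bytes were written at `(offset + x) & s->cirrus_addr_mask`; unless the caller already masks, the dirty range can start somewhere the bytes did not land, and a write that wrapped to the start of vram is never marked dirty at all. I would restore `offset &= s->cirrus_addr_mask;` at the top of both functions so the dirty range at least begins where the first byte was written, with a comment that a wrapped write's tail is not tracked. The 16bpp loop's `& ~1` is also a behaviour change for odd offsets relative to the removed code (`offset &= mask` then `dst += 2` kept the odd alignment); presumably intended, but it deserves a line in the commit message.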
@@ -40,3 +40,12 @@ extra/0011-vga-fix-display-update-region-calculation-split-scre.patch extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch extra/0013-multiboot-validate-multiboot-header-address-values.patch extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch +extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch +extra/0016-vga-migration-Update-memory-map-in-post_load.patch +extra/0017-vga-drop-line_offset-variable.patch +extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch +extra/0019-vga-add-ram_addr_t-cast.patch +extra/0020-vga-fix-region-checks-in-wraparound-case.patch +extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch +extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch +extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch