
01/01: gnu: qemu: Fix CVE-2017-{15038,15268,15289}.


From: Leo Famulari
Subject: 01/01: gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Date: Fri, 10 Nov 2017 12:16:49 -0500 (EST)

lfam pushed a commit to branch master
in repository guix.

commit adf7e69cab6180ef75360a1c0731c93f4bff2b18
Author: Leo Famulari <address@hidden>
Date:   Wed Nov 8 21:04:33 2017 -0500

    gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
    
    * gnu/packages/patches/qemu-CVE-2017-15038.patch,
    gnu/packages/patches/qemu-CVE-2017-15268.patch,
    gnu/packages/patches/qemu-CVE-2017-15289.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/virtualization.scm (qemu)[source]: Use them.
---
 gnu/local.mk                                   |  3 ++
 gnu/packages/patches/qemu-CVE-2017-15038.patch | 51 ++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-15268.patch | 62 ++++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-15289.patch | 66 ++++++++++++++++++++++++++
 gnu/packages/virtualization.scm                |  3 ++
 5 files changed, 185 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index ecee15b..69411ec 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1015,6 +1015,9 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
   %D%/packages/patches/python2-subprocess32-disable-input-test.patch   \
   %D%/packages/patches/python2-unittest2-remove-argparse.patch \
+  %D%/packages/patches/qemu-CVE-2017-15038.patch               \
+  %D%/packages/patches/qemu-CVE-2017-15268.patch               \
+  %D%/packages/patches/qemu-CVE-2017-15289.patch               \
   %D%/packages/patches/qt4-ldflags.patch                       \
   %D%/packages/patches/qtscript-disable-tests.patch            \
   %D%/packages/patches/quagga-reproducible-build.patch          \
diff --git a/gnu/packages/patches/qemu-CVE-2017-15038.patch 
b/gnu/packages/patches/qemu-CVE-2017-15038.patch
new file mode 100644
index 0000000..4791a18
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15038.patch
@@ -0,0 +1,51 @@
+Fix CVE-2017-15038:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6
+
+From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <address@hidden>
+Date: Mon, 16 Oct 2017 14:21:59 +0200
+Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
+
+9p back-end first queries the size of an extended attribute,
+allocates space for it via g_malloc() and then retrieves its
+value into allocated buffer. Race between querying attribute
+size and retrieving its could lead to memory bytes disclosure.
+Use g_malloc0() to avoid it.
+
+Reported-by: Tuomas Tynkkynen <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Signed-off-by: Greg Kurz <address@hidden>
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 23ac7bb532..f8bbac251d 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+         xattr_fidp->fid_type = P9_FID_XATTR;
+         xattr_fidp->fs.xattr.xattrwalk_fid = true;
+         if (size) {
+-            xattr_fidp->fs.xattr.value = g_malloc(size);
++            xattr_fidp->fs.xattr.value = g_malloc0(size);
+             err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
+                                      xattr_fidp->fs.xattr.value,
+                                      xattr_fidp->fs.xattr.len);
+@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+         xattr_fidp->fid_type = P9_FID_XATTR;
+         xattr_fidp->fs.xattr.xattrwalk_fid = true;
+         if (size) {
+-            xattr_fidp->fs.xattr.value = g_malloc(size);
++            xattr_fidp->fs.xattr.value = g_malloc0(size);
+             err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
+                                     &name, xattr_fidp->fs.xattr.value,
+                                     xattr_fidp->fs.xattr.len);
+-- 
+2.15.0
+
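Review bot: Neither `g_malloc0(size)` call in the embedded 9p.c change has a comment saying why the buffer must be zeroed, so a later cleanup could switch it back to `g_malloc()` and reintroduce the disclosure described in the commit message. I would add above each allocation something like `/* zeroed on purpose: the xattr can shrink between the size query and this read, so the unused tail must not hold stale heap bytes */`. The race between the size query and the retrieval is still there after this change; how a shorter-than-expected result from `v9fs_co_llistxattr()` / `v9fs_co_lgetxattr()` interacts with `fs.xattr.len` is decided outside the visible lines and is worth confirming. Both sites are in `v9fs_xattrwalk`, whose body starts and ends outside these hunks.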
diff --git a/gnu/packages/patches/qemu-CVE-2017-15268.patch 
b/gnu/packages/patches/qemu-CVE-2017-15268.patch
new file mode 100644
index 0000000..8238c30
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15268.patch
@@ -0,0 +1,62 @@
+Fix CVE-2017-15268:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15268
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a7b20a8efa28e5f22c26c06cd06c2f12bc863493
+
+From a7b20a8efa28e5f22c26c06cd06c2f12bc863493 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <address@hidden>
+Date: Mon, 9 Oct 2017 14:43:42 +0100
+Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
+
+The websocket GSource is monitoring the size of the rawoutput
+buffer to determine if the channel can accepts more writes.
+The rawoutput buffer, however, is merely a temporary staging
+buffer before data is copied into the encoutput buffer. Thus
+its size will always be zero when the GSource runs.
+
+This flaw causes the encoutput buffer to grow without bound
+if the other end of the underlying data channel doesn't
+read data being sent. This can be seen with VNC if a client
+is on a slow WAN link and the guest OS is sending many screen
+updates. A malicious VNC client can act like it is on a slow
+link by playing a video in the guest and then reading data
+very slowly, causing QEMU host memory to expand arbitrarily.
+
+This issue is assigned CVE-2017-15268, publically reported in
+
+  https://bugs.launchpad.net/qemu/+bug/1718964
+
+Reviewed-by: Eric Blake <address@hidden>
+Signed-off-by: Daniel P. Berrange <address@hidden>
+---
+ io/channel-websock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/io/channel-websock.c b/io/channel-websock.c
+index d1d471f86e..04bcc059cd 100644
+--- a/io/channel-websock.c
++++ b/io/channel-websock.c
+@@ -28,7 +28,7 @@
+ #include <time.h>
+ 
+ 
+-/* Max amount to allow in rawinput/rawoutput buffers */
++/* Max amount to allow in rawinput/encoutput buffers */
+ #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
+ 
+ #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
+@@ -1208,7 +1208,7 @@ qio_channel_websock_source_check(GSource *source)
+     if (wsource->wioc->rawinput.offset || wsource->wioc->io_eof) {
+         cond |= G_IO_IN;
+     }
+-    if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
++    if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+         cond |= G_IO_OUT;
+     }
+ 
+-- 
+2.15.0
+
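Review bot: The corrected test in `qio_channel_websock_source_check` only decides whether `G_IO_OUT` is advertised, so `QIO_CHANNEL_WEBSOCK_MAX_BUFFER` caps `encoutput` only if the write path actually stops accepting data once that buffer is full. The write path is not part of this hunk, so it should be confirmed that it bounds against `encoutput.offset` too, rather than against `rawoutput.offset`, which the commit message says is always zero when the source runs. If the limit really is advisory, the macro comment could say so, for example `/* Max amount to allow in rawinput/encoutput buffers (checked in the GSource, not a hard cap) */`. The function body continues outside the hunk.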
diff --git a/gnu/packages/patches/qemu-CVE-2017-15289.patch 
b/gnu/packages/patches/qemu-CVE-2017-15289.patch
new file mode 100644
index 0000000..d4b536a
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15289.patch
@@ -0,0 +1,66 @@
+Fix CVE-2017-15289:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15289
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=eb38e1bc3740725ca29a535351de94107ec58d51
 
+
+From eb38e1bc3740725ca29a535351de94107ec58d51 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <address@hidden>
+Date: Wed, 11 Oct 2017 10:43:14 +0200
+Subject: [PATCH] cirrus: fix oob access in mode4and5 write functions
+
+Move dst calculation into the loop, so we apply the mask on each
+interation and will not overflow vga memory.
+
+Cc: Prasad J Pandit <address@hidden>
+Reported-by: Niu Guoxiang <address@hidden>
+Signed-off-by: Gerd Hoffmann <address@hidden>
+Message-id: address@hidden
+---
+ hw/display/cirrus_vga.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index b4d579857a..bc32bf1e39 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -2038,15 +2038,14 @@ static void 
cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
+     unsigned val = mem_value;
+     uint8_t *dst;
+ 
+-    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
+     for (x = 0; x < 8; x++) {
++        dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
+       if (val & 0x80) {
+           *dst = s->cirrus_shadow_gr1;
+       } else if (mode == 5) {
+           *dst = s->cirrus_shadow_gr0;
+       }
+       val <<= 1;
+-      dst++;
+     }
+     memory_region_set_dirty(&s->vga.vram, offset, 8);
+ }
+@@ -2060,8 +2059,8 @@ static void 
cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
+     unsigned val = mem_value;
+     uint8_t *dst;
+ 
+-    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
+     for (x = 0; x < 8; x++) {
++        dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
+       if (val & 0x80) {
+           *dst = s->cirrus_shadow_gr1;
+           *(dst + 1) = s->vga.gr[0x11];
+@@ -2070,7 +2069,6 @@ static void 
cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
+           *(dst + 1) = s->vga.gr[0x10];
+       }
+       val <<= 1;
+-      dst += 2;
+     }
+     memory_region_set_dirty(&s->vga.vram, offset, 16);
+ }
+-- 
+2.15.0
+
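Review bot: In both mode4and5 write functions the removed line also masked `offset` in place (`offset &= s->cirrus_addr_mask`), and the new per-iteration computation does not, so `memory_region_set_dirty(&s->vga.vram, offset, 8)` and the 16bpp call with length 16 now receive the caller's unmasked value. Unless every caller already masks the offset (not visible here), the dirty range can differ from the bytes actually written, and it does not follow the wrap-around that the masked `dst` can now take. Keeping the mask for the dirty call, e.g. `memory_region_set_dirty(&s->vga.vram, offset & s->cirrus_addr_mask, 8);`, would preserve the previous behaviour. The 16bpp `*(dst + 1)` store stays in bounds only because of `& ~1` together with `cirrus_addr_mask` having the form 2^n - 1, which deserves a one-line comment next to the computation. Both function bodies begin outside the hunks.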
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 14b1dfb..be0a68d 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -82,6 +82,9 @@
              (method url-fetch)
              (uri (string-append "https://download.qemu.org/qemu-";
                                  version ".tar.xz"))
+             (patches (search-patches "qemu-CVE-2017-15038.patch"
+                                      "qemu-CVE-2017-15268.patch"
+                                      "qemu-CVE-2017-15289.patch"))
              (sha256
               (base32
                "1ahwl7r18iw2ds0q3c51nlivqsan9hcgnc8bbf9pv366iy81mm8x"))))


