[Qemu-devel] several security backports to the qemu-xen stable trees

[Stefano Stabellini]

Hi all,

I am writing to let you know that have pushed a long series of backports
to qemu-xen 4.2, 4.3, 4.4 and 4.5 stable staging trees. See below.

All the backports are security fixes of outstanding CVEs affecting QEMU.
As QEMU only provides backports to very recent stable releases, I had to
come up with some of the backports myself -- it is not impossible that I
introduced a few failures.  Please test and report any issues you might
find. Make sure you have QEMU_UPSTREAM_REVISION set to master in
Config.mk to build the lastest qemu-xen changes from the Xen build
system.

I have backported only fixes for issues that are relevant on a Xen
system. Although I also tried to cover things that can be triggered via
device_model_args (custom arguments for QEMU that would otherwise never
be used by libxl), I do not guarantee to have covered all of them. I
didn't backport fixes for emulated hardware we do not compile (e.g.
stellaris_enet) or we do not use (e.g. Q35).


The QEMU security team kindly agreed on letting me know about future
CVEs going forward -- I'll be able to provide timely backports from now
on.  I guarantee to provide backports for security issues that can be
triggered on a Xen system with the standard set of arguments passed by
libxl (no device_model_args) using QEMU as device model or provider of
Xen backends in userspace.

Please note that QEMU security issues are handled by the QEMU Security
team following the process described here: http://wiki.qemu.org/SecurityProcess

For people using QEMU stable trees with Xen, please be aware that QEMU
stable-2.0 and older are missing some of the backports below.  I
recommend switching to a new QEMU stable tree or to qemu-xen.


The full list of backports follow.


= qemu-xen 4.5 =
0b8fb1e cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
f491518 cirrus: fix blit region check
99aa8a7 vnc: sanitize bits_per_pixel from the client
94d09f2 pcihp: fix possible array out of bounds
07fcd79 vmware-vga: CVE-2014-3689: turn off hw accel
979e4ea slirp: udp: fix NULL pointer dereference because of uninitialized socket
5c34028 spice: make sure we don't overflow ssd->buf
7154fba vbe: rework sanity checks
bedbc31 usb: fix up post load checks
c2757fe virtio-pci: fix MSI memory region use after free

= qemu-xen 4.4 =
d173a0c dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
8b03ba5 dmg: prevent chunk buffer overflow (CVE-2014-0145)
f2edd51 bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
b054785 qcow1: Validate image size (CVE-2014-0223)
7e6a078 qcow1: Validate L2 table size (CVE-2014-0222)
79eb552 qcow2: Don't rely on free_cluster_index in alloc_refcount_block() 
(CVE-2014-0147)
a796a26 qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
b9b190d qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() 
(CVE-2014-0145)
d792187 cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
e12ce81 cirrus: fix blit region check
f67b16a vnc: sanitize bits_per_pixel from the client
9708234 vmstate_xhci_event: fix unterminated field list
a288888 vmware-vga: CVE-2014-3689: turn off hw accel
f087884 slirp: udp: fix NULL pointer dereference because of uninitialized socket
2b4231f spice: make sure we don't overflow ssd->buf
3a8ef4b vbe: rework sanity checks
d0737b7 usb: fix up post load checks
29236c2 ide: Correct improper smart self test counter reset in ide core.
a86ea88 virtio: validate config_len on load
755a427 virtio-net: fix guest-triggerable buffer overrun
e86cc06 vhdx: Bounds checking for block_size and logical_sector_size 
(CVE-2014-0148)
d961961 virtio: avoid buffer overrun on incoming migration
ba607aa vmxnet3: validate queues configuration read on migration
8cc99ff vmxnet3: validate interrupt indices read on migration
7d34b5b vmxnet3: validate queues configuration coming from guest
ede728f vmxnet3: validate interrupt indices coming from guest
1b29677 virtio-scsi: fix buffer overrun on invalid state load
1a228d0 usb: sanity check setup_index+setup_len in post_load
5202189 virtio: validate num_sg when mapping
458864c hpet: fix buffer overrun on invalid state load
ae05660 ahci: fix buffer overrun on invalid state load
dee7bab virtio: out-of-bounds buffer write on invalid state load
651a486 virtio-net: out-of-bounds buffer write on invalid state load
90d1a97 virtio-net: out-of-bounds buffer write on load
ec86632 virtio-net: fix buffer overflow on invalid state load

= qemu-xen 4.3 =
ab689a8 dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
1e005e1 dmg: prevent chunk buffer overflow (CVE-2014-0145)
2b2db1e bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
62692e1 qcow1: Validate image size (CVE-2014-0223)
2247bc8 qcow1: Validate L2 table size (CVE-2014-0222)
982dc22 qcow2: Don't rely on free_cluster_index in alloc_refcount_block() 
(CVE-2014-0147)
8c58457 qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
9af4ce8 qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() 
(CVE-2014-0145)
a6396e4 cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
41bb09c cirrus: fix blit region check
080b7f3 vnc: sanitize bits_per_pixel from the client
d36794a vmware-vga: CVE-2014-3689: turn off hw accel
17f77d7 slirp: udp: fix NULL pointer dereference because of uninitialized socket
79c312d spice: make sure we don't overflow ssd->buf
dcf4304 vbe: rework sanity checks
059183b usb: fix up post load checks
503bf65 ide: Correct improper smart self test counter reset in ide core.
ccecdd2 virtio: validate config_len on load
e377201 virtio-net: fix guest-triggerable buffer overrun
ac8befd virtio: avoid buffer overrun on incoming migration
300645d virtio-scsi: fix buffer overrun on invalid state load
8e78990 usb: sanity check setup_index+setup_len in post_load
43e42a4 virtio: validate num_sg when mapping
857f258 hpet: fix buffer overrun on invalid state load
9b3d3a8 scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]
2ee7534 virtio: out-of-bounds buffer write on invalid state load
767d23f virtio-net: out-of-bounds buffer write on load
335e012 virtio-net: fix buffer overflow on invalid state load
81aefc3 block/curl: only restrict protocols with libcurl>=7.19.4
1a8d18e block/curl: disable extra protocols to prevent CVE-2013-0249

= qemu-xen 4.2 =
e49807b dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
4535b0a dmg: prevent chunk buffer overflow (CVE-2014-0145)
3b96d66 bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
8820cc3 qcow1: Validate image size (CVE-2014-0223)
0d21719 qcow1: Validate L2 table size (CVE-2014-0222)
df2adab qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
e962bea cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
008fdf4 cirrus: fix blit region check
3757104 vnc: sanitize bits_per_pixel from the client
0cfe152 vmware-vga: CVE-2014-3689: turn off hw accel
a4e40c9 slirp: udp: fix NULL pointer dereference because of uninitialized socket
19cba3e spice: make sure we don't overflow ssd->buf
372e797 vbe: rework sanity checks
f593f25 ide: Correct improper smart self test counter reset in ide core.
8911317 virtio: validate config_len on load
8c9231f virtio-net: fix guest-triggerable buffer overrun
501d7f8 virtio: avoid buffer overrun on incoming migration
f25df98 virtio: validate num_sg when mapping
d05d97d hpet: fix buffer overrun on invalid state load
b1a5844 scsi: Allocate SCSITargetReq r->buf dynamically [CVE-2013-4344]
2c25446 virtio: out-of-bounds buffer write on invalid state load
67a4e8e virtio-net: out-of-bounds buffer write on load
f8d1290 virtio-net: fix buffer overflow on invalid state load
3dfdb53 block/curl: only restrict protocols with libcurl>=7.19.4
c2e7bd6 block/curl: disable extra protocols to prevent CVE-2013-0249
1390287 block: prevent snapshot mode $TMPDIR symlink attack
c84338f virtio-blk: refuse SG_IO requests with scsi=off


Thanks,

Stefano