bump version to 2.9.1-3

master
Wolfgang Bumiller 2017-11-29 09:58:28 +01:00
parent 5b379b84ff
commit c53dfb5728
26 changed files with 494 additions and 30 deletions


@ -1,6 +1,6 @@
# also update debian/changelog
KVMVER=2.9.1
KVMPKGREL=2
KVMPKGREL=3
KVMPACKAGE = pve-qemu-kvm
KVMSRC = qemu

debian/changelog vendored

@ -1,3 +1,20 @@
pve-qemu-kvm (2.9.1-3) stable; urgency=medium
* fix CVE-2017-15119: reject large nbd option requests
* fix CVE-2017-13672: vga: handle cirrus vbe mode wraparounds
* fix CVE-2017-15268: websocket issue with slow VNC clients
* fix CVE-2017-15289: cirrus: OOB access issue in mode4and5 write functions
* fix CVE-2017-15038: 9p: virtfs: information disclosure when reading
extended attributes
* various other vga stable fixes
-- Proxmox Support Team <support@proxmox.com> Wed, 29 Nov 2017 09:56:39 +0100
pve-qemu-kvm (2.9.1-2) stable; urgency=medium
* fix #1107: fix an issue where virtio devices would error on valid commands


@ -1,7 +1,7 @@
From b143eba39dd462833093ee1c9660bb157e72ce54 Mon Sep 17 00:00:00 2001
From c2835302a557437ef22944902da17686247edd35 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 4 Jul 2016 15:02:26 +0200
Subject: [PATCH 01/13] Revert "target-i386: disable LINT0 after reset"
Subject: [PATCH 01/23] Revert "target-i386: disable LINT0 after reset"
This reverts commit b8eb5512fd8a115f164edbbe897cdf8884920ccb.
---
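Review bot: the only changes in this and the following twelve patch headers are the regenerated From: commit hash and the [PATCH nn/13] to [PATCH nn/23] renumbering, which makes the review diff far noisier than the real change (patches 15 to 23). Generating the series with `git format-patch --zero-commit --no-numbered` would keep the unchanged patches byte-identical across version bumps, so a reviewer could see at a glance that only new files were added.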


@ -1,7 +1,7 @@
From aec6bba73f7d7692de2c4196ee80e4d753b45604 Mon Sep 17 00:00:00 2001
From 7ea086a97a09774c9ac8f0df236a0acb01dfc1ef Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Fri, 2 Jun 2017 10:54:24 +0100
Subject: [PATCH 02/13] virtio-serial: fix segfault on disconnect
Subject: [PATCH 02/23] virtio-serial: fix segfault on disconnect
Since commit d4c19cdeeb2f1e474bc426a6da261f1d7346eb5b ("virtio-serial:
add missing virtio_detach_element() call") the following commands may


@ -1,7 +1,7 @@
From 3884a6e250302f5f3d002ed03c20fb9678ea85e7 Mon Sep 17 00:00:00 2001
From 8a6382046bb0a71f1deb7b7ca3954662353f3f65 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 1 Jun 2017 17:26:14 +0200
Subject: [PATCH 03/13] megasas: always store SCSIRequest* into MegasasCmd
Subject: [PATCH 03/23] megasas: always store SCSIRequest* into MegasasCmd
This ensures that the request is unref'ed properly, and avoids a
segmentation fault in the new qtest testcase that is added.


@ -1,7 +1,7 @@
From 918e23903f5712274830bb20e2d5603bf5794af7 Mon Sep 17 00:00:00 2001
From 76d3fb511849efb8bcd8690cd008a46408fac6dd Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 17 Jul 2017 17:33:26 +0530
Subject: [PATCH 04/13] slirp: check len against dhcp options array end
Subject: [PATCH 04/23] slirp: check len against dhcp options array end
While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing


@ -1,7 +1,7 @@
From f635d03bc56b8d56589f8f962f893de1e8126c06 Mon Sep 17 00:00:00 2001
From 1c0ba3702859ca6affc1a3f9cad3d35ccc4773ed Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 9 Aug 2017 17:02:11 +0100
Subject: [PATCH 05/13] IDE: Do not flush empty CDROM drives
Subject: [PATCH 05/23] IDE: Do not flush empty CDROM drives
The block backend changed in a way that flushing empty CDROM drives now
crashes. Amend IDE to avoid doing so until the root problem can be


@ -1,7 +1,7 @@
From 9d6486413e60b1d973f7ec2ac006fc9b8e210ddd Mon Sep 17 00:00:00 2001
From 14a318bd04ab27f0f8f5dbe5aba53a817f85e016 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:24 +0200
Subject: [PATCH 06/13] bitmap: add bitmap_copy_and_clear_atomic
Subject: [PATCH 06/23] bitmap: add bitmap_copy_and_clear_atomic
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-2-kraxel@redhat.com


@ -1,7 +1,7 @@
From a89da93a2d3ffd3ba9516da89ecfbb0dd5fd51ad Mon Sep 17 00:00:00 2001
From 2628973e5f8a50f3b308395fa8a33b8f4fdc9024 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:25 +0200
Subject: [PATCH 07/13] memory: add support getting and using a dirty bitmap
Subject: [PATCH 07/23] memory: add support getting and using a dirty bitmap
copy.
This patch adds support for getting and using a local copy of the dirty


@ -1,7 +1,7 @@
From cef8fb2b8ea711b6686032f86b1caf1815786aaa Mon Sep 17 00:00:00 2001
From 248536e4a93b254fc38aa369f76e828c9ce9b45e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:26 +0200
Subject: [PATCH 08/13] vga: add vga_scanline_invalidated helper
Subject: [PATCH 08/23] vga: add vga_scanline_invalidated helper
Add vga_scanline_invalidated helper to check whenever a scanline was
invalidated. Add a sanity check to fix OOB read access for display


@ -1,7 +1,7 @@
From f7f03687246e62d8efed10ee5ce8c571fc3debc4 Mon Sep 17 00:00:00 2001
From 54b1106d9a24dadae42c4f4c25b4fa2560183f5b Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:27 +0200
Subject: [PATCH 09/13] vga: make display updates thread safe.
Subject: [PATCH 09/23] vga: make display updates thread safe.
The vga code clears the dirty bits *after* reading the framebuffer
memory. So if the guest framebuffer updates hits the race window


@ -1,7 +1,7 @@
From 616f285a074869fd79bc26509a0bd50e6e04e39d Mon Sep 17 00:00:00 2001
From acd029e2a9b9ea93997fcb19c6cd71d6dd6c9cb6 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 9 May 2017 12:48:39 +0200
Subject: [PATCH 10/13] vga: fix display update region calculation
Subject: [PATCH 10/23] vga: fix display update region calculation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From c93a020a1c6a37398d124f063af23d6acb3eb5cb Mon Sep 17 00:00:00 2001
From b8aa853672ab9e94821a43b6cb2a51d24cb2be8c Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 1 Sep 2017 14:57:38 +0200
Subject: [PATCH 11/13] vga: fix display update region calculation (split
Subject: [PATCH 11/23] vga: fix display update region calculation (split
screen)
vga display update mis-calculated the region for the dirty bitmap


@ -1,7 +1,7 @@
From 15c2b7e06a85dd78c7d45b3703639735eee09c01 Mon Sep 17 00:00:00 2001
From 51b08381408f248b1149c0177a90f61f703b8432 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 1 Sep 2017 14:57:39 +0200
Subject: [PATCH 12/13] vga: stop passing pointers to vga_draw_line* functions
Subject: [PATCH 12/23] vga: stop passing pointers to vga_draw_line* functions
Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to


@ -1,7 +1,7 @@
From fff4299fb7be857e93ff5c6ea0f871c62d159c1d Mon Sep 17 00:00:00 2001
From 158e47c5a3ebe4b67d35b7c1e8fecad258e735db Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 7 Sep 2017 12:02:56 +0530
Subject: [PATCH 13/13] multiboot: validate multiboot header address values
Subject: [PATCH 13/23] multiboot: validate multiboot header address values
While loading kernel via multiboot-v1 image, (flags & 0x00010000)
indicates that multiboot header contains valid addresses to load


@ -1,7 +1,7 @@
From 3474ad551f5ff8c550d388251c9555882d9beb5d Mon Sep 17 00:00:00 2001
From 5cd576814744853a855ab64400e2d8d9c0b7bb0e Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 19 Sep 2017 14:20:28 +0200
Subject: [PATCH 14/14] virtio: fix descriptor counting in virtqueue_pop
Date: Wed, 20 Sep 2017 08:09:33 +0200
Subject: [PATCH 14/23] virtio: fix descriptor counting in virtqueue_pop
While changing the s/g list allocation, commit 3b3b0628
also changed the descriptor counting to count iovec entries
@ -15,6 +15,8 @@ Reported-by: Hans Middelhoek <h.middelhoek@ospito.nl>
Link: https://forum.proxmox.com/threads/vm-crash-with-memory-hotplug.35904/
Fixes: 3b3b0628217e ("virtio: slim down allocation of VirtQueueElements")
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/virtio.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
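Review bot: the refreshed header now carries Michael S. Tsirkin's Reviewed-by and Signed-off-by, i.e. this is the version of the virtqueue_pop fix that was accepted upstream, but nothing in the header says which upstream commit it corresponds to. Add a `Backported-from:` line with the upstream commit id, as patch 15 (0015-nbd-server) does, so the downstream copy can be matched against upstream and dropped cleanly on the next rebase.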


@ -0,0 +1,31 @@
From 93b7498c9e8adcd51c70f8df88b9228658b43595 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 29 Nov 2017 09:39:55 +0100
Subject: [PATCH 15/23] nbd/server: CVE-2017-15119 Reject options larger than
32M
Backported-from: fdad35ef6c58
---
nbd/server.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/nbd/server.c b/nbd/server.c
index a98bb21a0a..4d6da8ac06 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -489,6 +489,12 @@ static int nbd_negotiate_options(NBDClient *client)
}
length = be32_to_cpu(length);
+ if (length > NBD_MAX_BUFFER_SIZE) {
+ LOG("len (%" PRIu32" ) is larger than max len (%u)",
+ length, NBD_MAX_BUFFER_SIZE);
+ return -EINVAL;
+ }
+
TRACE("Checking option 0x%" PRIx32, clientflags);
if (client->tlscreds &&
client->ioc == (QIOChannel *)client->sioc) {
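Review bot: the bound check is placed immediately after `length = be32_to_cpu(length);` and before the option is dispatched (the `TRACE("Checking option ...")` line), so it applies uniformly to every option type before any option-specific handling can size a buffer from the attacker-controlled length; that is the right place for it. Two nits on the new LOG line: the format string `"len (%" PRIu32" ) is larger than max len (%u)"` has the space inside the closing parenthesis rather than before the `PRIu32` token, and `NBD_MAX_BUFFER_SIZE` is printed with `%u`, so check in the backport target that the macro expands to an unsigned constant (its definition is not visible in this hunk).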
--
2.11.0


@ -0,0 +1,32 @@
From 8b2be8e3f9c1ca9f78b1c87ead13f54fbd98198a Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Date: Fri, 4 Aug 2017 12:33:29 +0100
Subject: [PATCH 16/23] vga/migration: Update memory map in post_load
After migration the chain4 alias mapping added by 80763888 (in 2011)
might be missing, since there's no call to vga_update_memory_access
in the post_load after the registers are updated. Add it back.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Message-id: 20170804113329.13609-1-dgilbert@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/vga.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 13e4a5d55d..a99d831e04 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -2050,6 +2050,7 @@ static int vga_common_post_load(void *opaque, int version_id)
/* force refresh */
s->graphic_mode = -1;
vbe_update_vgaregs(s);
+ vga_update_memory_access(s);
return 0;
}
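Review bot: the ordering is right: `vga_update_memory_access(s)` is called after `vbe_update_vgaregs(s)`, so the alias mapping is rebuilt from the restored register state, which is what the commit message asks for. Since the hunk changes only the post_load hook and not what is serialized, streams from older versions are handled without a version_id bump.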
--
2.11.0


@ -0,0 +1,52 @@
From 3a1728b97f64e3ed4efc827bce7ff917ea5b6dd1 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 10 Oct 2017 16:13:21 +0200
Subject: [PATCH 17/23] vga: drop line_offset variable
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/vga.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index a99d831e04..77af807a51 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1464,7 +1464,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
{
DisplaySurface *surface = qemu_console_surface(s->con);
int y1, y, update, linesize, y_start, double_scan, mask, depth;
- int width, height, shift_control, line_offset, bwidth, bits;
+ int width, height, shift_control, bwidth, bits;
ram_addr_t page0, page1;
DirtyBitmapSnapshot *snap = NULL;
int disp_width, multi_scan, multi_run;
@@ -1614,7 +1614,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
s->cursor_invalidate(s);
}
- line_offset = s->line_offset;
#if 0
printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
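Review bot: the `#if 0` debug printf at the end of this hunk still references the removed `line_offset` local (`width, height, v, line_offset, s->cr[9], ...`), so anyone enabling that block will hit a compile error. Either change the argument to `s->line_offset` or drop the dead debug block together with the variable.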
@@ -1629,7 +1628,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
if (!full_update) {
ram_addr_t region_start = addr1;
- ram_addr_t region_end = addr1 + line_offset * height;
+ ram_addr_t region_end = addr1 + s->line_offset * height;
vga_sync_dirty_bitmap(s);
if (s->line_compare < height) {
/* split screen mode */
@@ -1681,7 +1680,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
if (!multi_run) {
mask = (s->cr[VGA_CRTC_MODE] & 3) ^ 3;
if ((y1 & mask) == mask)
- addr1 += line_offset;
+ addr1 += s->line_offset;
y1++;
multi_run = multi_scan;
} else {
--
2.11.0


@ -0,0 +1,103 @@
From b63830cd6f59a87ef9bdb4f466ce8f4bd2ff5315 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 10 Oct 2017 16:13:22 +0200
Subject: [PATCH 18/23] vga: handle cirrus vbe mode wraparounds.
Commit "3d90c62548 vga: stop passing pointers to vga_draw_line*
functions" is incomplete. It doesn't handle the case that the vga
rendering code tries to create a shared surface, i.e. a pixman image
backed by vga video memory. That can not work in case the guest display
wraps from end of video memory to the start. So force shadowing in that
case. Also adjust the snapshot region calculation.
Can trigger with cirrus only, when programming vbe modes using the bochs
api (stdvga, also qxl and virtio-vga in vga compat mode) wrap arounds
can't happen.
Fixes: CVE-2017-13672
Fixes: 3d90c6254863693a6b13d918d2b8682e08bbc681
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20171010141323.14049-3-kraxel@redhat.com
---
hw/display/vga.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 77af807a51..7bdbf7441e 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1465,13 +1465,13 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
DisplaySurface *surface = qemu_console_surface(s->con);
int y1, y, update, linesize, y_start, double_scan, mask, depth;
int width, height, shift_control, bwidth, bits;
- ram_addr_t page0, page1;
+ ram_addr_t page0, page1, region_start, region_end;
DirtyBitmapSnapshot *snap = NULL;
int disp_width, multi_scan, multi_run;
uint8_t *d;
uint32_t v, addr1, addr;
vga_draw_line_func *vga_draw_line = NULL;
- bool share_surface;
+ bool share_surface, force_shadow = false;
pixman_format_code_t format;
#ifdef HOST_WORDS_BIGENDIAN
bool byteswap = !s->big_endian_fb;
@@ -1484,6 +1484,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
s->get_resolution(s, &width, &height);
disp_width = width;
+ region_start = (s->start_addr * 4);
+ region_end = region_start + s->line_offset * height;
+ if (region_end > s->vbe_size) {
+ /* wraps around (can happen with cirrus vbe modes) */
+ region_start = 0;
+ region_end = s->vbe_size;
+ force_shadow = true;
+ }
+
shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3;
double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7);
if (shift_control != 1) {
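Review bot: `region_end = region_start + s->line_offset * height;` multiplies before widening. If `line_offset` and `height` are int-sized, the product can overflow before it is assigned to the `ram_addr_t` `region_end`, and a wrapped (small) result would slip past the `region_end > s->vbe_size` wraparound test that this patch introduces, defeating the `force_shadow` protection. Cast one operand to `ram_addr_t` first; patch 19 in this series (vga: add ram_addr_t cast) does exactly that, and folding it into this patch would avoid shipping the unsafe intermediate version.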
@@ -1523,7 +1532,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
format = qemu_default_pixman_format(depth, !byteswap);
if (format) {
share_surface = dpy_gfx_check_format(s->con, format)
- && !s->force_shadow;
+ && !s->force_shadow && !force_shadow;
} else {
share_surface = false;
}
@@ -1627,8 +1636,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
y1 = 0;
if (!full_update) {
- ram_addr_t region_start = addr1;
- ram_addr_t region_end = addr1 + s->line_offset * height;
vga_sync_dirty_bitmap(s);
if (s->line_compare < height) {
/* split screen mode */
@@ -1651,10 +1658,17 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
addr = (addr & ~0x8000) | ((y1 & 2) << 14);
}
update = full_update;
- page0 = addr;
- page1 = addr + bwidth - 1;
+ page0 = addr & s->vbe_size_mask;
+ page1 = (addr + bwidth - 1) & s->vbe_size_mask;
if (full_update) {
update = 1;
+ } else if (page1 < page0) {
+ /* scanline wraps from end of video memory to the start */
+ assert(force_shadow);
+ update = memory_region_snapshot_get_dirty(&s->vram, snap,
+ page0, 0);
+ update |= memory_region_snapshot_get_dirty(&s->vram, snap,
+ page1, 0);
} else {
update = memory_region_snapshot_get_dirty(&s->vram, snap,
page0, page1 - page0);
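Review bot: in the new `page1 < page0` branch both `memory_region_snapshot_get_dirty` calls pass a size of 0, so neither the tail of the wrapped scanline (from `page0` to the end of vram) nor its head (from 0 to `page1`) is actually examined, and the scanline is never redrawn unless `full_update` is set. The sizes should be `s->vbe_size - page0` for the first call and `page1` with a start of 0 for the second, matching the end-exclusive `page0, page1 - page0` convention of the non-wrapping branch. Patch 20 in this series makes exactly this correction; squashing it here would keep the intermediate state out of the package.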
--
2.11.0


@ -0,0 +1,30 @@
From 918868b77c7a04d3e2aa7bbc7f9255dafe75f709 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 10 Oct 2017 16:13:23 +0200
Subject: [PATCH 19/23] vga: add ram_addr_t cast
Reported by Coverity.
Fixes: CID 1381409
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20171010141323.14049-4-kraxel@redhat.com
---
hw/display/vga.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 7bdbf7441e..63ba404ef2 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1485,7 +1485,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
disp_width = width;
region_start = (s->start_addr * 4);
- region_end = region_start + s->line_offset * height;
+ region_end = region_start + (ram_addr_t)s->line_offset * height;
if (region_end > s->vbe_size) {
/* wraps around (can happen with cirrus vbe modes) */
region_start = 0;
--
2.11.0


@ -0,0 +1,32 @@
From 3c51ccd7bb43dd763a1ff3112b8a0cd7e145ca4f Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 30 Oct 2017 11:28:30 +0100
Subject: [PATCH 20/23] vga: fix region checks in wraparound case
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20171030102830.4469-1-kraxel@redhat.com
---
hw/display/vga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 63ba404ef2..a58d8bcd67 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1666,9 +1666,9 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
/* scanline wraps from end of video memory to the start */
assert(force_shadow);
update = memory_region_snapshot_get_dirty(&s->vram, snap,
- page0, 0);
+ page0, s->vbe_size - page0);
update |= memory_region_snapshot_get_dirty(&s->vram, snap,
- page1, 0);
+ 0, page1);
} else {
update = memory_region_snapshot_get_dirty(&s->vram, snap,
page0, page1 - page0);
--
2.11.0


@ -0,0 +1,55 @@
From 89a1271a7687018cdbf2b7f92cf3d50d079e100e Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 9 Oct 2017 14:43:42 +0100
Subject: [PATCH 21/23] io: monitor encoutput buffer size from websocket
GSource
The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accepts more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.
This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.
This issue is assigned CVE-2017-15268, publically reported in
https://bugs.launchpad.net/qemu/+bug/1718964
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
io/channel-websock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/io/channel-websock.c b/io/channel-websock.c
index 8fabadea2f..882bbb4cbc 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -26,7 +26,7 @@
#include "trace.h"
-/* Max amount to allow in rawinput/rawoutput buffers */
+/* Max amount to allow in rawinput/encoutput buffers */
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
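Review bot: the readiness test now watches `encoutput.offset`, the buffer that actually accumulates pending frames, instead of `rawoutput.offset`, which the commit message explains is always empty when the GSource runs; with `QIO_CHANNEL_WEBSOCK_MAX_BUFFER` at 8192 that bounds how far encoded output can back up before G_IO_OUT is withheld and writers are throttled. Note that it is a threshold, not a hard cap: a write accepted while `encoutput` is just under 8192 bytes is still appended in full, so peak usage is the threshold plus one encoded frame, which is bounded, unlike the unbounded growth this patch fixes. The comment hunk above was updated to say rawinput/encoutput, consistent with the new check.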
--
2.11.0


@ -0,0 +1,43 @@
From 184640d2552895d967214e90e23e005d6657b145 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 16 Oct 2017 14:21:59 +0200
Subject: [PATCH 22/23] 9pfs: use g_malloc0 to allocate space for xattr
9p back-end first queries the size of an extended attribute,
allocates space for it via g_malloc() and then retrieves its
value into allocated buffer. Race between querying attribute
size and retrieving its could lead to memory bytes disclosure.
Use g_malloc0() to avoid it.
Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/9pfs/9p.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index c80ba67389..aaf9935ef4 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3220,7 +3220,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
@@ -3253,7 +3253,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
&name, xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
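Review bot: zero-filling with `g_malloc0` closes the disclosure window (stale heap bytes returned when the attribute shrinks between the size query and the retrieval), but in both hunks the length handed back to the client is still `xattr_fidp->fs.xattr.len` from the earlier size query. If the `err` return of `v9fs_co_llistxattr` / `v9fs_co_lgetxattr` carries the number of bytes actually written (not visible in these hunks), trimming `len` to it on success would avoid returning zero padding for a shrunk attribute as well.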
--
2.11.0


@ -0,0 +1,58 @@
From b162e22e5f0c1081efeec646999616ce1a7e3875 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 11 Oct 2017 10:43:14 +0200
Subject: [PATCH 23/23] cirrus: fix oob access in mode4and5 write functions
Move dst calculation into the loop, so we apply the mask on each
interation and will not overflow vga memory.
Cc: Prasad J Pandit <pjp@fedoraproject.org>
Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20171011084314.21752-1-kraxel@redhat.com
---
hw/display/cirrus_vga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index afc290ab91..077a8cb74f 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
} else if (mode == 5) {
*dst = s->cirrus_shadow_gr0;
}
val <<= 1;
- dst++;
}
memory_region_set_dirty(&s->vga.vram, offset, 8);
}
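Review bot: masking per byte means `dst` can no longer run past the end of vram when `offset` is close to `cirrus_addr_mask`, which is the fix itself. But the removed line also masked `offset` in place (`offset &= s->cirrus_addr_mask`), and `memory_region_set_dirty(&s->vga.vram, offset, 8)` now receives the unmasked value; in the wraparound case the bytes written at the start of vram are also outside the 8-byte dirty range. Mask `offset` before the set_dirty call (and mark the wrapped head separately when `offset + 8` exceeds the mask) so the display update code still redraws what the guest wrote. The same applies to the `memory_region_set_dirty(&s->vga.vram, offset, 16)` in the 16bpp variant below.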
@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
*(dst + 1) = s->vga.gr[0x11];
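Review bot: `((offset + 2 * x) & s->cirrus_addr_mask & ~1)` forces an even address, so the `*(dst + 1)` write stays inside the masked range only if `cirrus_addr_mask` is of the form 2^n - 1 (assumed here, the definition is not in this hunk); if that holds, the pair can never straddle the end of vram. Worth a one-line comment above the loop stating that assumption, since the `& ~1` looks like an alignment nicety rather than the bounds argument it actually is.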
@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
*(dst + 1) = s->vga.gr[0x10];
}
val <<= 1;
- dst += 2;
}
memory_region_set_dirty(&s->vga.vram, offset, 16);
}
--
2.11.0


@ -40,3 +40,12 @@ extra/0011-vga-fix-display-update-region-calculation-split-scre.patch
extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch
extra/0013-multiboot-validate-multiboot-header-address-values.patch
extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch
extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch
extra/0016-vga-migration-Update-memory-map-in-post_load.patch
extra/0017-vga-drop-line_offset-variable.patch
extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch
extra/0019-vga-add-ram_addr_t-cast.patch
extra/0020-vga-fix-region-checks-in-wraparound-case.patch
extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch
extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch
extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch