gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
* gnu/packages/patches/qemu-CVE-2017-15038.patch, gnu/packages/patches/qemu-CVE-2017-15268.patch, gnu/packages/patches/qemu-CVE-2017-15289.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them.master
parent
d4d7d70912
commit
adf7e69cab
|
@ -1015,6 +1015,9 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
|
||||
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
|
||||
%D%/packages/patches/python2-unittest2-remove-argparse.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-15038.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-15268.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-15289.patch \
|
||||
%D%/packages/patches/qt4-ldflags.patch \
|
||||
%D%/packages/patches/qtscript-disable-tests.patch \
|
||||
%D%/packages/patches/quagga-reproducible-build.patch \
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
Fix CVE-2017-15038:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6
|
||||
|
||||
From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 16 Oct 2017 14:21:59 +0200
|
||||
Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
|
||||
|
||||
9p back-end first queries the size of an extended attribute,
|
||||
allocates space for it via g_malloc() and then retrieves its
|
||||
value into allocated buffer. Race between querying attribute
|
||||
size and retrieving its could lead to memory bytes disclosure.
|
||||
Use g_malloc0() to avoid it.
|
||||
|
||||
Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
---
|
||||
hw/9pfs/9p.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 23ac7bb532..f8bbac251d 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
|
||||
xattr_fidp->fid_type = P9_FID_XATTR;
|
||||
xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
||||
if (size) {
|
||||
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
|
||||
xattr_fidp->fs.xattr.value,
|
||||
xattr_fidp->fs.xattr.len);
|
||||
@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
|
||||
xattr_fidp->fid_type = P9_FID_XATTR;
|
||||
xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
||||
if (size) {
|
||||
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
|
||||
&name, xattr_fidp->fs.xattr.value,
|
||||
xattr_fidp->fs.xattr.len);
|
||||
--
|
||||
2.15.0
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
Fix CVE-2017-15268:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15268
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a7b20a8efa28e5f22c26c06cd06c2f12bc863493
|
||||
|
||||
From a7b20a8efa28e5f22c26c06cd06c2f12bc863493 Mon Sep 17 00:00:00 2001
|
||||
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||
Date: Mon, 9 Oct 2017 14:43:42 +0100
|
||||
Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
|
||||
|
||||
The websocket GSource is monitoring the size of the rawoutput
|
||||
buffer to determine if the channel can accepts more writes.
|
||||
The rawoutput buffer, however, is merely a temporary staging
|
||||
buffer before data is copied into the encoutput buffer. Thus
|
||||
its size will always be zero when the GSource runs.
|
||||
|
||||
This flaw causes the encoutput buffer to grow without bound
|
||||
if the other end of the underlying data channel doesn't
|
||||
read data being sent. This can be seen with VNC if a client
|
||||
is on a slow WAN link and the guest OS is sending many screen
|
||||
updates. A malicious VNC client can act like it is on a slow
|
||||
link by playing a video in the guest and then reading data
|
||||
very slowly, causing QEMU host memory to expand arbitrarily.
|
||||
|
||||
This issue is assigned CVE-2017-15268, publically reported in
|
||||
|
||||
https://bugs.launchpad.net/qemu/+bug/1718964
|
||||
|
||||
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||
---
|
||||
io/channel-websock.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/io/channel-websock.c b/io/channel-websock.c
|
||||
index d1d471f86e..04bcc059cd 100644
|
||||
--- a/io/channel-websock.c
|
||||
+++ b/io/channel-websock.c
|
||||
@@ -28,7 +28,7 @@
|
||||
#include <time.h>
|
||||
|
||||
|
||||
-/* Max amount to allow in rawinput/rawoutput buffers */
|
||||
+/* Max amount to allow in rawinput/encoutput buffers */
|
||||
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
|
||||
|
||||
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
|
||||
@@ -1208,7 +1208,7 @@ qio_channel_websock_source_check(GSource *source)
|
||||
if (wsource->wioc->rawinput.offset || wsource->wioc->io_eof) {
|
||||
cond |= G_IO_IN;
|
||||
}
|
||||
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
|
||||
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
|
||||
cond |= G_IO_OUT;
|
||||
}
|
||||
|
||||
--
|
||||
2.15.0
|
||||
|
|
@ -0,0 +1,66 @@
|
|||
Fix CVE-2017-15289:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15289
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=eb38e1bc3740725ca29a535351de94107ec58d51
|
||||
|
||||
From eb38e1bc3740725ca29a535351de94107ec58d51 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 11 Oct 2017 10:43:14 +0200
|
||||
Subject: [PATCH] cirrus: fix oob access in mode4and5 write functions
|
||||
|
||||
Move dst calculation into the loop, so we apply the mask on each
|
||||
interation and will not overflow vga memory.
|
||||
|
||||
Cc: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 20171011084314.21752-1-kraxel@redhat.com
|
||||
---
|
||||
hw/display/cirrus_vga.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index b4d579857a..bc32bf1e39 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
|
||||
unsigned val = mem_value;
|
||||
uint8_t *dst;
|
||||
|
||||
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
|
||||
for (x = 0; x < 8; x++) {
|
||||
+ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
|
||||
if (val & 0x80) {
|
||||
*dst = s->cirrus_shadow_gr1;
|
||||
} else if (mode == 5) {
|
||||
*dst = s->cirrus_shadow_gr0;
|
||||
}
|
||||
val <<= 1;
|
||||
- dst++;
|
||||
}
|
||||
memory_region_set_dirty(&s->vga.vram, offset, 8);
|
||||
}
|
||||
@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
|
||||
unsigned val = mem_value;
|
||||
uint8_t *dst;
|
||||
|
||||
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
|
||||
for (x = 0; x < 8; x++) {
|
||||
+ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
|
||||
if (val & 0x80) {
|
||||
*dst = s->cirrus_shadow_gr1;
|
||||
*(dst + 1) = s->vga.gr[0x11];
|
||||
@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
|
||||
*(dst + 1) = s->vga.gr[0x10];
|
||||
}
|
||||
val <<= 1;
|
||||
- dst += 2;
|
||||
}
|
||||
memory_region_set_dirty(&s->vga.vram, offset, 16);
|
||||
}
|
||||
--
|
||||
2.15.0
|
||||
|
|
@ -82,6 +82,9 @@
|
|||
(method url-fetch)
|
||||
(uri (string-append "https://download.qemu.org/qemu-"
|
||||
version ".tar.xz"))
|
||||
(patches (search-patches "qemu-CVE-2017-15038.patch"
|
||||
"qemu-CVE-2017-15268.patch"
|
||||
"qemu-CVE-2017-15289.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"1ahwl7r18iw2ds0q3c51nlivqsan9hcgnc8bbf9pv366iy81mm8x"))))
|
||||
|
|
Reference in New Issue