[gnome-continuous-yocto/gnomeostree-3.22-krogoth: 174/246] qemu: Security fix CVE-2016-4439

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.22-krogoth: 174/246] qemu: Security fix CVE-2016-4439
Date: Thu, 14 Dec 2017 12:02:48 +0000 (UTC)
commit 485e244db8cc7d2c421e60a1ad3a2415a30852ee
Author: Adrian Dudau <adrian dudau enea com>
Date:   Thu Nov 3 14:18:00 2016 +0100

    qemu: Security fix CVE-2016-4439
    
    affects qemu < 2.7.0
    
    Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation
    support is vulnerable to an OOB write access issue. The controller uses
    16-byte FIFO buffer for command and data transfer. The OOB write occurs
    while writing to this command buffer in routine get_cmd().
    
    A privileged user inside guest could use this flaw to crash the Qemu
    process resulting in DoS.
    
    References:
    ----------
    http://www.openwall.com/lists/oss-security/2016/05/19/4
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4441
    
    (From OE-Core rev: 1bc071172236ea020cac9db96e33de81950a15ff)
    
    Signed-off-by: Adrian Dudau <adrian dudau enea com>
    Signed-off-by: Armin Kuster <akuster808 gmail com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../recipes-devtools/qemu/qemu/CVE-2016-4441.patch |   78 ++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.5.0.bb           |    1 +
 2 files changed, 79 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
new file mode 100644
index 0000000..3cbe394
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
@@ -0,0 +1,78 @@
+From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp fedoraproject org>
+Date: Thu, 19 May 2016 16:09:31 +0530
+Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441)
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() uses DMA to read scsi commands into this buffer.
+Add check to validate DMA length against buffer size to avoid any
+overrun.
+
+Fixes CVE-2016-4441.
+
+Upstream-Status: Backport
+
+Reported-by: Li Qiang <liqiang6-s 360 cn>
+Cc: qemu-stable nongnu org
+Signed-off-by: Prasad J Pandit <pjp fedoraproject org>
+Message-Id: <1463654371-11169-3-git-send-email-ppandit redhat com>
+Signed-off-by: Paolo Bonzini <pbonzini redhat com>
+Signed-off-by: Adrian Dudau <adrian dudau enea com>
+---
+ hw/scsi/esp.c |   11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 01497e6..591c817 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
+     }
+ }
+ 
+-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ {
+     uint32_t dmalen;
+     int target;
+@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+         dmalen = s->rregs[ESP_TCLO];
+         dmalen |= s->rregs[ESP_TCMID] << 8;
+         dmalen |= s->rregs[ESP_TCHI] << 16;
++        if (dmalen > buflen) {
++            return 0;
++        }
+         s->dma_memory_read(s->dma_opaque, buf, dmalen);
+     } else {
+         dmalen = s->ti_size;
+@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
+         s->dma_cb = handle_satn;
+         return;
+     }
+-    len = get_cmd(s, buf);
++    len = get_cmd(s, buf, sizeof(buf));
+     if (len)
+         do_cmd(s, buf);
+ }
+@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
+         s->dma_cb = handle_s_without_atn;
+         return;
+     }
+-    len = get_cmd(s, buf);
++    len = get_cmd(s, buf, sizeof(buf));
+     if (len) {
+         do_busid_cmd(s, buf, 0);
+     }
+@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
+         s->dma_cb = handle_satn_stop;
+         return;
+     }
+-    s->cmdlen = get_cmd(s, s->cmdbuf);
++    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
+     if (s->cmdlen) {
+         trace_esp_handle_satn_stop(s->cmdlen);
+         s->do_cmd = 1;
+-- 
+1.7.0.4
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index ed8d911..58902b1 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -26,6 +26,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
             file://CVE-2016-6351_p2.patch \
             file://CVE-2016-4002.patch \
             file://CVE-2016-5403.patch \
+            file://CVE-2016-4441.patch \
            "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2";
 SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]