
01/03: gnu: qemu: Fix CVE-2017-{5667,5898,5931}.


From: Leo Famulari
Subject: 01/03: gnu: qemu: Fix CVE-2017-{5667,5898,5931}.
Date: Sun, 12 Feb 2017 10:32:29 -0500 (EST)

lfam pushed a commit to branch master
in repository guix.

commit 37acc8a07b37b7cd500496dec4d4737a389a2f7a
Author: Leo Famulari <address@hidden>
Date:   Sun Feb 12 09:20:08 2017 -0500

    gnu: qemu: Fix CVE-2017-{5667,5898,5931}.
    
    * gnu/packages/patches/qemu-CVE-2017-5667.patch,
    gnu/packages/patches/qemu-CVE-2017-5898.patch,
    gnu/packages/patches/qemu-CVE-2017-5931.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/qemu.scm (qemu)[source]: Use them.
---
 gnu/local.mk                                  |  3 ++
 gnu/packages/patches/qemu-CVE-2017-5667.patch | 46 ++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-5898.patch | 44 +++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-5931.patch | 55 +++++++++++++++++++++++++++
 gnu/packages/qemu.scm                         |  5 ++-
 5 files changed, 152 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 2a054ea..7fc7af6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -870,7 +870,10 @@ dist_patch_DATA =                                          
\
   %D%/packages/patches/qemu-CVE-2017-5552.patch                        \
   %D%/packages/patches/qemu-CVE-2017-5578.patch                        \
   %D%/packages/patches/qemu-CVE-2017-5579.patch                        \
+  %D%/packages/patches/qemu-CVE-2017-5667.patch                        \
   %D%/packages/patches/qemu-CVE-2017-5856.patch                        \
+  %D%/packages/patches/qemu-CVE-2017-5898.patch                        \
+  %D%/packages/patches/qemu-CVE-2017-5931.patch                        \
   %D%/packages/patches/qt4-ldflags.patch                       \
   %D%/packages/patches/quickswitch-fix-dmenu-check.patch       \
   %D%/packages/patches/rapicorn-isnan.patch                    \
diff --git a/gnu/packages/patches/qemu-CVE-2017-5667.patch 
b/gnu/packages/patches/qemu-CVE-2017-5667.patch
new file mode 100644
index 0000000..5adea0d
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5667.patch
@@ -0,0 +1,46 @@
+Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):
+
+http://seclists.org/oss-sec/2017/q1/243
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9
+
+From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <address@hidden>
+Date: Tue, 7 Feb 2017 18:29:59 +0000
+Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
+
+While doing multi block SDMA transfer in routine
+'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
+index 'begin' and data length 's->data_count' could end up to be same.
+This could lead to an OOB access issue. Correct transfer data length
+to avoid it.
+
+Cc: address@hidden
+Reported-by: Jiang Xin <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Reviewed-by: Peter Maydell <address@hidden>
+Message-id: address@hidden
+Signed-off-by: Peter Maydell <address@hidden>
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 01fbf228be..5bd5ab6319 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+                 boundary_count -= block_size - begin;
+             }
+             dma_memory_read(&address_space_memory, s->sdmasysad,
+-                            &s->fifo_buffer[begin], s->data_count);
++                            &s->fifo_buffer[begin], s->data_count - begin);
+             s->sdmasysad += s->data_count - begin;
+             if (s->data_count == block_size) {
+                 for (n = 0; n < block_size; n++) {
+-- 
+2.11.1
+
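Review bot: The corrected read length `s->data_count - begin` on the added line is only a complete fix if `begin` cannot exceed `s->data_count` at the point of the `dma_memory_read` call; the code that sets `begin` and the boundary handling before line 94 are outside the hunk, so that invariant cannot be confirmed from here and should be checked against the upstream source rather than assumed, since if those fields are unsigned the subtraction would otherwise wrap to a very large length. The Guix header lines at the top of the file would also help future readers if they named the affected routine in one line, e.g. `Bounds the SDMA fifo read in sdhci_sdma_transfer_multi_blocks to the bytes remaining in the buffer.`. sdhci_sdma_transfer_multi_blocks continues outside the hunk.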
diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch 
b/gnu/packages/patches/qemu-CVE-2017-5898.patch
new file mode 100644
index 0000000..5a94bb1
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5898.patch
@@ -0,0 +1,44 @@
+Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
+
+http://seclists.org/oss-sec/2017/q1/328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
+
+From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <address@hidden>
+Date: Fri, 3 Feb 2017 00:52:28 +0530
+Subject: [PATCH] usb: ccid: check ccid apdu length
+
+CCID device emulator uses Application Protocol Data Units(APDU)
+to exchange command and responses to and from the host.
+The length in these units couldn't be greater than 65536. Add
+check to ensure the same. It'd also avoid potential integer
+overflow in emulated_apdu_from_guest.
+
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Message-id: address@hidden
+Signed-off-by: Gerd Hoffmann <address@hidden>
+---
+ hw/usb/dev-smartcard-reader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 89e11b68c4..1325ea1659 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, 
CCID_XferBlock *recv)
+     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
+                 recv->hdr.bSeq, len);
+     ccid_add_pending_answer(s, (CCID_Header *)recv);
+-    if (s->card) {
++    if (s->card && len <= BULK_OUT_DATA_SIZE) {
+         ccid_card_apdu_from_guest(s->card, recv->abData, len);
+     } else {
+         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
+-- 
+2.11.1
+
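Review bot: The added guard `len <= BULK_OUT_DATA_SIZE` sends an oversized APDU into the same `"warning: discarded apdu\n"` branch as the no-card case, so the two conditions are indistinguishable in the debug output; a dedicated message such as `DPRINTF(s, D_WARN, "warning: discarded apdu, len %d exceeds %d\n", len, BULK_OUT_DATA_SIZE);` would make a guest exercising this path visible, though as this file is a verbatim upstream copy that change belongs upstream rather than in the Guix patch. Separately, the hunk header `@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s,` is shown broken across two lines here, as are the `max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;` line in the CVE-2017-5931 patch and the `@@ -870,7 +870,10 @@ dist_patch_DATA =` header in local.mk; if that wrap exists in the committed files rather than only in this mail rendering, those hunks will not apply, so confirming the package builds with the three patches is worthwhile. ccid_on_apdu_from_guest continues outside the hunk.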
diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch 
b/gnu/packages/patches/qemu-CVE-2017-5931.patch
new file mode 100644
index 0000000..08910e5
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5931.patch
@@ -0,0 +1,55 @@
+Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests):
+
+http://seclists.org/oss-sec/2017/q1/337
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
+
+From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
+From: Gonglei <address@hidden>
+Date: Tue, 3 Jan 2017 14:50:03 +0800
+Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
+
+Because the 'size_t' type is 4 bytes in 32-bit platform, which
+is the same with 'int'. It's easy to make 'max_len' to zero when
+integer overflow and then cause heap overflow if 'max_len' is zero.
+
+Using uint_64 instead of size_t to avoid the integer overflow.
+
+Cc: address@hidden
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Gonglei <address@hidden>
+Tested-by: Li Qiang <address@hidden>
+Reviewed-by: Michael S. Tsirkin <address@hidden>
+Signed-off-by: Michael S. Tsirkin <address@hidden>
+---
+ hw/virtio/virtio-crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 2f2467e859..c23e1ad458 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+     uint32_t hash_start_src_offset = 0, len_to_hash = 0;
+     uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
+ 
+-    size_t max_len, curr_size = 0;
++    uint64_t max_len, curr_size = 0;
+     size_t s;
+ 
+     /* Plain cipher */
+@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+         return NULL;
+     }
+ 
+-    max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
++    max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + 
hash_result_len;
+     if (unlikely(max_len > vcrypto->conf.max_size)) {
+         virtio_error(vdev, "virtio-crypto too big length");
+         return NULL;
+-- 
+2.11.1
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index b4920cf..9afcd83 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -84,7 +84,10 @@
                                       "qemu-CVE-2017-5552.patch"
                                       "qemu-CVE-2017-5578.patch"
                                       "qemu-CVE-2017-5579.patch"
-                                      "qemu-CVE-2017-5856.patch"))))
+                                      "qemu-CVE-2017-5667.patch"
+                                      "qemu-CVE-2017-5856.patch"
+                                      "qemu-CVE-2017-5898.patch"
+                                      "qemu-CVE-2017-5931.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Running tests in parallel can occasionally lead to failures, like:


