From da8fdc46be4a3e48a559102b6ff9f2cc78d4a37c Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Mon, 27 Feb 2017 19:19:21 +0100
Subject: main/xen: sec fixes fro xsa-207 - xsa-209

added perl-dev as makedepends due to man2pod moved to there.

- XSA-207
- CVE-2017-2615 XSA-208
- CVE-2017-2620 XSA-209
- XSA-210

fixes #6915
---
 main/xen/APKBUILD | 148 +++------------------
 main/xen/xsa207.patch | 31 +++++
 main/xen/xsa208-qemut.patch | 56 ++++++++
 main/xen/xsa208-qemuu-4.7.patch | 53 ++++++++
 ...rus-ignore-source-pitch-value-as-needed-i.patch | 72 ++++++++++
 ...blit_is_unsafe-call-to-cirrus_bitblt_cput.patch | 60 +++++++++
 main/xen/xsa209-qemut.patch | 54 ++++++++
 7 files changed, 346 insertions(+), 128 deletions(-)
 create mode 100644 main/xen/xsa207.patch
 create mode 100644 main/xen/xsa208-qemut.patch
 create mode 100644 main/xen/xsa208-qemuu-4.7.patch
 create mode 100644 main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
 create mode 100644 main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
 create mode 100644 main/xen/xsa209-qemut.patch
(limited to 'main/xen')

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 74dc815174..f57edc3e29 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock
 pkgname=xen
 pkgver=4.7.1
-pkgrel=4
+pkgrel=5
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64 armhf"
@@ -12,7 +12,7 @@ depends="bash iproute2 logrotate"
 depends_dev="libressl-dev python2-dev e2fsprogs-dev gettext zlib-dev ncurses-dev dev86 texinfo perl pciutils-dev glib-dev yajl-dev libnl3-dev spice-dev gnutls-dev curl-dev libaio-dev lzo-dev xz-dev util-linux-dev
- e2fsprogs-dev linux-headers argp-standalone"
+ e2fsprogs-dev linux-headers argp-standalone perl-dev"
 makedepends="$depends_dev autoconf automake libtool "
 
 # secfixes:
@@ -47,6 +47,11 @@ makedepends="$depends_dev autoconf automake libtool "
 # - CVE-2016-10024 XSA-202
 # - CVE-2016-10025 XSA-203
 # - CVE-2016-10013 XSA-204
+# 4.7.1-r5:
+# - XSA-207
+# - CVE-2017-2615 XSA-208
+# - CVE-2017-2620 XSA-209
+# - XSA-210
 
 case "$CARCH" in
 x86*)
@@ -108,6 +113,13 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 xsa202.patch
 xsa203-4.7.patch
 xsa204-4.7.patch
+ xsa207.patch
+ xsa208-qemut.patch
+ xsa208-qemuu-4.7.patch
+ xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+ xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+ xsa209-qemut.patch
+
 
 qemu-coroutine-gthread.patch
 qemu-xen_paths.patch
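Review bot: The secfixes block added in the first hunk records XSA-210 as fixed in 4.7.1-r5, but the source list in the second hunk adds only the xsa207, xsa208-* and xsa209-* patches and no xsa210 patch, so that advisory is claimed without any change backing it. If XSA-210 does not affect this version, the entry should say so rather than read as a fix, e.g. `# - XSA-210 (not applicable to 4.7.x, no patch needed)`; otherwise the patch and its sha512 entry are missing. The secfixes list is presumably what the distribution's vulnerability tracking consumes, so an unbacked entry would hide a missing fix rather than flag it.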
@@ -329,132 +341,6 @@ hypervisor() { mv "$pkgdir"/boot "$subpkgdir"/ } -md5sums="8e258d87a1008a3200eec6989e164fa4 xen-4.7.1.tar.gz -dd60683d7057917e34630b4a787932e8 gmp-4.3.2.tar.bz2 -cd3f3eb54446be6003156158d51f4884 grub-0.97.tar.gz -36cc57650cffda9a0269493be2a169bb lwip-1.3.0.tar.gz -bf8f1f9e3ca83d732c00a79a6ef29bc4 newlib-1.16.0.tar.gz -cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2 -7b72caf22b01464ee7d6165f2fd85f44 polarssl-1.1.4-gpl.tgz -e26becb8a6a2b6695f6b3e8097593db8 tpm_emulator-0.7.4.tar.gz -debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz -7496268cebf47d5c9ccb0696e3b26065 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz -b3ccddb149c8f9af4eb5dcbc230fc391 xsa191.patch -002cef87f605db2cd9a6ec5230685554 xsa192.patch -0bde9ad287f8a586fb47abc2f393287e xsa193-4.7.patch -2a37b54c1cfdf422a680652d05683b3f xsa194.patch -03ee88fdd719a6e2cdd53b698b14bfa0 xsa195.patch -362e7460fa4e5db3a5e1c2a4209718cf xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch -3f66b6bb7129867f857fe25916c32d84 xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch -7587583e9746ee46c39d48e693c97a2e xsa197-qemut.patch -6d42e09101a5c6f8da5ee7caea4e0cc5 xsa197-qemuu.patch -e8d3ee1e904071920a6afbbf6a27aad2 xsa198.patch -2000ddf0211c153b7cc420a625b7db4e xsa200-4.7.patch -6580371b4b8db7cb6876f2b42ab3fc61 xsa201-1.patch -76394482eaf0caeb3e0611ba70e8923c xsa201-2.patch -136b9ad8b2bcc57d5a7ed3bf13bebe3c xsa201-3-4.7.patch -9cb1516d783fc9c765e9a37574bb3cbd xsa201-4.patch -c519ccfe62d245419ade09de5e8fe4fd xsa202.patch -da401ec1a25668a2dabc666f6687409b xsa203-4.7.patch -dc4ad05682ce371e1755817b22229601 xsa204-4.7.patch -de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch -08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch -e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch -5fab5487fe92fa29302db9ccb04af564 rombios-no-pie.patch -3a04998db5cc3c5c86f3b46e97e9cd82 0001-ipxe-dont-clobber-ebp.patch -0984e3000de17a6d14b8014a3ced46a4 
musl-support.patch -513456607a2adfaa0baf1e3ae5124b23 musl-hvmloader-fix-stdint.patch -c9313a790faa727205627a1657b9bf06 stdint_local.h -c13f954d041a6fa78d0d241ad1780c0b elf_local.h -750138c31ec96d1a11fe0c665ac07e9e xen-hotplug-lockfd.patch -649f77b90978cd2b6d506ac44ec6c393 xen-fd-is-file.c -b05500e9fdcec5a076ab8817fc313ac3 xenstore_client_transaction_fix.patch -ea983c48b69eea3885627b2c8da8afec patch-gcc6-etherboot-nonnull-compare.patch -c1b73e5b708002b77b50827742c3af09 patch-gcc6-etherboot-rm-unused-string-functions.patch -e10ec3a62e8dc47052b8d8be77520af7 patch-gcc6-etherboot-nic.c.patch -78433fdb5ed0d9f71a1d2b8103a886c9 patch-gcc6-etherboot-ath.patch -83b0416745dffdfedec8caab7d20b758 patch-gcc6-etherboot-sis190.patch -24ece1158115e508e6a5db0a086f065c patch-gcc6-etherboot-skge.patch -465ca7d4841fe34b7b4d9d99257cd092 patch-gcc6-etherboot-via-velocity.c.patch -b136a8d31272eec48c766065bba260ca patch-gcc6-etherboot-via-rhine.c.patch -ef2d246f23e5ca152a4057617041bac6 patch-gcc6-etherboot-e1000_phy.c.patch -05b86753c6e6ca90af038b499fd564f0 patch-gcc6-etherboot-igb_phy.c.patch -74a5f930491bbc4333c84fff36029a1c patch-gcc6-etherboot-ath9k-9287-array.patch -567de70c3355c9724ebfdb02d7806435 patch-gcc6-etherboot-no-pie.patch -4ae9e861dc0a9b1873236399ba8cff6d patch-gcc6-etherboot-link-header.patch -ce606e447bc4884dffc59080cd10acfd patch-gcc6-etherboot-eth_broadcast.patch -4aeda68bf5b168019762fcf6edb661d3 xenstored.initd -d86504e12f05deca6b3eeeb90157160e xenstored.confd -d1dd5fc9a8b00f7373d789f9b5a605b9 xenconsoled.initd -ec2252c72050d7d5870a3a629b873ba6 xenconsoled.confd -e155d7992ddbb5b0df6148f4cc21c7c6 xendomains.initd -dcdd1de2c29e469e834a02ede4f47806 xendomains.confd -9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate -6a2f777c16678d84039acf670d86fff6 xenqemu.confd -e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd" -sha256sums="e87f4b0575e78657ee23d31470a15ecf1ce8c3a92a771cda46bbcd4d0d671ffe xen-4.7.1.tar.gz 
-936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775 gmp-4.3.2.tar.bz2 -4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b grub-0.97.tar.gz -772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f lwip-1.3.0.tar.gz -db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07 newlib-1.16.0.tar.gz -f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 pciutils-2.2.9.tar.bz2 -2d29fd04a0d0ba29dae6bd29fb418944c08d3916665dcca74afb297ef37584b6 polarssl-1.1.4-gpl.tgz -4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459 tpm_emulator-0.7.4.tar.gz -1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e zlib-1.2.3.tar.gz -632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz -dca534cf4d3711ea8797846a18238ca16cc9e7a24a887300db22c3ba3d95c199 xsa191.patch -687b0216eefd5ecef8a3135cc6f542cb3d9ff35e8e9696a157703e84656c35e8 xsa192.patch -f1b0092c585ebffe83d6ed7df94885ec5dfcb4227bdb33f421bad9febb8135a1 xsa193-4.7.patch -4dad65417d9ff3c86e763d3c88cf8de79b58a9981d531f641ae0dd0dcedce911 xsa194.patch -6ab5f13b81e3bbf6096020f4c3beeffaff67a075cab67e033ba27d199b41cec1 xsa195.patch -c4122280f3786416231ae5f0660123446d29e9ac5cd3ffb92784ed36edeec8b7 xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch -25671c44c746d4d0e8f7e2b109926c013b440e0bf225156282052ec38536e347 xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch -effa90c9ea5e76afeee8d89359b45201826b992d616c2dc118507b4e5926c57b xsa197-qemut.patch -ecb1fac79d7d17db993800b0b9aeb24d8cec90d4877d80ed1b1d548401acf36c xsa197-qemuu.patch -0e4533ad2157c03ab309bd12a54f5ff325f03edbe97f23c60a16a3f378c75eae xsa198.patch -d7113b94f6ef1c2849aedfe33eace85b0713fa83639c8a533fb289aa73e818e8 xsa200-4.7.patch -163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda xsa201-1.patch -0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b xsa201-2.patch 
-a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76 xsa201-3-4.7.patch -388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919 xsa201-4.patch -057be742acfef200ba6f094a5dce486dd1c4e15013afe3efc963523ce2ec9cbb xsa202.patch -7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46 xsa203-4.7.patch -d0359f26e9be783672896200e14d85a3111c29d7da580313b593fca04688fef2 xsa204-4.7.patch -3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch -e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch -dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch -74cb62a4614dd042ea9169112fb677bfef751a760aae34c7e73391fa857a8429 rombios-no-pie.patch -ac8bbd0b864c7de278fd9b68392b71863581ec21622c2e9b87e501e492e414d3 0001-ipxe-dont-clobber-ebp.patch -2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5 musl-support.patch -479b9605e85c865be6117b6d1993124dbbb7da7f95d0e896e4c0fe5cdfeb74d3 musl-hvmloader-fix-stdint.patch -6b4ad2a9fdb3e23b06c8c1961a46b06c15a46471fe6fb13cdc269da37466f334 stdint_local.h -7f1ed2db24d8eba87a08eea0601a9ab339209906fdfa74c8c03564a1a6e6471e elf_local.h -b183ed028a8c42a64e6fd3fb4b2b6dad832f52ed838fceb69bf681de4e7d794f xen-hotplug-lockfd.patch -d0b3e5f282a07878341c38f40d01041ed37623757a99d6e0a420ca64d1f4ef2a xen-fd-is-file.c -c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1 xenstore_client_transaction_fix.patch -17bb27d95c86af8cc5e499b1b0db9b95bba3f45910d55b420f9f1f5452355fab patch-gcc6-etherboot-nonnull-compare.patch -5d5fe7bf52cbae9da20cfd1fc798699b2355a1af907ebf7f764e227891a759bb patch-gcc6-etherboot-rm-unused-string-functions.patch -9f34f8ecb9a44c688275b838c83efd233bb817f5e222629eac98e116168d704c patch-gcc6-etherboot-nic.c.patch -cdf7c4a089fe1fe493aafaf669decc3c9e071a0950da77dce526c09088d1c931 patch-gcc6-etherboot-ath.patch -32595581467772b9fa0fbb5384c99caefeb2cee3306b94b9bd2722084454f5a2 
patch-gcc6-etherboot-sis190.patch -c73d1653b9b1d97ddce717817dc74429cd94c7b22989a08604eaa60df63f75f8 patch-gcc6-etherboot-skge.patch -448caed900ada2c030738218f5b82f5e29d9dc2e1beef9ebd49cbeb23734df0d patch-gcc6-etherboot-via-velocity.c.patch -61b1518c8d41792ec3b36e0fbfc265adb6c9304945a6fa18d6cc5a197e34b94f patch-gcc6-etherboot-via-rhine.c.patch -577f06e38a9ecbd3576907f2ba1c5040f4f1573fe92912635230702ad157b2e7 patch-gcc6-etherboot-e1000_phy.c.patch -80a24e9504d3893e83dc60550ffe364a873aaf3dafb52dcdade13f61f2ec0ee5 patch-gcc6-etherboot-igb_phy.c.patch -a15d73e0fb51fe3c1cf8b80a5ff17d532444016d14495d90d9e642ec60f320a6 patch-gcc6-etherboot-ath9k-9287-array.patch -2269932e8645c11e7fe60eeb6e0720841c2b5ddac2e6965ead1527d3e5924ee9 patch-gcc6-etherboot-no-pie.patch -cace870b6629003b55d9df9ef24f3445067239b913c006b6e23da511c1a21d78 patch-gcc6-etherboot-link-header.patch -be05ccd8975af402dcba3a3dc78c173319b2edd636bac11ac11163091453b704 patch-gcc6-etherboot-eth_broadcast.patch -90a8fc315bfe305581b3873890b1c1c8da6f62b5d06b73b79bac7a74671bbb07 xenstored.initd -991bb7c9da02941556e29714bd96b26e39e57e0a5b514eadd78d9bfa3fa5a9dc xenstored.confd -d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.initd -2a74be03eb74f6013242a4a5d721df6cb9b959b43c405de1e32813f52d749060 xenconsoled.confd -5fb0fc4a1ac8b139bb31b03f86b5c170050b93ea11a2f5b962d383d277ee815c xendomains.initd -046540c36328809fc351ad209d2b40300f91581d6d46da0caf79f57f2c212285 xendomains.confd -0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate -4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd -c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd" sha512sums="eb03244f5fa7b54402fcc1d38f1e69c0ea4536d5ab2f9859b41b5e94920ad9db20fb146e3c3d3635e9ca1d12e93ce0429e57f24bf53d4a2c4b69babc76ec724e xen-4.7.1.tar.gz 
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz 
@@ -483,6 +369,12 @@ ad0f4217ef8218dac6997385690981e7a88d05b735e04779f582ad4a0307d8e7804c015971403133
 8f96ec62d9a159370d6c6257d45b7b9e87247ac1ca891033b8f3c9fb86f74d539b9c6d893d31289c6a0f00b967672f76ee9e6875a64d739dcda783ff2911681b xsa202.patch
 b86ef48db23dacb51fbbdd55041bf08fac8aa0db76a272bb2f9d9be7195cd9a359a30fbbb61e040c66f23358f12ae102a92a30296fb18e4feb1023b58ffad4ff xsa203-4.7.patch
 a2a091cd51ed54f5b5ba4131efc1c9cc0a69a647cea46415f73c29e5764efb00025e2e65bd5d24cf26f903263fce150b2b1c52ca5d61fd81dea7efe16abf57be xsa204-4.7.patch
+89848dcdfaebf462765b2a32c9c57d5404930721ff92f7cb05c221a99be2b82fb23d31f91f52fbf32874a69065a2e8ad921460a3655f4b03cf827a8203137fac xsa207.patch
+1ddae183299bd320a2ddb9ccb52ecab36c595e72cc87dde3308c15b4e354550372f289ef35a1ce19a180fed437abb18be83af2f39b96f93335cd3f4ae83390ec xsa208-qemut.patch
+1fb853f7d428e21f13bb46f22df2cf0adc04f184a39fdfcd69fb4c14ffdaf8b13c118153544e59221c5513b2765c98b37d699a4ec1ffcea6ca455118a39cebd6 xsa208-qemuu-4.7.patch
+5b5b470c174e2144a4854795a1a7c4a1c514351fac7b6cf56e634a06cfd71438fb5cd95cac3239819ceef0b4b7d2903f181ed8835bad2aa97d843dd18da76d5c xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+ba64118f4016347b9c95df3c339f22cb9211e8604666cbc29c34c2a7e565f8b6a3ced7ea1c89cfd5211d6b26a5ba58b63e8852486c8f328b3167c2a919498548 xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+46cd186741c22cb34ca7e98fd0d9af974610c8a7c8a38d434fa878803a9365039f8c4e6338174319b026fbdd9b36c6139c03815bdccb8287f33ff843a5167c5e xsa209-qemut.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa207.patch b/main/xen/xsa207.patch
new file mode 100644
index 0000000000..6fb86fc9d5
--- /dev/null
+++ b/main/xen/xsa207.patch
@@ -0,0 +1,31 @@
+From: Oleksandr Tyshchenko
+Subject: IOMMU: always call teardown callback
+
+There is a possible scenario when (d)->need_iommu remains unset
+during guest domain execution. For example, when no devices
+were assigned to it. Taking into account that teardown callback
+is not called when (d)->need_iommu is unset we might have unreleased
+resourses after destroying domain.
+
+So, always call teardown callback to roll back actions
+that were performed in init callback.
+
+This is XSA-207.
+
+Signed-off-by: Oleksandr Tyshchenko
+Reviewed-by: Jan Beulich
+Tested-by: Jan Beulich
+Tested-by: Julien Grall
+
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain
+ if ( !iommu_enabled || !dom_iommu(d)->platform_ops )
+ return;
+ 
+- if ( need_iommu(d) )
+- iommu_teardown(d);
++ iommu_teardown(d);
+ 
+ arch_iommu_domain_destroy(d);
+ }
diff --git a/main/xen/xsa208-qemut.patch b/main/xen/xsa208-qemut.patch
new file mode 100644
index 0000000000..27a82da05a
--- /dev/null
+++ b/main/xen/xsa208-qemut.patch
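Review bot: The now-unconditional `iommu_teardown(d);` in iommu_domain_destroy carries no comment explaining why the need_iommu gate was removed, so the next reader will be tempted to restore it as an "optimisation" and reintroduce the leak the patch closes. A one-line comment at the call would pin the reasoning from the commit text, e.g. `/* Always tear down: the init callback may have allocated state even if need_iommu was never set (XSA-207). */`. Whether every platform_ops->teardown tolerates a domain that never had need_iommu set is not visible in this hunk and should be confirmed per IOMMU driver. iommu_domain_destroy begins outside the hunk.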
@@ -0,0 +1,56 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P
+Cc: Laszlo Ersek
+Cc: Paolo Bonzini
+Cc: Wolfgang Bumiller
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek
+Signed-off-by: Stefano Stabellini
+Signed-off-by: Ian Jackson
+---
+ hw/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..364e22d 100644
+--- a/hw/cirrus_vga.c
++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vram_size) {
+ return true;
+ }
+ } else {
+--
+2.1.4
+
diff --git a/main/xen/xsa208-qemuu-4.7.patch b/main/xen/xsa208-qemuu-4.7.patch
new file mode 100644
index 0000000000..705bab5020
--- /dev/null
+++ b/main/xen/xsa208-qemuu-4.7.patch
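Review bot: The new bound `if (min < -1 || addr >= s->vram_size)` in blit_region_is_unsafe encodes an off-by-one that nothing in the hunk explains: `min` is now `addr + (height - 1) * pitch - width`, which is one byte below the lowest address a backward blit touches if the backward rop helpers start at `addr` and step downward, so `-1` rather than `0` is the intended floor and `addr` itself is the highest byte checked. A later reader is likely to "correct" it back to `min < 0`; a comment such as `/* backward blit: addr is the top byte; min is one below the lowest byte touched, hence -1 */` would pin the reasoning. Whether the backward rop helpers really walk down from addr is outside this hunk and should be confirmed; the same change and comment apply to the qemuu variant. blit_region_is_unsafe's signature and its forward branch lie outside the hunk.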
@@ -0,0 +1,53 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P
+Cc: Laszlo Ersek
+Cc: Paolo Bonzini
+Cc: Wolfgang Bumiller
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek
+Signed-off-by: Stefano Stabellini
+---
+ hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 5198037..7bf3707 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vga.vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vga.vram_size) {
+ return true;
+ }
+ } else {
+--
+2.1.4
+
diff --git a/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
new file mode 100644
index 0000000000..787567d5a5
--- /dev/null
+++ b/main/xen/xsa209-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
@@ -0,0 +1,72 @@
+From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers
+Date: Tue, 21 Feb 2017 10:54:38 -0800
+Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers
+Message-id: 20170109203520.5619-1-brogers@suse.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 7bf3707..34a6900 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ return false;
+ }
+ 
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+ /* should be the case, see cirrus_bitblt_start */
+ assert(s->cirrus_blt_width > 0);
+@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
++ if (dst_only) {
++ return false;
++ }
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+ return true;
+@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+ 
+ dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+ 
+- if (blit_is_unsafe(s))
++ if (blit_is_unsafe(s, false))
+ return 0;
+ 
+ (*s->cirrus_rop) (s, dst, src,
+@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+ cirrus_fill_t rop_func;
+ 
+- if (blit_is_unsafe(s)) {
++ if (blit_is_unsafe(s, true)) {
+ return 0;
+ }
+ rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+- if (blit_is_unsafe(s))
++ if (blit_is_unsafe(s, false))
+ return 0;
+ 
+ cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+--
+2.1.4
+
diff --git a/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
new file mode 100644
index 0000000000..afaf916237
--- /dev/null
+++ b/main/xen/xsa209-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
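Review bot: The new `dst_only` parameter of blit_is_unsafe disables the source-region check entirely, and nothing at the declaration states when a caller may pass `true`; the only justification is the commit text about solid fills leaving the source pitch uninitialised. A comment on the signature would stop a future caller from passing `true` for a blit that does read vram, e.g. `/* dst_only: skip the srcaddr/srcpitch check; only for blits whose source is not vram (solid fill) */`. Passing `true` from any vram-to-vram path would reopen the read-side out-of-bounds that the srcaddr/srcpitch call to blit_region_is_unsafe exists to prevent. The bodies of the three callers (patterncopy, solidfill, videotovideo_copy) start and end outside the hunk.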
@@ -0,0 +1,60 @@
+From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Tue, 21 Feb 2017 10:54:59 -0800
+Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
+ cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Reported-by: Gerd Hoffmann
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 34a6900..5901250 100644
+--- a/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+ int w;
+ 
++ if (blit_is_unsafe(s, true)) {
++ return 0;
++ }
++
+ s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+ s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+ s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ }
+ s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+ }
++
+ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+ s->cirrus_srcptr = s->cirrus_bltbuf;
+ s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+ cirrus_update_memory_access(s);
+--
+2.1.4
+
diff --git a/main/xen/xsa209-qemut.patch b/main/xen/xsa209-qemut.patch
new file mode 100644
index 0000000000..ffc574ba86
--- /dev/null
+++ b/main/xen/xsa209-qemut.patch
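Review bot: The added `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE)` in cirrus_bitblt_cputovideo is reachable from guest-programmed blitter registers, so if any srcpitch derivation between the two hunks can exceed the buffer for a width/pixelwidth combination that `blit_is_unsafe(s, true)` accepts, the guest gets a device-model abort (a DoS) instead of a rejected blit. The function already has a failure path, so failing closed is the safer shape: `if (s->cirrus_blt_srcpitch > CIRRUS_BLTBUFSIZE) return 0;`, keeping the assert only for debug builds if desired. The width-versus-CIRRUS_BLTBUFSIZE check this relies on lives inside blit_is_unsafe, not in this hunk, so the invariant holds only if that check bounds every srcpitch formula. cirrus_bitblt_cputovideo's middle and tail lie outside the hunks.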
@@ -0,0 +1,54 @@
+From: Gerd Hoffmann
+Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
+
+Reported-by: Gerd Hoffmann
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Ian Jackson
+---
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..45facb6 100644
+--- a/hw/cirrus_vga.c
++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+ int w;
+ 
++ if (blit_is_unsafe(s)) {
++ return 0;
++ }
++
+ s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+ s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+ s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ }
+ s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+ }
++
+ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+ s->cirrus_srcptr = s->cirrus_bltbuf;
+ s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+ cirrus_update_memory_access(s);
-- cgit v1.2.3
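Review bot: In the qemu-traditional variant the guard is the one-argument `blit_is_unsafe(s)`, so if that helper also validates cirrus_blt_srcaddr/srcpitch (as the pre-0001 upstream version visible in the xsa209-0001 patch does), it is now applied to a blit whose source is the CPU-fed cirrus_bltbuf rather than vram; stale or zeroed source registers could make a previously working MEMSYSSRC blit quietly return 0, the same regression class the 0001 patch fixes for solid fill on qemu-upstream. The qemut blit_is_unsafe body is outside this diff, so either confirm it tolerates an uninitialised source pitch or port the dst_only variant along with this call. The srcpitch assert shares the guest-reachable-abort concern of the upstream variant; `if (s->cirrus_blt_srcpitch > CIRRUS_BLTBUFSIZE) return 0;` fails closed without aborting the device model. cirrus_bitblt_cputovideo's middle and tail lie outside the hunks.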