From 725f84b743630e6b365b79d4d5272427ecb6150b Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Oct 29 2014 19:58:32 +0000 Subject: CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization (bz #1157647, bz #1157641) CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035) --- diff --git a/0001-loader-Add-load_image_gzipped-function.patch b/0001-loader-Add-load_image_gzipped-function.patch index a08a9cb..a442e24 100644 --- a/0001-loader-Add-load_image_gzipped-function.patch +++ b/0001-loader-Add-load_image_gzipped-function.patch @@ -1,4 +1,3 @@ -From 6665e04d68d58a93d75a51a0840534f3a0ad2402 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 19 Aug 2014 18:56:28 +0100 Subject: [PATCH] loader: Add load_image_gzipped function. diff --git a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch index fbb3e38..3f3f637 100644 --- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch +++ b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch @@ -1,4 +1,3 @@ -From f06e2812a6813c8c93fee50bd8beb5ae5d8cb871 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 19 Aug 2014 18:56:28 +0100 Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed diff --git a/0003-block.curl-adding-timeout-option.patch b/0003-block.curl-adding-timeout-option.patch index 82b144e..b003edf 100644 --- a/0003-block.curl-adding-timeout-option.patch +++ b/0003-block.curl-adding-timeout-option.patch @@ -1,4 +1,3 @@ -From 5331434dbb2a1959a8a8d153fd4553ae434cc464 Mon Sep 17 00:00:00 2001 From: Daniel Henrique Barboza Date: Wed, 13 Aug 2014 12:44:27 -0300 Subject: [PATCH] block.curl: adding 'timeout' option diff --git a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch index 9cf999a..e58b6e4 100644 
--- a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch +++ b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch @@ -1,4 +1,3 @@ -From 4b3a1a47188c5df308d51048a8a0de630c45d12c Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Fri, 29 Aug 2014 16:03:12 +0100 Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https diff --git a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch index ded64ae..b00a751 100644 --- a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch +++ b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch @@ -1,4 +1,3 @@ -From a1fd2da51b26f549d63000d3a81fbb70d7c40f4e Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 28 Aug 2014 09:04:21 +0100 Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll. diff --git a/0006-virtio-pci-enable-bus-master-for-old-guests.patch b/0006-virtio-pci-enable-bus-master-for-old-guests.patch index 9a203f8..24f54e8 100644 --- a/0006-virtio-pci-enable-bus-master-for-old-guests.patch +++ b/0006-virtio-pci-enable-bus-master-for-old-guests.patch @@ -1,4 +1,3 @@ -From a9862ff2c205aa289b62abcb7ddd03c7630f5c7a Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Thu, 11 Sep 2014 18:45:33 +0200 Subject: [PATCH] virtio-pci: enable bus master for old guests diff --git a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch index 5d37121..80e9c2e 100644 --- a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch +++ b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch @@ -1,4 +1,3 @@ -From 2c8d6826ebaf1bf846edd213f8fe8f95c0c300cb Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Thu, 11 Sep 2014 18:34:29 +0300 Subject: [PATCH] virtio-pci: fix migration for pci bus master 
diff --git a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch b/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch index c1b0103..8aa58fe 100644 --- a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch +++ b/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch @@ -1,4 +1,3 @@ -From 9d8b817bfe327873c009fa4621c0308e7f3bc5de Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Mon, 29 Sep 2014 11:27:32 +0300 Subject: [PATCH] Revert "virtio-pci: fix migration for pci bus master" diff --git a/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch b/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch new file mode 100644 index 0000000..a6caa18 --- /dev/null +++ b/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch @@ -0,0 +1,45 @@ +From: Petr Matousek +Date: Mon, 27 Oct 2014 12:41:44 +0100 +Subject: [PATCH] vnc: sanitize bits_per_pixel from the client + +bits_per_pixel that are less than 8 could result in accessing +non-initialized buffers later in the code due to the expectation +that bytes_per_pixel value that is used to initialize these buffers is +never zero. + +To fix this check that bits_per_pixel from the client is one of the +values that the rfb protocol specification allows. + +This is CVE-2014-7815. + +Signed-off-by: Petr Matousek + +[ kraxel: apply codestyle fix ] + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829) +--- + ui/vnc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/ui/vnc.c b/ui/vnc.c +index f8d9b7d..87e34ae 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs, + return; + } + ++ switch (bits_per_pixel) { ++ case 8: ++ case 16: ++ case 32: ++ break; ++ default: ++ vnc_client_error(vs); ++ return; ++ } ++ + vs->client_pf.rmax = red_max; + vs->client_pf.rbits = hweight_long(red_max); + vs->client_pf.rshift = red_shift; 
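Review bot: The new `default:` branch in set_pixel_format tears the session down with `vnc_client_error(vs)` but emits no diagnostic, so an operator investigating why a VNC client was dropped has nothing to correlate; the sibling vmware_vga checks added in 0011 at least log the offending value. Adding `VNC_DEBUG("unsupported bits_per_pixel %d\n", bits_per_pixel);` before the `vnc_client_error(vs)` call (assuming ui/vnc.h's VNC_DEBUG macro is in scope here) would give that. The accepted set 8/16/32 is what RFC 6143 permits for bits-per-pixel, so the allow-list is the right shape. set_pixel_format starts and ends outside the hunk, so whether the earlier `return;` path already validates the remaining pixel-format fields cannot be seen here.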
diff --git a/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch b/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch new file mode 100644 index 0000000..31915be --- /dev/null +++ b/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch @@ -0,0 +1,34 @@ +From: Gerd Hoffmann +Date: Wed, 29 Oct 2014 12:56:06 +0100 +Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel + +Quick & easy stopgap for CVE-2014-3689: We just compile out the +hardware acceleration functions which lack sanity checks. Thankfully +we have capability bits for them (SVGA_CAP_RECT_COPY and +SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory. + +Subsequent patches will add the missing checks and re-enable the +hardware acceleration emulation. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann +Reviewed-by: Don Koch +--- + hw/display/vmware_vga.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 591b645..4a4229b 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -29,8 +29,10 @@ + #include "hw/pci/pci.h" + + #undef VERBOSE ++#if 0 + #define HW_RECT_ACCEL + #define HW_FILL_ACCEL ++#endif + #define HW_MOUSE_ACCEL + + #include "vga_int.h" diff --git a/0011-vmware-vga-add-vmsvga_verify_rect.patch b/0011-vmware-vga-add-vmsvga_verify_rect.patch new file mode 100644 index 0000000..a48878c --- /dev/null +++ b/0011-vmware-vga-add-vmsvga_verify_rect.patch 
@@ -0,0 +1,79 @@ +From: Gerd Hoffmann +Date: Wed, 29 Oct 2014 12:56:07 +0100 +Subject: [PATCH] vmware-vga: add vmsvga_verify_rect + +Add verification function for rectangles, returning +true if verification passes and false otherwise. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann +Reviewed-by: Don Koch +--- + hw/display/vmware_vga.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 52 insertions(+), 1 deletion(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 4a4229b..f0e487f 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -294,8 +294,59 @@ enum { + SVGA_CURSOR_ON_RESTORE_TO_FB = 3, + }; + ++static inline bool vmsvga_verify_rect(DisplaySurface *surface, ++ const char *name, ++ int x, int y, int w, int h) ++{ ++ if (x < 0) { ++ fprintf(stderr, "%s: x was < 0 (%d)\n", name, x); ++ return false; ++ } ++ if (x > SVGA_MAX_WIDTH) { ++ fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x); ++ return false; ++ } ++ if (w < 0) { ++ fprintf(stderr, "%s: w was < 0 (%d)\n", name, w); ++ return false; ++ } ++ if (w > SVGA_MAX_WIDTH) { ++ fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w); ++ return false; ++ } ++ if (x + w > surface_width(surface)) { ++ fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n", ++ name, surface_width(surface), x, w); ++ return false; ++ } ++ ++ if (y < 0) { ++ fprintf(stderr, "%s: y was < 0 (%d)\n", name, y); ++ return false; ++ } ++ if (y > SVGA_MAX_HEIGHT) { ++ fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y); ++ return false; ++ } ++ if (h < 0) { ++ fprintf(stderr, "%s: h was < 0 (%d)\n", name, h); ++ return false; ++ } ++ if (h > SVGA_MAX_HEIGHT) { ++ fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h); ++ return false; ++ } ++ if (y + h > surface_height(surface)) { ++ fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n", ++ name, surface_height(surface), y, h); ++ return false; ++ } ++ ++ 
return true; ++} ++ + static inline void vmsvga_update_rect(struct vmsvga_state_s *s, +- int x, int y, int w, int h) ++ int x, int y, int w, int h) + { + DisplaySurface *surface = qemu_console_surface(s->vga.con); + int line; diff --git a/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch b/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch new file mode 100644 index 0000000..0605011 --- /dev/null +++ b/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch 
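Review bot: Every rejection in vmsvga_verify_rect writes guest-supplied values to stderr with a plain, unconditional `fprintf`, so once 0012–0014 wire it into the FIFO command path a guest issuing a stream of invalid rectangles can fill the host's log at will. QEMU's convention for guest-caused faults is `qemu_log_mask(LOG_GUEST_ERROR, "%s: x was < 0 (%d)\n", name, x);`, which stays silent unless the operator enables it; switching the ten fprintf calls to that form (adding `#include "qemu/log.h"` if vmware_vga.c does not already include it) keeps the diagnostic without the flood. The bounds logic itself is sound: bounding x, w, y, h to [0, SVGA_MAX_WIDTH/SVGA_MAX_HEIGHT] first means the later `x + w` and `y + h` sums cannot overflow before they are compared against the surface. One wording nit: the final message says `update height` while its x-axis counterpart says `width`.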
@@ -0,0 +1,61 @@ +From: Gerd Hoffmann +Date: Wed, 29 Oct 2014 12:56:08 +0100 +Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect + +Switch vmsvga_update_rect over to use vmsvga_verify_rect. Slight change +in behavior: We don't try to automatically fixup rectangles any more. +In case we find invalid update requests we'll do a full-screen update +instead. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann +Reviewed-by: Don Koch +--- + hw/display/vmware_vga.c | 32 ++++---------------------------- + 1 file changed, 4 insertions(+), 28 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index f0e487f..718746e 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -356,36 +356,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s, + uint8_t *src; + uint8_t *dst; + +- if (x < 0) { +- fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x); +- w += x; ++ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) { ++ /* go for a fullscreen update as fallback */ + x = 0; +- } +- if (w < 0) { +- fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w); +- w = 0; +- } +- if (x + w > surface_width(surface)) { +- fprintf(stderr, "%s: update width too large x: %d, w: %d\n", +- __func__, x, w); +- x = MIN(x, surface_width(surface)); +- w = surface_width(surface) - x; +- } +- +- if (y < 0) { +- fprintf(stderr, "%s: update y was < 0 (%d)\n", __func__, y); +- h += y; + y = 0; +- } +- if (h < 0) { +- fprintf(stderr, "%s: update h was < 0 (%d)\n", __func__, h); +- h = 0; +- } +- if (y + h > surface_height(surface)) { +- fprintf(stderr, "%s: update height too large y: %d, h: %d\n", +- __func__, y, h); +- y = MIN(y, surface_height(surface)); +- h = surface_height(surface) - y; ++ w = surface_width(surface); ++ h = surface_height(surface); + } + + bypl = surface_stride(surface); 
diff --git a/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch b/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch new file mode 100644 index 0000000..a101aca --- /dev/null +++ b/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch 
@@ -0,0 +1,75 @@ +From: Gerd Hoffmann +Date: Wed, 29 Oct 2014 12:56:09 +0100 +Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect + +Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann +Reviewed-by: Don Koch +--- + hw/display/vmware_vga.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 718746e..c2e0a43 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -29,8 +29,8 @@ + #include "hw/pci/pci.h" + + #undef VERBOSE +-#if 0 + #define HW_RECT_ACCEL ++#if 0 + #define HW_FILL_ACCEL + #endif + #define HW_MOUSE_ACCEL +@@ -406,7 +406,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s) + } + + #ifdef HW_RECT_ACCEL +-static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, ++static inline int vmsvga_copy_rect(struct vmsvga_state_s *s, + int x0, int y0, int x1, int y1, int w, int h) + { + DisplaySurface *surface = qemu_console_surface(s->vga.con); +@@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, + int line = h; + uint8_t *ptr[2]; + ++ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) { ++ return -1; ++ } ++ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) { ++ return -1; ++ } ++ + if (y1 > y0) { + ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1); + ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1); +@@ -432,6 +439,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, + } + + vmsvga_update_rect_delayed(s, x1, y1, w, h); ++ return 0; + } + #endif + +@@ -625,12 +633,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + width = vmsvga_fifo_read(s); + height = vmsvga_fifo_read(s); + #ifdef HW_RECT_ACCEL +- vmsvga_copy_rect(s, x, y, dx, dy, width, height); +- break; +-#else ++ if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) { ++ break; ++ 
} ++#endif + args = 0; + goto badcmd; +-#endif + + case SVGA_CMD_DEFINE_CURSOR: + len -= 8; diff --git a/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch b/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch new file mode 100644 index 0000000..efd5ae3 --- /dev/null +++ b/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch 
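Review bot: The two verify calls bound the source and destination rectangles against the DisplaySurface geometry, but the memmove loop below (outside this hunk) walks `vram` using `bypl`/`bypp`, so the check only bounds the copy if the surface is backed by that vram at the same stride; a one-line comment at the first verify call, e.g. `/* surface is backed by vram at surface_stride(), so surface bounds are vram bounds */`, would make that assumption reviewable, and the same applies to vmsvga_fill_rect in 0014. A zero-height rectangle also passes verification, and for `y1 > y0` the code then forms `vram + bypp * x0 + bypl * (y0 + h - 1)` with h == 0, i.e. a pointer one row before the buffer when y0 == 0; it is never dereferenced because `line` is 0, but an early `if (w == 0 || h == 0) { return 0; }` after the checks avoids computing it. The FIFO side is consistent in both 0013 and 0014: a rejected rectangle falls through to `args = 0; goto badcmd;`, whose handling is outside the hunk.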
@@ -0,0 +1,72 @@ +From: Gerd Hoffmann +Date: Wed, 29 Oct 2014 12:56:10 +0100 +Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect + +Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann +Reviewed-by: Don Koch +--- + hw/display/vmware_vga.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index c2e0a43..d44e3e8 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -30,9 +30,7 @@ + + #undef VERBOSE + #define HW_RECT_ACCEL +-#if 0 + #define HW_FILL_ACCEL +-#endif + #define HW_MOUSE_ACCEL + + #include "vga_int.h" +@@ -444,7 +442,7 @@ static inline int vmsvga_copy_rect(struct vmsvga_state_s *s, + #endif + + #ifdef HW_FILL_ACCEL +-static inline void vmsvga_fill_rect(struct vmsvga_state_s *s, ++static inline int vmsvga_fill_rect(struct vmsvga_state_s *s, + uint32_t c, int x, int y, int w, int h) + { + DisplaySurface *surface = qemu_console_surface(s->vga.con); +@@ -457,6 +455,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s, + uint8_t *src; + uint8_t col[4]; + ++ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) { ++ return -1; ++ } ++ + col[0] = c; + col[1] = c >> 8; + col[2] = c >> 16; +@@ -481,6 +483,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s, + } + + vmsvga_update_rect_delayed(s, x, y, w, h); ++ return 0; + } + #endif + +@@ -613,12 +616,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + width = vmsvga_fifo_read(s); + height = vmsvga_fifo_read(s); + #ifdef HW_FILL_ACCEL +- vmsvga_fill_rect(s, colour, x, y, width, height); +- break; +-#else ++ if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) { ++ break; ++ } ++#endif + args = 0; + goto badcmd; +-#endif + + case SVGA_CMD_RECT_COPY: + len -= 7; diff --git a/qemu.spec b/qemu.spec index ede4e63..89d34f3 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -152,7 +152,7 @@ Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.1.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -204,6 +204,16 @@ Patch0006: 0006-virtio-pci-enable-bus-master-for-old-guests.patch
 Patch0007: 0007-virtio-pci-fix-migration-for-pci-bus-master.patch
 # Fix PPC virtio regression (bz #1144490)
 Patch0008: 0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
+# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
+# sanitization (bz #1157647, bz #1157641)
+Patch0009: 0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
+# CVE-2014-3689 vmware_vga: insufficient parameter validation in
+# rectangle functions (bz #1153038, bz #1153035)
+Patch0010: 0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
+Patch0011: 0011-vmware-vga-add-vmsvga_verify_rect.patch
+Patch0012: 0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
+Patch0013: 0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
+Patch0014: 0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -742,6 +752,16 @@ CAC emulation development files.
 %patch0007 -p1
 # Fix PPC virtio regression (bz #1144490)
 %patch0008 -p1
+# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
+# sanitization (bz #1157647, bz #1157641)
+%patch0009 -p1
+# CVE-2014-3689 vmware_vga: insufficient parameter validation in
+# rectangle functions (bz #1153038, bz #1153035)
+%patch0010 -p1
+%patch0011 -p1
+%patch0012 -p1
+%patch0013 -p1
+%patch0014 -p1
 
 %build
 
@@ -1521,6 +1541,12 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Wed Oct 29 2014 Cole Robinson - 2:2.1.2-6
+- CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization
+ (bz #1157647, bz #1157641)
+- CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle
+ functions (bz #1153038, bz #1153035)
+
 * Fri Oct 24 2014 Danel P. Berrange - 2:2.1.2-5
 - Fix dep on numactl-devel to be build time not install time