vapier 14/05/31 16:03:53 Added: qemu-2.0.0-usb-post-load-checks.patch qemu-2.0.0-qcow-check-max-sizes.patch qemu-2.0.0-CVE-2014-0223.patch qemu-2.0.0-CVE-2014-0222.patch qemu-2.0.0-CVE-2013-4541.patch Log: Add fixes from upstream for various CVEs #510208 #510234. (Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key D2E96200)
Revision Changes Path 1.1 app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch?rev=1.1&content-type=text/plain Index: qemu-2.0.0-usb-post-load-checks.patch =================================================================== https://bugs.gentoo.org/510208 >From 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" <m...@redhat.com> Date: Tue, 13 May 2014 12:33:16 +0300 Subject: [PATCH] usb: fix up post load checks Correct post load checks: 1. dev->setup_len == sizeof(dev->data_buf) seems fine, no need to fail migration 2. When state is DATA, passing index > len will cause memcpy with negative length, resulting in heap overflow First of the issues was reported by dgilbert. Reported-by: "Dr. David Alan Gilbert" <dgilb...@redhat.com> Signed-off-by: Michael S. Tsirkin <m...@redhat.com> Signed-off-by: Juan Quintela <quint...@redhat.com> --- hw/usb/bus.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/usb/bus.c b/hw/usb/bus.c index 699aa10..927a47b 100644 --- a/hw/usb/bus.c +++ b/hw/usb/bus.c 
@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id) } if (dev->setup_index < 0 || dev->setup_len < 0 || - dev->setup_index >= sizeof(dev->data_buf) || - dev->setup_len >= sizeof(dev->data_buf)) { + dev->setup_index > dev->setup_len || + dev->setup_len > sizeof(dev->data_buf)) { return -EINVAL; } return 0; -- 1.9.3 1.1 app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch?rev=1.1&content-type=text/plain Index: qemu-2.0.0-qcow-check-max-sizes.patch =================================================================== >From 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f Mon Sep 17 00:00:00 2001 From: Kevin Wolf <kw...@redhat.com> Date: Wed, 7 May 2014 17:30:30 +0200 Subject: [PATCH] qcow1: Check maximum cluster size Huge values for header.cluster_bits cause unbounded allocations (e.g. for s->cluster_cache) and crash qemu this way. Less huge values may survive those allocations, but can cause integer overflows later on. The only cluster sizes that qemu can create are 4k (for standalone images) and 512 (for images with backing files), so we can limit it to 64k. Cc: qemu-sta...@nongnu.org Signed-off-by: Kevin Wolf <kw...@redhat.com> Reviewed-by: Benoit Canet <ben...@irqsave.net> --- block/qcow.c | 10 ++++++-- tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++++ tests/qemu-iotests/092.out | 13 ++++++++++ tests/qemu-iotests/group | 1 + 4 files changed, 85 insertions(+), 2 deletions(-) create mode 100755 tests/qemu-iotests/092 create mode 100644 tests/qemu-iotests/092.out diff --git a/block/qcow.c b/block/qcow.c index 3684794..e60df23 100644 --- a/block/qcow.c +++ b/block/qcow.c 
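Review bot: in the hw/usb/bus.c hunk the replacement conditions `dev->setup_index > dev->setup_len` and `dev->setup_len > sizeof(dev->data_buf)` are only safe because the `setup_index < 0 || setup_len < 0` tests immediately precede them in the same expression; comparing a negative int against `sizeof()` promotes it to size_t and would pass. Add a comment on the condition stating that ordering dependency so a later reshuffle does not reintroduce the negative-length memcpy the commit message describes.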
@@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } - if (header.size <= 1 || header.cluster_bits < 9) { - error_setg(errp, "invalid value in qcow header"); + if (header.size <= 1) { + error_setg(errp, "Image size is too small (must be at least 2 bytes)"); ret = -EINVAL; goto fail; } + if (header.cluster_bits < 9 || header.cluster_bits > 16) { + error_setg(errp, "Cluster size must be between 512 and 64k"); + ret = -EINVAL; + goto fail; + } + if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL; -- 1.9.3 1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch?rev=1.1&content-type=text/plain Index: qemu-2.0.0-CVE-2014-0223.patch =================================================================== >From 46485de0cb357b57373e1ca895adedf1f3ed46ec Mon Sep 17 00:00:00 2001 From: Kevin Wolf <kw...@redhat.com> Date: Thu, 8 May 2014 13:08:20 +0200 Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223) A huge image size could cause s->l1_size to overflow. Make sure that images never require a L1 table larger than what fits in s->l1_size. This cannot only cause unbounded allocations, but also the allocation of a too small L1 table, resulting in out-of-bounds array accesses (both reads and writes). Cc: qemu-sta...@nongnu.org Signed-off-by: Kevin Wolf <kw...@redhat.com> --- block/qcow.c | 16 ++++++++++++++-- tests/qemu-iotests/092 | 9 +++++++++ tests/qemu-iotests/092.out | 7 +++++++ 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/block/qcow.c b/block/qcow.c index e8038e5..3566c05 100644 --- a/block/qcow.c +++ b/block/qcow.c 
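Review bot: the diffstat for this patch lists tests/qemu-iotests/092, 092.out and group (85 insertions across 4 files), but only the block/qcow.c hunk is carried in the backport, so the stat no longer matches the content. Either trim the header to `block/qcow.c | 10 ++++++--` or carry the iotest, which is the only regression check for the new `cluster_bits > 16` rejection. Minor: the split error messages are an improvement, but neither reports the offending value, which would help when diagnosing a rejected image.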
@@ -61,7 +61,7 @@ typedef struct BDRVQcowState { int cluster_sectors; int l2_bits; int l2_size; - int l1_size; + unsigned int l1_size; uint64_t cluster_offset_mask; uint64_t l1_table_offset; uint64_t *l1_table; @@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, /* read the level 1 table */ shift = s->cluster_bits + s->l2_bits; - s->l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (header.size > UINT64_MAX - (1LL << shift)) { + error_setg(errp, "Image too large"); + ret = -EINVAL; + goto fail; + } else { + uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift; + if (l1_size > INT_MAX / sizeof(uint64_t)) { + error_setg(errp, "Image too large"); + ret = -EINVAL; + goto fail; + } + s->l1_size = l1_size; + } s->l1_table_offset = header.l1_table_offset; s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t)); -- 1.9.3 1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch?rev=1.1&content-type=text/plain Index: qemu-2.0.0-CVE-2014-0222.patch =================================================================== >From 42eb58179b3b215bb507da3262b682b8a2ec10b5 Mon Sep 17 00:00:00 2001 
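Review bot: in the second block/qcow.c hunk the `else` after an unconditional `goto fail` only adds a nesting level; declaring `uint64_t l1_size` alongside `shift` and dropping the `else` keeps the three early-exit checks uniform. The final `s->l1_size = l1_size;` narrows uint64_t to unsigned int, which is correct only because of the preceding `l1_size > INT_MAX / sizeof(uint64_t)` bound; a comment there would make the cast's precondition explicit. As with the previous patch, the diffstat still lists the iotests that the backport does not include.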
From: Kevin Wolf <kw...@redhat.com> Date: Thu, 15 May 2014 16:10:11 +0200 Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222) Too large L2 table sizes cause unbounded allocations. Images actually created by qemu-img only have 512 byte or 4k L2 tables. To keep things consistent with cluster sizes, allow ranges between 512 bytes and 64k (in fact, down to 1 entry = 8 bytes is technically working, but L2 table sizes smaller than a cluster don't make a lot of sense). This also means that the number of bytes on the virtual disk that are described by the same L2 table is limited to at most 8k * 64k or 2^29, preventively avoiding any integer overflows. Cc: qemu-sta...@nongnu.org Signed-off-by: Kevin Wolf <kw...@redhat.com> Reviewed-by: Benoit Canet <ben...@irqsave.net> --- block/qcow.c | 8 ++++++++ tests/qemu-iotests/092 | 15 +++++++++++++++ tests/qemu-iotests/092.out | 11 +++++++++++ 3 files changed, 34 insertions(+) diff --git a/block/qcow.c b/block/qcow.c index e60df23..e8038e5 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -139,6 +139,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } + /* l2_bits specifies number of entries; storing a uint64_t in each entry, + * so bytes = num_entries << 3. */ + if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) { + error_setg(errp, "L2 table size must be between 512 and 64k"); + ret = -EINVAL; + goto fail; + } + if (header.crypt_method > QCOW_CRYPT_AES) { error_setg(errp, "invalid encryption method in qcow header"); ret = -EINVAL; -- 1.9.3 1.1 app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch?rev=1.1&content-type=text/plain Index: qemu-2.0.0-CVE-2013-4541.patch =================================================================== 
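Review bot: the index line `e60df23..e8038e5` on this block/qcow.c hunk shows it is meant to apply after the cluster-size patch (`3684794..e60df23`) and before the CVE-2014-0223 patch (`e8038e5..3566c05`), yet the commit lists the files in a different order; since the three hunks touch adjacent lines of qcow_open(), record the required apply order in the ebuild or renumber the patch files. The `9 - 3` / `16 - 3` bounds are fine given the comment, but stating the resulting entry counts (64 to 8192) in the error text would be clearer than the byte sizes.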
>From 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" <m...@redhat.com> Date: Thu, 3 Apr 2014 19:52:25 +0300 Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Gerd Hoffmann <kra...@redhat.com> Signed-off-by: Michael S. Tsirkin <m...@redhat.com> Reviewed-by: Gerd Hoffmann <kra...@redhat.com> Signed-off-by: Juan Quintela <quint...@redhat.com> --- hw/usb/bus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/usb/bus.c b/hw/usb/bus.c index fe70429..e48b19f 100644 --- a/hw/usb/bus.c +++ b/hw/usb/bus.c @@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id) } else { dev->attached = 1; } - if (dev->setup_index >= sizeof(dev->data_buf) || + if (dev->setup_index < 0 || + dev->setup_len < 0 || + dev->setup_index >= sizeof(dev->data_buf) || dev->setup_len >= sizeof(dev->data_buf)) { return -EINVAL; } -- 1.9.3
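Review bot: this hunk still rejects `setup_len == sizeof(dev->data_buf)` and does not catch `setup_index > setup_len`; the first patch in this commit (usb-post-load-checks) rewrites exactly these two lines and its context already contains the `< 0` tests added here, so the two must be applied in the order CVE-2013-4541 first, then post-load-checks. Worth documenting that ordering next to the patch list, since the file names do not imply it.

The three qcow1 header checks added above (cluster size, L2 table size, L1 table size with the overflow guards) can be read as one validation routine. The following is an added, stand-alone C reimplementation for illustration, not QEMU's own code: the `qcow1_hdr` struct is a constructed stand-in carrying only the fields the patches test, and the constants are the ones from the hunks.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the qcow1 header (not QEMU's QCowHeader);
 * only the fields the backported checks look at are modelled. */
struct qcow1_hdr {
    uint64_t size;         /* virtual disk size in bytes */
    unsigned cluster_bits; /* cluster size = 1 << cluster_bits */
    unsigned l2_bits;      /* L2 entries = 1 << l2_bits, 8 bytes each */
};

/* Applies the bounds from the qcow1 patches in the same order.
 * Returns 0 and stores the L1 entry count in *l1_size (if non-NULL),
 * or -1 when the header would lead to unbounded or overflowing sizes. */
int qcow1_validate_header(const struct qcow1_hdr *h, unsigned int *l1_size)
{
    unsigned shift;
    uint64_t l1;

    if (h->size <= 1)
        return -1;                 /* image too small */
    if (h->cluster_bits < 9 || h->cluster_bits > 16)
        return -1;                 /* cluster size must be 512..64k */
    if (h->l2_bits < 9 - 3 || h->l2_bits > 16 - 3)
        return -1;                 /* L2 table must be 512..64k bytes */

    /* Both fields are now bounded, so shift is at most 16 + 13 = 29 and
     * the shifted constants below cannot themselves overflow. */
    shift = h->cluster_bits + h->l2_bits;
    if (h->size > UINT64_MAX - (1ULL << shift))
        return -1;                 /* rounding up to a cluster would wrap */
    l1 = (h->size + (1ULL << shift) - 1) >> shift;
    if (l1 > INT_MAX / sizeof(uint64_t))
        return -1;                 /* L1 allocation size would overflow int */
    if (l1_size)
        *l1_size = (unsigned int)l1;   /* safe: bounded by INT_MAX / 8 */
    return 0;
}

/* Convenience wrapper: validate a geometry given as plain numbers. */
int qcow1_check_geometry(uint64_t size, unsigned cluster_bits, unsigned l2_bits,
                         unsigned int *l1_size)
{
    struct qcow1_hdr h = { size, cluster_bits, l2_bits };
    return qcow1_validate_header(&h, l1_size);
}
```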