[gnome-continuous-yocto/gnomeostree-3.22-krogoth: 68/246] qemu: Secuirty fix for CVE-2016-5403



commit 76aa0c3d5d99661ccc0272257899ad0df21f445a
Author: Armin Kuster <akuster mvista com>
Date:   Mon Sep 19 20:01:16 2016 -0700

    qemu: Secuirty fix for CVE-2016-5403
    
    affects qemu < 2.7.0-rc0
    
    (From OE-Core rev: c53820180cdccd97de1f314078570fac1ff16052)
    
    Signed-off-by: Armin Kuster <akuster mvista com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../recipes-devtools/qemu/qemu/CVE-2016-5403.patch |   67 ++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.5.0.bb           |    1 +
 2 files changed, 68 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
new file mode 100644
index 0000000..fe084f5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
@@ -0,0 +1,67 @@
+From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha redhat com>
+Date: Tue, 19 Jul 2016 13:07:13 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits, causing unbounded memory allocation in QEMU.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is not allowed by the
+VIRTIO 1.0 specification.
+
+In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
+says:
+
+  1. The driver places the buffer into free descriptor(s) in the
+     descriptor table, chaining as necessary
+
+and
+
+  Note that the above code does not take precautions against the
+  available ring buffer wrapping around: this is not possible since the
+  ring buffer is the same size as the descriptor table, so step (1) will
+  prevent such a condition.
+
+This implies that placing more buffers into the virtqueue than the
+descriptor table size is not allowed.
+
+QEMU is missing the check to prevent this case.  Processing a request
+allocates a VirtQueueElement leading to unbounded memory allocation
+controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
+Marvel Team, China.
+
+Reported-by: Zhenhao Hong <hongzhenhao 360 cn>
+Signed-off-by: Stefan Hajnoczi <stefanha redhat com>
+
+Upstream-Status: Backport
+CVE: CVE-2106-5403
+Signed-off-by: Armin Kuster <akuster mvista com>
+
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ 
+     max = vq->vring.num;
+ 
++    if (vq->inuse >= vq->vring.num) {
++        error_report("Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
+         vring_set_avail_event(vq, vq->last_avail_idx);
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 0ffec98..ed8d911 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -25,6 +25,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
             file://CVE-2016-6351_p1.patch \
             file://CVE-2016-6351_p2.patch \
             file://CVE-2016-4002.patch \
+            file://CVE-2016-5403.patch \
            "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2";
 SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]