mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-25 22:08:16 -05:00
gnu: qemu: Fix CVE-2017-{5667,5898,5931}.
* gnu/packages/patches/qemu-CVE-2017-5667.patch, gnu/packages/patches/qemu-CVE-2017-5898.patch, gnu/packages/patches/qemu-CVE-2017-5931.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. gnu/packages/qemu.scm (qemu)[source]: Use them.
This commit is contained in:
parent
2c20bf62db
commit
37acc8a07b
5 changed files with 152 additions and 1 deletions
|
@ -870,7 +870,10 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/qemu-CVE-2017-5552.patch \
|
%D%/packages/patches/qemu-CVE-2017-5552.patch \
|
||||||
%D%/packages/patches/qemu-CVE-2017-5578.patch \
|
%D%/packages/patches/qemu-CVE-2017-5578.patch \
|
||||||
%D%/packages/patches/qemu-CVE-2017-5579.patch \
|
%D%/packages/patches/qemu-CVE-2017-5579.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-5667.patch \
|
||||||
%D%/packages/patches/qemu-CVE-2017-5856.patch \
|
%D%/packages/patches/qemu-CVE-2017-5856.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-5898.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-5931.patch \
|
||||||
%D%/packages/patches/qt4-ldflags.patch \
|
%D%/packages/patches/qt4-ldflags.patch \
|
||||||
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
|
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
|
||||||
%D%/packages/patches/rapicorn-isnan.patch \
|
%D%/packages/patches/rapicorn-isnan.patch \
|
||||||
|
|
46
gnu/packages/patches/qemu-CVE-2017-5667.patch
Normal file
46
gnu/packages/patches/qemu-CVE-2017-5667.patch
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):
|
||||||
|
|
||||||
|
http://seclists.org/oss-sec/2017/q1/243
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9
|
||||||
|
|
||||||
|
From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Tue, 7 Feb 2017 18:29:59 +0000
|
||||||
|
Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
|
||||||
|
|
||||||
|
While doing multi block SDMA transfer in routine
|
||||||
|
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
|
||||||
|
index 'begin' and data length 's->data_count' could end up to be same.
|
||||||
|
This could lead to an OOB access issue. Correct transfer data length
|
||||||
|
to avoid it.
|
||||||
|
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Reported-by: Jiang Xin <jiangxin1@huawei.com>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||||
|
Message-id: 20170130064736.9236-1-ppandit@redhat.com
|
||||||
|
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||||
|
---
|
||||||
|
hw/sd/sdhci.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||||
|
index 01fbf228be..5bd5ab6319 100644
|
||||||
|
--- a/hw/sd/sdhci.c
|
||||||
|
+++ b/hw/sd/sdhci.c
|
||||||
|
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||||
|
boundary_count -= block_size - begin;
|
||||||
|
}
|
||||||
|
dma_memory_read(&address_space_memory, s->sdmasysad,
|
||||||
|
- &s->fifo_buffer[begin], s->data_count);
|
||||||
|
+ &s->fifo_buffer[begin], s->data_count - begin);
|
||||||
|
s->sdmasysad += s->data_count - begin;
|
||||||
|
if (s->data_count == block_size) {
|
||||||
|
for (n = 0; n < block_size; n++) {
|
||||||
|
--
|
||||||
|
2.11.1
|
||||||
|
|
44
gnu/packages/patches/qemu-CVE-2017-5898.patch
Normal file
44
gnu/packages/patches/qemu-CVE-2017-5898.patch
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
|
||||||
|
|
||||||
|
http://seclists.org/oss-sec/2017/q1/328
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
|
||||||
|
|
||||||
|
From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Fri, 3 Feb 2017 00:52:28 +0530
|
||||||
|
Subject: [PATCH] usb: ccid: check ccid apdu length
|
||||||
|
|
||||||
|
CCID device emulator uses Application Protocol Data Units(APDU)
|
||||||
|
to exchange command and responses to and from the host.
|
||||||
|
The length in these units couldn't be greater than 65536. Add
|
||||||
|
check to ensure the same. It'd also avoid potential integer
|
||||||
|
overflow in emulated_apdu_from_guest.
|
||||||
|
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Message-id: 20170202192228.10847-1-ppandit@redhat.com
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
---
|
||||||
|
hw/usb/dev-smartcard-reader.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
|
||||||
|
index 89e11b68c4..1325ea1659 100644
|
||||||
|
--- a/hw/usb/dev-smartcard-reader.c
|
||||||
|
+++ b/hw/usb/dev-smartcard-reader.c
|
||||||
|
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
|
||||||
|
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
|
||||||
|
recv->hdr.bSeq, len);
|
||||||
|
ccid_add_pending_answer(s, (CCID_Header *)recv);
|
||||||
|
- if (s->card) {
|
||||||
|
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
|
||||||
|
ccid_card_apdu_from_guest(s->card, recv->abData, len);
|
||||||
|
} else {
|
||||||
|
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
|
||||||
|
--
|
||||||
|
2.11.1
|
||||||
|
|
55
gnu/packages/patches/qemu-CVE-2017-5931.patch
Normal file
55
gnu/packages/patches/qemu-CVE-2017-5931.patch
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests):
|
||||||
|
|
||||||
|
http://seclists.org/oss-sec/2017/q1/337
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
|
||||||
|
|
||||||
|
From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gonglei <arei.gonglei@huawei.com>
|
||||||
|
Date: Tue, 3 Jan 2017 14:50:03 +0800
|
||||||
|
Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
|
||||||
|
|
||||||
|
Because the 'size_t' type is 4 bytes in 32-bit platform, which
|
||||||
|
is the same with 'int'. It's easy to make 'max_len' to zero when
|
||||||
|
integer overflow and then cause heap overflow if 'max_len' is zero.
|
||||||
|
|
||||||
|
Using uint_64 instead of size_t to avoid the integer overflow.
|
||||||
|
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
|
||||||
|
Tested-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||||
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||||
|
---
|
||||||
|
hw/virtio/virtio-crypto.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
|
||||||
|
index 2f2467e859..c23e1ad458 100644
|
||||||
|
--- a/hw/virtio/virtio-crypto.c
|
||||||
|
+++ b/hw/virtio/virtio-crypto.c
|
||||||
|
@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
|
||||||
|
uint32_t hash_start_src_offset = 0, len_to_hash = 0;
|
||||||
|
uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
|
||||||
|
|
||||||
|
- size_t max_len, curr_size = 0;
|
||||||
|
+ uint64_t max_len, curr_size = 0;
|
||||||
|
size_t s;
|
||||||
|
|
||||||
|
/* Plain cipher */
|
||||||
|
@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
|
||||||
|
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
|
||||||
|
if (unlikely(max_len > vcrypto->conf.max_size)) {
|
||||||
|
virtio_error(vdev, "virtio-crypto too big length");
|
||||||
|
return NULL;
|
||||||
|
--
|
||||||
|
2.11.1
|
||||||
|
|
|
@ -84,7 +84,10 @@ (define-public qemu
|
||||||
"qemu-CVE-2017-5552.patch"
|
"qemu-CVE-2017-5552.patch"
|
||||||
"qemu-CVE-2017-5578.patch"
|
"qemu-CVE-2017-5578.patch"
|
||||||
"qemu-CVE-2017-5579.patch"
|
"qemu-CVE-2017-5579.patch"
|
||||||
"qemu-CVE-2017-5856.patch"))))
|
"qemu-CVE-2017-5667.patch"
|
||||||
|
"qemu-CVE-2017-5856.patch"
|
||||||
|
"qemu-CVE-2017-5898.patch"
|
||||||
|
"qemu-CVE-2017-5931.patch"))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(arguments
|
(arguments
|
||||||
'(;; Running tests in parallel can occasionally lead to failures, like:
|
'(;; Running tests in parallel can occasionally lead to failures, like:
|
||||||
|
|
Loading…
Reference in a new issue