From 2f3f09dfbff21fb74e50e4e3ce90c252d32ebf61 Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Mon, 19 Sep 2016 20:01:16 -0700
Subject: qemu: Secuirty fix for CVE-2016-5403 affects qemu < 2.7.0-rc0
Signed-off-by: Armin Kuster
---
 .../recipes-devtools/qemu/qemu/CVE-2016-5403.patch | 67 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.4.0.bb | 1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
new file mode 100644
index 0000000000..fe084f5b08
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
@@ -0,0 +1,67 @@
+From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi
+Date: Tue, 19 Jul 2016 13:07:13 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits, causing unbounded memory allocation in QEMU.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is not allowed by the
+VIRTIO 1.0 specification.
+
+In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
+says:
+
+ 1. The driver places the buffer into free descriptor(s) in the
+ descriptor table, chaining as necessary
+
+and
+
+ Note that the above code does not take precautions against the
+ available ring buffer wrapping around: this is not possible since the
+ ring buffer is the same size as the descriptor table, so step (1) will
+ prevent such a condition.
+
+This implies that placing more buffers into the virtqueue than the
+descriptor table size is not allowed.
+
+QEMU is missing the check to prevent this case. Processing a request
+allocates a VirtQueueElement leading to unbounded memory allocation
+controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
+Marvel Team, China.
+
+Reported-by: Zhenhao Hong
+Signed-off-by: Stefan Hajnoczi
+
+Upstream-Status: Backport
+CVE: CVE-2106-5403
+Signed-off-by: Armin Kuster
+
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ 
+ max = vq->vring.num;
+ 
++ if (vq->inuse >= vq->vring.num) {
++ error_report("Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
+ vring_set_avail_event(vq, vq->last_avail_idx);
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
index c33eb66c89..ad5ca89b96 100644
--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -29,6 +29,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://CVE-2016-6351_p1.patch \
 file://CVE-2016-6351_p2.patch \
 file://CVE-2016-4002.patch \
+ file://CVE-2016-5403.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"
-- cgit 1.2.3-korg
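Review bot: The `CVE:` tag added in the new patch header reads `CVE-2106-5403`, while the Subject line and body of the same patch, and the filename `CVE-2016-5403.patch`, all name CVE-2016-5403; the line should read `CVE: CVE-2016-5403`. Any tooling that parses this tag to record which CVEs the recipe has patched would presumably not match the mistyped identifier, so the fix could go unreported as applied even though the code change is present. The backported guard itself (`if (vq->inuse >= vq->vring.num)` before `virtqueue_get_head`) matches the upstream description in the commit message; the indentation of those lines cannot be verified from this rendering.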