From 72ee7cac11523a56b99282c03199b5b84326edf5 Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster@mvista.com>
Date: Mon, 19 Sep 2016 19:52:57 -0700
Subject: qemu: Security fix CVE-2016-6351

affects qemu < 2.6.0

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../qemu/qemu/CVE-2016-6351_p1.patch               | 75 ++++++++++++++++++++++
 .../qemu/qemu/CVE-2016-6351_p2.patch               | 60 +++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.5.0.bb           |  2 +
 3 files changed, 137 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch
new file mode 100644
index 0000000000..350ae2becc
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch
@@ -0,0 +1,75 @@
+From 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 16 Jun 2016 00:22:35 +0200
+Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
+
+While doing DMA read into ESP command buffer 's->cmdbuf', it could
+write past the 's->cmdbuf' area, if it was transferring more than 16
+bytes.  Increase the command buffer size to 32, which is maximum when
+'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-6351 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/scsi/esp.c         | 6 ++++--
+ include/hw/scsi/esp.h | 3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/hw/scsi/esp.c
+===================================================================
+--- qemu-2.4.0.orig/hw/scsi/esp.c
++++ qemu-2.4.0/hw/scsi/esp.c
+@@ -241,6 +241,8 @@ static void esp_do_dma(ESPState *s)
+     len = s->dma_left;
+     if (s->do_cmd) {
+         trace_esp_do_dma(s->cmdlen, len);
++        assert (s->cmdlen <= sizeof(s->cmdbuf) &&
++                len <= sizeof(s->cmdbuf) - s->cmdlen);
+         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+         s->ti_size = 0;
+         s->cmdlen = 0;
+@@ -340,7 +342,7 @@ static void handle_ti(ESPState *s)
+     s->dma_counter = dmalen;
+ 
+     if (s->do_cmd)
+-        minlen = (dmalen < 32) ? dmalen : 32;
++        minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
+     else if (s->ti_size < 0)
+         minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
+     else
+@@ -446,7 +448,7 @@ void esp_reg_write(ESPState *s, uint32_t
+         break;
+     case ESP_FIFO:
+         if (s->do_cmd) {
+-            if (s->cmdlen < TI_BUFSZ) {
++            if (s->cmdlen < ESP_CMDBUF_SZ) {
+                 s->cmdbuf[s->cmdlen++] = val & 0xff;
+             } else {
+                 trace_esp_error_fifo_overrun();
+Index: qemu-2.4.0/include/hw/scsi/esp.h
+===================================================================
+--- qemu-2.4.0.orig/include/hw/scsi/esp.h
++++ qemu-2.4.0/include/hw/scsi/esp.h
+@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shi
+ 
+ #define ESP_REGS 16
+ #define TI_BUFSZ 16
++#define ESP_CMDBUF_SZ 32
+ 
+ typedef struct ESPState ESPState;
+ 
+@@ -31,7 +32,7 @@ struct ESPState {
+     SCSIBus bus;
+     SCSIDevice *current_dev;
+     SCSIRequest *current_req;
+-    uint8_t cmdbuf[TI_BUFSZ];
++    uint8_t cmdbuf[ESP_CMDBUF_SZ];
+     uint32_t cmdlen;
+     uint32_t do_cmd;
+ 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch
new file mode 100644
index 0000000000..c4ed354e8e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch
@@ -0,0 +1,60 @@
+From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 Jun 2016 16:32:39 +0200
+Subject: [PATCH] scsi: esp: fix migration
+
+Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
+2016-06-16) changed the size of a migrated field.  Split it in two
+parts, and only migrate the second part in a new vmstate version.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-6351 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/scsi/esp.c               | 5 +++--
+ include/migration/vmstate.h | 5 ++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/hw/scsi/esp.c
+===================================================================
+--- qemu-2.4.0.orig/hw/scsi/esp.c
++++ qemu-2.4.0/hw/scsi/esp.c
+@@ -571,7 +571,7 @@ static bool esp_mem_accepts(void *opaque
+ 
+ const VMStateDescription vmstate_esp = {
+     .name ="esp",
+-    .version_id = 3,
++    .version_id = 4,
+     .minimum_version_id = 3,
+     .fields = (VMStateField[]) {
+         VMSTATE_BUFFER(rregs, ESPState),
+@@ -582,7 +582,8 @@ const VMStateDescription vmstate_esp = {
+         VMSTATE_BUFFER(ti_buf, ESPState),
+         VMSTATE_UINT32(status, ESPState),
+         VMSTATE_UINT32(dma, ESPState),
+-        VMSTATE_BUFFER(cmdbuf, ESPState),
++        VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
++        VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
+         VMSTATE_UINT32(cmdlen, ESPState),
+         VMSTATE_UINT32(do_cmd, ESPState),
+         VMSTATE_UINT32(dma_left, ESPState),
+Index: qemu-2.4.0/include/migration/vmstate.h
+===================================================================
+--- qemu-2.4.0.orig/include/migration/vmstate.h
++++ qemu-2.4.0/include/migration/vmstate.h
+@@ -778,8 +778,11 @@ extern const VMStateInfo vmstate_info_bi
+ #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size)                         \
+     VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
+ 
++#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
++    VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
++
+ #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
+-    VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
++    VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
+ 
+ #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size)                        \
+     VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index d1d718554e..feb6352531 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -22,6 +22,8 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
             file://CVE-2016-3712_p3.patch \
             file://CVE-2016-3712_p4.patch \
             file://CVE-2016-4439.patch \
+            file://CVE-2016-6351_p1.patch \
+            file://CVE-2016-6351_p2.patch \
            "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
-- 
cgit 1.2.3-korg