
qemu-kvm update



Hi,
after wading through the open qemu issues I've prepared a QEMU kvm
update at:

    https://people.debian.org/~agx/debian-lts/

I'd be happy about any review. Debdiff attached, it's a snapshot build
on purpose so you get the correct package when the DLA is released.

It currently does not address CVE-2017-2633 and CVE-2016-9602 since
these require more backporting and I wanted to avoid running out of
time and will continue to work on this in parallel.

I've marked all CVEs that are memory leaks on device unplug and that can
only be unplugged via the monitor (not via libvirt) as no-dsa since
fixing all of them is a hopeless cause and triggering them requires
access to the monitor of some sort (root access in the guest is not
enough).

Cheers,
 -- Guido

diff --git a/debian/changelog b/debian/changelog
index ff28da0808..be4869de82 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+qemu-kvm (1.1.2+dfsg-6+deb7u20~1.gbp01559b) UNRELEASED; urgency=medium
+
+  ** SNAPSHOT build @01559b3f8d5f7c1ed1417770f7d9dba9aa29142d **
+
+  * CVE-2017-2620: cirrus: add blit_is_unsafe call to cirrus_bitblt
+  * display: cirrus: ignore source pitch value as needed in blit_is_unsafe
+    This is an update for CVE-2016-9921
+  * CVE-2017-2615: cirrus: fix oob access issue
+  * CVE-2017-5973: xhci: apply limits to loops
+  * CVE-2017-5898: usb: ccid: check ccid apdu length
+
+ -- Guido Günther <agx@sigxcpu.org>  Thu, 23 Feb 2017 17:57:04 +0100
+
 qemu-kvm (1.1.2+dfsg-6+deb7u19) wheezy-security; urgency=medium
 
   * Non-maintainer upload by the LTS Team.
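Review bot: the new deb7u20 stanza drops the "Non-maintainer upload by the LTS Team." line that the deb7u19 entry right below it carries; add it for consistency. The line "This is an update for CVE-2016-9921" also undersells what the display-cirrus patch does: its header describes a regression (SLES 11 SP4 guest GUI failing to initialize after the CVE-2016-9921 fix), so say "fixes regression introduced by the CVE-2016-9921 patch" here, since the DLA text is derived from this stanza.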
diff --git a/debian/patches/security/CVE-2017-2615-cirrus-fix-oob-access-issue.patch b/debian/patches/security/CVE-2017-2615-cirrus-fix-oob-access-issue.patch
new file mode 100644
index 0000000000..9de59c6c01
--- /dev/null
+++ b/debian/patches/security/CVE-2017-2615-cirrus-fix-oob-access-issue.patch
@@ -0,0 +1,31 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 23 Feb 2017 16:38:41 +0100
+Subject: CVE-2017-2615: cirrus: fix oob access issue
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+Upstream-Commit: 62d4c6bd5263bb8413a06c80144fc678df6dfb64d
+---
+ hw/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index a2ed2fe..b2de9c0 100644
+--- a/hw/cirrus_vga.c
++++ b/hw/cirrus_vga.c
+@@ -267,10 +267,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     }
+     if (pitch < 0) {
+         int64_t min = addr
+-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
+-        int32_t max = addr
+-            + s->cirrus_blt_width;
+-        if (min < 0 || max >= s->vga.vram_size) {
++            + ((int64_t)s->cirrus_blt_height - 1) * pitch
++            - s->cirrus_blt_width;
++        if (min < -1 || addr >= s->vga.vram_size) {
+             return true;
+         }
+     } else {
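Review bot: the Upstream-Commit value 62d4c6bd5263bb8413a06c80144fc678df6dfb64d is 41 hex digits, one more than a SHA-1, so it carries a stray trailing character; please trim it so the reference resolves. In the code itself the new lower bound `min < -1` (rather than `< 0`) is non-obvious for a backward blit, and the replacement of the `max >= vram_size` test with a plain `addr >= vram_size` test changes what is being bounded; a one-line comment in blit_region_is_unsafe stating why -1 is the permitted minimum for the backward case would help whoever reviews this path next.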
diff --git a/debian/patches/security/CVE-2017-2620-cirrus-add-blit_is_unsafe-call-to-cirrus_bi.patch b/debian/patches/security/CVE-2017-2620-cirrus-add-blit_is_unsafe-call-to-cirrus_bi.patch
new file mode 100644
index 0000000000..cecaef99a4
--- /dev/null
+++ b/debian/patches/security/CVE-2017-2620-cirrus-add-blit_is_unsafe-call-to-cirrus_bi.patch
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 23 Feb 2017 16:58:11 +0100
+Subject: CVE-2017-2620: cirrus: add blit_is_unsafe call to cirrus_bitblt
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all.  Oops.  Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+Upstream-URL: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg05244.html
+---
+ hw/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index 6d64c0f..52d9597 100644
+--- a/hw/cirrus_vga.c
++++ b/hw/cirrus_vga.c
+@@ -862,6 +862,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+     int w;
+ 
++    if (blit_is_unsafe(s, true)) {
++        return 0;
++    }
++
+     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -887,6 +891,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ 	}
+         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+     }
++
++    /* the blit_is_unsafe call above should catch this */
++    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+     s->cirrus_srcptr = s->cirrus_bltbuf;
+     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+     cirrus_update_memory_access(s);
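Review bot: the new `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE)` turns a guest-controllable value into a host-side abort unless `blit_is_unsafe(s, true)` really bounds it; with `dst_only` the function returns before the source-region checks (see the display-cirrus patch), so the assert relies on a `cirrus_blt_width <= CIRRUS_BLTBUFSIZE` check being present in wheezy's blit_is_unsafe, which this debdiff does not show. Please confirm that check exists in 1.1.2, otherwise the assert is a denial-of-service path rather than the safety net the comment describes. Minor: this header uses Upstream-URL instead of Upstream-Commit, which is fine while the fix was list-only, but worth updating once it lands so the DLA can cite the commit.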
diff --git a/debian/patches/security/CVE-2017-5898-usb-ccid-check-ccid-apdu-length.patch b/debian/patches/security/CVE-2017-5898-usb-ccid-check-ccid-apdu-length.patch
new file mode 100644
index 0000000000..b8c92ea4ef
--- /dev/null
+++ b/debian/patches/security/CVE-2017-5898-usb-ccid-check-ccid-apdu-length.patch
@@ -0,0 +1,31 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 3 Feb 2017 00:52:28 +0530
+Subject: CVE-2017-5898 usb: ccid: check ccid apdu length
+
+CCID device emulator uses Application Protocol Data Units(APDU)
+to exchange command and responses to and from the host.
+The length in these units couldn't be greater than 65536. Add
+check to ensure the same. It'd also avoid potential integer
+overflow in emulated_apdu_from_guest.
+
+The code is not compiled into Wheezy's kvm but this allows us to
+keep the patches in sync with qemu.
+
+Upstream-Commit: c7dfbf322595ded4e70b626bf83158a9f3807c6a
+---
+ hw/usb/dev-smartcard-reader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 3b7604e..99734c5 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -863,7 +863,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
+     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
+                 recv->hdr.bSeq, len);
+     ccid_add_pending_answer(s, (CCID_Header *)recv);
+-    if (s->card) {
++    if (s->card && len <= BULK_OUT_DATA_SIZE) {
+         ccid_card_apdu_from_guest(s->card, recv->abData, len);
+     } else {
+         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
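Review bot: the header says this code is not compiled into wheezy's qemu-kvm and is carried only to keep the patch set in sync, yet the changelog lists CVE-2017-5898 exactly like the other fixes; note the not-built status in the changelog as well so the DLA does not overstate the exposure. Minor: the message cites a 65536 limit while the check compares `len` against BULK_OUT_DATA_SIZE; stating that relationship in the header would make the one-line change self-explanatory.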
diff --git a/debian/patches/security/CVE-2017-5973-xhci-apply-limits-to-loops.patch b/debian/patches/security/CVE-2017-5973-xhci-apply-limits-to-loops.patch
new file mode 100644
index 0000000000..d79a27e99d
--- /dev/null
+++ b/debian/patches/security/CVE-2017-5973-xhci-apply-limits-to-loops.patch
@@ -0,0 +1,97 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 23 Feb 2017 15:43:39 +0100
+Subject: CVE-2017-5973 xhci: apply limits to loops
+
+Limits should be big enough that normal guest should not hit it.
+Add a tracepoint to log them, just in case.  Also, while being
+at it, log the existing link trb limit too.
+
+Upstream-Commit: f89b60f6e5fee3923bedf80e82b4e5efc1bb156b
+---
+ hw/usb/hcd-xhci.c | 16 +++++++++++++++-
+ trace-events      |  3 +++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index fee539f..766e04e 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -23,6 +23,7 @@
+ #include "hw/usb.h"
+ #include "hw/pci.h"
+ #include "hw/msi.h"
++#include "trace.h"
+ 
+ //#define DEBUG_XHCI
+ //#define DEBUG_DATA
+@@ -54,6 +55,8 @@
+ #define ER_FULL_HACK
+ 
+ #define TRB_LINK_LIMIT  4
++#define COMMAND_LIMIT   256
++#define TRANSFER_LIMIT  256
+ 
+ #define LEN_CAP         0x40
+ #define OFF_OPER        LEN_CAP
+@@ -727,6 +730,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+             return type;
+         } else {
+             if (++link_cnt > TRB_LINK_LIMIT) {
++                trace_usb_xhci_enforced_limit("trb-link");
+                 return 0;
+             }
+             ring->dequeue = xhci_mask64(trb->parameter);
+@@ -1672,6 +1676,7 @@ static int xhci_fire_transfer(XHCIState *xhci, XHCITransfer *xfer, XHCIEPContext
+ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid, unsigned int epid)
+ {
+     XHCIEPContext *epctx;
++    unsigned int count = 0;
+     int length;
+     int i;
+ 
+@@ -1776,6 +1781,10 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid, unsigned int epid
+             epctx->retry = xfer;
+             break;
+         }
++        if (count++ > TRANSFER_LIMIT) {
++            trace_usb_xhci_enforced_limit("transfers");
++            break;
++        }
+     }
+ }
+ 
+@@ -2164,7 +2173,7 @@ static void xhci_process_commands(XHCIState *xhci)
+     TRBType type;
+     XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS};
+     dma_addr_t addr;
+-    unsigned int i, slotid = 0;
++    unsigned int i, slotid = 0, count = 0;
+ 
+     DPRINTF("xhci_process_commands()\n");
+     if (!xhci_running(xhci)) {
+@@ -2276,6 +2285,11 @@ static void xhci_process_commands(XHCIState *xhci)
+         }
+         event.slotid = slotid;
+         xhci_event(xhci, &event);
++
++        if (count++ > COMMAND_LIMIT) {
++            trace_usb_xhci_enforced_limit("commands");
++            return;
++        }
+     }
+ }
+ 
+diff --git a/trace-events b/trace-events
+index 45c6bc1..ba8ec0f 100644
+--- a/trace-events
++++ b/trace-events
+@@ -289,6 +289,9 @@ usb_uhci_td_nextqh(uint32_t qh, uint32_t td) "qh 0x%x, td 0x%x"
+ usb_uhci_td_async(uint32_t qh, uint32_t td) "qh 0x%x, td 0x%x"
+ usb_uhci_td_complete(uint32_t qh, uint32_t td) "qh 0x%x, td 0x%x"
+ 
++# hw/usb/hcd-xhci.c
++usb_xhci_enforced_limit(const char *item) "%s"
++
+ # hw/usb/desc.c
+ usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d"
+ usb_desc_device_qualifier(int addr, int len, int ret) "dev %d query device qualifier, len %d, ret %d"
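Review bot: with `count++ > TRANSFER_LIMIT` and `count++ > COMMAND_LIMIT` the post-incremented value is compared, so each loop runs LIMIT + 2 iterations before the break/return fires; harmless at 256, but either `++count > LIMIT` or a comment saying the limit is approximate would avoid confusion in a later review. The three `trace_usb_xhci_enforced_limit` calls are the operationally useful part: a guest hitting "trb-link", "transfers" or "commands" is a signal worth watching on hosts with tracing enabled, so consider mentioning the tracepoint in the DLA text. Also confirm that trace-events is processed for hcd-xhci.c in the 1.1.2 build, since this is the first time the file includes "trace.h".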
diff --git a/debian/patches/security/display-cirrus-ignore-source-pitch-value-as-needed-in-bli.patch b/debian/patches/security/display-cirrus-ignore-source-pitch-value-as-needed-in-bli.patch
new file mode 100644
index 0000000000..732ec360a3
--- /dev/null
+++ b/debian/patches/security/display-cirrus-ignore-source-pitch-value-as-needed-in-bli.patch
@@ -0,0 +1,66 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 23 Feb 2017 17:05:30 +0100
+Subject: display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Upstream-Commit: 913a87885f589d263e682c2eb6637c6e14538061
+---
+ hw/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index b2de9c0..6d64c0f 100644
+--- a/hw/cirrus_vga.c
++++ b/hw/cirrus_vga.c
+@@ -283,7 +283,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     return false;
+ }
+ 
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+     /* should be the case, see cirrus_bitblt_start */
+     assert(s->cirrus_blt_width > 0);
+@@ -297,6 +297,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+         return true;
+     }
++    if (dst_only) {
++        return false;
++    }
+     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+         return true;
+@@ -662,7 +665,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+ 
+     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+ 
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     (*s->cirrus_rop) (s, dst, src,
+@@ -680,7 +683,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+     cirrus_fill_t rop_func;
+ 
+-    if (blit_is_unsafe(s)) {
++    if (blit_is_unsafe(s, true)) {
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -783,7 +786,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
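Review bot: the header cites "Commit 4299b90" but not CVE-2016-9921, which is how the changelog identifies this change; add the CVE to the header so the two can be cross-referenced. The signature change to `blit_is_unsafe(s, dst_only)` requires every caller to be updated: the three shown here plus the new call in the CVE-2017-2620 patch cover what is visible, and the index chain (b2de9c0..6d64c0f here, 6d64c0f..52d9597 in the CVE-2017-2620 patch) confirms this patch must apply before that one; the `dst_only` early return also means solid fills are now checked against the destination region only, which is what the header describes.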
diff --git a/debian/patches/series b/debian/patches/series
index 3cf8b19a58..c77abb51e8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -140,3 +140,8 @@ CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-lengt.patch
 9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
 security/CVE-2016-9921-check-vga-bits-per-pixel-value.patch
 security/CVE-2016-9911-fix-memory-leak-ehci_init_transfer.patch
+security/CVE-2017-5898-usb-ccid-check-ccid-apdu-length.patch
+security/CVE-2017-5973-xhci-apply-limits-to-loops.patch
+security/CVE-2017-2615-cirrus-fix-oob-access-issue.patch
+security/display-cirrus-ignore-source-pitch-value-as-needed-in-bli.patch
+security/CVE-2017-2620-cirrus-add-blit_is_unsafe-call-to-cirrus_bi.patch
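Review bot: the three cirrus patches are order-dependent (index chain a2ed2fe -> b2de9c0 -> 6d64c0f -> 52d9597) and the order here differs from the changelog, where CVE-2017-2620 is listed first; a short comment in series or in the patch headers noting that display-cirrus must precede CVE-2017-2620 would save the next backporter a failed quilt push.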
