From 8b6291f7279bfad516e232199d12f5299b339e59 Mon Sep 17 00:00:00 2001 From: Mario Preksavec Date: Sat, 4 Mar 2017 19:27:25 +0100 Subject: [PATCH] system/xen: XSA 207-210 update. Signed-off-by: Mario Preksavec --- system/xen/xen.SlackBuild | 2 +- system/xen/xsa/xsa207.patch | 31 ++++++++ system/xen/xsa/xsa208-qemut.patch | 56 +++++++++++++++ system/xen/xsa/xsa208-qemuu.patch | 54 ++++++++++++++ system/xen/xsa/xsa209-qemut.patch | 54 ++++++++++++++ ...gnore-source-pitch-value-as-needed-i.patch | 72 +++++++++++++++++++ ...is_unsafe-call-to-cirrus_bitblt_cput.patch | 60 ++++++++++++++++ system/xen/xsa/xsa210.patch | 41 +++++++++++ 8 files changed, 369 insertions(+), 1 deletion(-) create mode 100644 system/xen/xsa/xsa207.patch create mode 100644 system/xen/xsa/xsa208-qemut.patch create mode 100644 system/xen/xsa/xsa208-qemuu.patch create mode 100644 system/xen/xsa/xsa209-qemut.patch create mode 100644 system/xen/xsa/xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch create mode 100644 system/xen/xsa/xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch create mode 100644 system/xen/xsa/xsa210.patch diff --git a/system/xen/xen.SlackBuild b/system/xen/xen.SlackBuild index 9694420a23..0ce84dd55a 100644 --- a/system/xen/xen.SlackBuild +++ b/system/xen/xen.SlackBuild @@ -24,7 +24,7 @@ PRGNAM=xen VERSION=${VERSION:-4.8.0} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} SEABIOS=${SEABIOS:-1.10.0} diff --git a/system/xen/xsa/xsa207.patch b/system/xen/xsa/xsa207.patch new file mode 100644 index 0000000000..6fb86fc9d5 --- /dev/null +++ b/system/xen/xsa/xsa207.patch 
@@ -0,0 +1,31 @@ +From: Oleksandr Tyshchenko +Subject: IOMMU: always call teardown callback + +There is a possible scenario when (d)->need_iommu remains unset +during guest domain execution. For example, when no devices +were assigned to it. Taking into account that teardown callback +is not called when (d)->need_iommu is unset we might have unreleased +resourses after destroying domain. + +So, always call teardown callback to roll back actions +that were performed in init callback. + +This is XSA-207. + +Signed-off-by: Oleksandr Tyshchenko +Reviewed-by: Jan Beulich +Tested-by: Jan Beulich +Tested-by: Julien Grall + +--- a/xen/drivers/passthrough/iommu.c ++++ b/xen/drivers/passthrough/iommu.c +@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain + if ( !iommu_enabled || !dom_iommu(d)->platform_ops ) + return; + +- if ( need_iommu(d) ) +- iommu_teardown(d); ++ iommu_teardown(d); + + arch_iommu_domain_destroy(d); + } diff --git a/system/xen/xsa/xsa208-qemut.patch b/system/xen/xsa/xsa208-qemut.patch new file mode 100644 index 0000000000..c86db0f47e --- /dev/null +++ b/system/xen/xsa/xsa208-qemut.patch 
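Review bot: The unconditional `iommu_teardown(d);` means every domain reaching iommu_domain_destroy now hits the per-platform teardown callback, including domains that never had a device assigned, and the hunk records nothing about that new contract. Whether each platform's teardown tolerates a domain whose init ran but whose need_iommu stayed unset cannot be checked from here, so I would pin the expectation at the call: `/* Teardown is unconditional (XSA-207): init may have allocated state even when no device was ever assigned, so platform teardown must cope with a never-used domain. */`. iommu_domain_destroy begins before the hunk; only its early return and the teardown call are visible.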
@@ -0,0 +1,56 @@ +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] + +Cc: qemu-stable@nongnu.org +Cc: P J P +Cc: Laszlo Ersek +Cc: Paolo Bonzini +Cc: Wolfgang Bumiller +Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) +Signed-off-by: Gerd Hoffmann +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek +Signed-off-by: Stefano Stabellini +Signed-off-by: Ian Jackson +--- + hw/cirrus_vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c +index e6c3893..364e22d 100644 +--- a/hw/cirrus_vga.c ++++ b/hw/cirrus_vga.c +@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + { + if (pitch < 0) { + int64_t min = addr +- + ((int64_t)s->cirrus_blt_height-1) * pitch; +- int32_t max = addr +- + s->cirrus_blt_width; +- if (min < 0 || max >= s->vram_size) { ++ + ((int64_t)s->cirrus_blt_height - 1) * pitch ++ - s->cirrus_blt_width; ++ if (min < -1 || addr >= s->vram_size) { + return true; + } + } else { +-- +2.1.4 + diff --git a/system/xen/xsa/xsa208-qemuu.patch b/system/xen/xsa/xsa208-qemuu.patch new file mode 100644 index 0000000000..8c8ad2d451 --- /dev/null +++ b/system/xen/xsa/xsa208-qemuu.patch 
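Review bot: The file paths in this patch (`hw/cirrus_vga.c`) are relative to the qemu-traditional subtree, not the Xen top level, so the SlackBuild's patch step — which this diff does not show — must apply xsa208-qemut.patch inside that tree; an XSA patch that is skipped or fails to apply leaves CVE-2017-2615 open while the package version claims otherwise, so the build should fail loudly on a rejected patch. The new test `if (min < -1 || addr >= s->vram_size)` also appears to rely on `min` being one byte below the lowest address a backward blit touches (the last row's `addr + (height-1)*pitch` minus `width`, with each row running from `addr` downward), which is why `-1` and not `0` is the threshold; that holds only if the rop helpers index rows as `addr` down to `addr - width + 1`, and they are not in this hunk. I would add `/* min is one below the lowest byte read (rows run from addr downward), so -1 is still in range */` above the `if`. blit_region_is_unsafe's forward-pitch branch and its return are outside the hunk.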
@@ -0,0 +1,54 @@ +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] + +Cc: qemu-stable@nongnu.org +Cc: P J P +Cc: Laszlo Ersek +Cc: Paolo Bonzini +Cc: Wolfgang Bumiller +Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) +Signed-off-by: Gerd Hoffmann +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek +Signed-off-by: Stefano Stabellini +--- + hw/display/cirrus_vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index bdb092e..3bbe3d5 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + } + if (pitch < 0) { + int64_t min = addr +- + ((int64_t)s->cirrus_blt_height-1) * pitch; +- int32_t max = addr +- + s->cirrus_blt_width; +- if (min < 0 || max > s->vga.vram_size) { ++ + ((int64_t)s->cirrus_blt_height - 1) * pitch ++ - s->cirrus_blt_width; ++ if (min < -1 || addr >= s->vga.vram_size) { + return true; + } + } else { +-- +1.8.3.1 diff --git a/system/xen/xsa/xsa209-qemut.patch b/system/xen/xsa/xsa209-qemut.patch new file mode 100644 index 0000000000..444beeb2e1 --- /dev/null +++ b/system/xen/xsa/xsa209-qemut.patch 
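Review bot: `if (min < -1 || addr >= s->vga.vram_size)` leaves the `-1` unexplained, and a later reader is likely to "correct" it to `< 0` and reject a valid blit that ends on byte 0, or worse, relax it. The value appears to be an exclusive lower bound — `min` is one below the lowest byte of the last row when `addr` is the topmost address (as the kraxel note says) — so `-1` is exactly in range, but that depends on the rop helpers addressing each row as `addr` down to `addr - width + 1`, which should be confirmed against code outside this hunk. I would add `/* exclusive lower bound: min+1 is the lowest byte touched, so -1 is still in range */` above the test. The forward-pitch branch of blit_region_is_unsafe continues past the end of the hunk.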
@@ -0,0 +1,54 @@ +From: Gerd Hoffmann +Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo + +CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination +and blit width, at all. Oops. Fix it. + +Security impact: high. + +The missing blit destination check allows to write to host memory. +Basically same as CVE-2014-8106 for the other blit variants. + +The missing blit width check allows to overflow cirrus_bltbuf, +with the attractive target cirrus_srcptr (current cirrus_bltbuf write +position) being located right after cirrus_bltbuf in CirrusVGAState. + +Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker +hasn't full control over cirrus_srcptr though, only one byte can be +changed. Once the first byte has been modified further writes land +elsewhere. + +[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] + +Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj + +Reported-by: Gerd Hoffmann +Signed-off-by: Gerd Hoffmann +Signed-off-by: Ian Jackson +--- +diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c +index e6c3893..45facb6 100644 +--- a/hw/cirrus_vga.c ++++ b/hw/cirrus_vga.c +@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + { + int w; + ++ if (blit_is_unsafe(s)) { ++ return 0; ++ } ++ + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; + s->cirrus_srcptr = &s->cirrus_bltbuf[0]; + s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; +@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + } + s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; + } ++ ++ /* the blit_is_unsafe call above should catch this */ ++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); ++ + s->cirrus_srcptr = s->cirrus_bltbuf; + s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; + cirrus_update_memory_access(s); 
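Review bot: `blit_is_unsafe(s)` at the top of cirrus_bitblt_cputovideo is called without the `dst_only` distinction the qemuu variant of this fix uses (`blit_is_unsafe(s, true)`), and the trailer says the parameter was dropped only to make it compile. If qemut's blit_is_unsafe also range-checks `cirrus_blt_srcaddr`/`cirrus_blt_srcpitch` against VRAM — its body is not in this hunk — then MEMSYSSRC blits, whose source is CPU-written data rather than VRAM, can be rejected on the strength of stale source registers: a functional regression rather than a hole, but one to exercise with a guest that uses host-to-video blits before shipping. The placement before `s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;` is right, since the early `return 0` then leaves no state half-updated; I would record the intent with `/* XSA-209: reject before touching any state; for MEMSYSSRC the src registers are not VRAM coordinates */` above the call. cirrus_bitblt_cputovideo continues past the end of the hunk.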
diff --git a/system/xen/xsa/xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/system/xen/xsa/xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch new file mode 100644 index 0000000000..95f1ace5b1 --- /dev/null +++ b/system/xen/xsa/xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch 
@@ -0,0 +1,72 @@ +From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Tue, 21 Feb 2017 10:54:38 -0800 +Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in + blit_is_unsafe + +Commit 4299b90 added a check which is too broad, given that the source +pitch value is not required to be initialized for solid fill operations. +This patch refines the blit_is_unsafe() check to ignore source pitch in +that case. After applying the above commit as a security patch, we +noticed the SLES 11 SP4 guest gui failed to initialize properly. + +Signed-off-by: Bruce Rogers +Message-id: 20170109203520.5619-1-brogers@suse.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/cirrus_vga.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 7bf3707..34a6900 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + return false; + } + +-static bool blit_is_unsafe(struct CirrusVGAState *s) ++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) + { + /* should be the case, see cirrus_bitblt_start */ + assert(s->cirrus_blt_width > 0); +@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) + s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { + return true; + } ++ if (dst_only) { ++ return false; ++ } + if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, + s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { + return true; +@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, + + dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + (*s->cirrus_rop) (s, dst, src, +@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) + { + cirrus_fill_t rop_func; + +- if 
(blit_is_unsafe(s)) { ++ if (blit_is_unsafe(s, true)) { + return 0; + } + rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; +@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + + static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) + { +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, +-- +2.1.4 + diff --git a/system/xen/xsa/xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/system/xen/xsa/xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch new file mode 100644 index 0000000000..ed549f917d --- /dev/null +++ b/system/xen/xsa/xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch 
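Review bot: The new `dst_only` parameter on blit_is_unsafe is undocumented, and the call sites give opposite answers (`false` in patterncopy and videotovideo_copy, `true` in solidfill) with the rationale living only in the commit message. I would state it at the definition: `/* dst_only: skip the source-region check for operations that read no VRAM source (solid fill), whose srcaddr/srcpitch may never have been initialised. */`. The `true` path is only safe because the destination check and whatever runs before it remain unconditional; the lines between `assert(s->cirrus_blt_width > 0);` and the destination check are outside the hunk, so I could not confirm which checks those are. blit_is_unsafe's tail is likewise outside the visible range.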
@@ -0,0 +1,60 @@ +From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 21 Feb 2017 10:54:59 -0800 +Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to + cirrus_bitblt_cputovideo + +CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination +and blit width, at all. Oops. Fix it. + +Security impact: high. + +The missing blit destination check allows to write to host memory. +Basically same as CVE-2014-8106 for the other blit variants. + +The missing blit width check allows to overflow cirrus_bltbuf, +with the attractive target cirrus_srcptr (current cirrus_bltbuf write +position) being located right after cirrus_bltbuf in CirrusVGAState. + +Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker +hasn't full control over cirrus_srcptr though, only one byte can be +changed. Once the first byte has been modified further writes land +elsewhere. + +[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] + +Reported-by: Gerd Hoffmann +Signed-off-by: Gerd Hoffmann +--- + hw/display/cirrus_vga.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 34a6900..5901250 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + { + int w; + ++ if (blit_is_unsafe(s, true)) { ++ return 0; ++ } ++ + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; + s->cirrus_srcptr = &s->cirrus_bltbuf[0]; + s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; +@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + } + s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; + } ++ ++ /* the blit_is_unsafe call above should catch this */ ++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); ++ + s->cirrus_srcptr = s->cirrus_bltbuf; + s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; + cirrus_update_memory_access(s); +-- +2.1.4 + 
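Review bot: `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);` converts any gap in the reasoning into a guest-triggerable abort of the device model rather than an overflow of cirrus_bltbuf — the right trade-off — but the comment `the blit_is_unsafe call above should catch this` does not say what blit_is_unsafe is relied on to bound. Since `blit_is_unsafe(s, true)` skips the source-region check, the bound on `cirrus_blt_srcpitch` can only come from the width check inside blit_is_unsafe and from the pitch derivation between the two hunks, neither of which is visible here. I would make the dependency explicit: `/* srcpitch is derived from cirrus_blt_width, which blit_is_unsafe() bounds by CIRRUS_BLTBUFSIZE; abort rather than overflow cirrus_bltbuf */`. The remainder of cirrus_bitblt_cputovideo lies outside the hunk.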
diff --git a/system/xen/xsa/xsa210.patch b/system/xen/xsa/xsa210.patch new file mode 100644 index 0000000000..0696570c08 --- /dev/null +++ b/system/xen/xsa/xsa210.patch @@ -0,0 +1,41 @@ +From: Julien Grall +Subject: arm/p2m: remove the page from p2m->pages list before freeing it + +The p2m code is using the page list field to link all the pages used +for the stage-2 page tables. The page is added into the p2m->pages +list just after the allocation but never removed from the list. + +The page list field is also used by the allocator, not removing may +result a later Xen crash due to inconsistency (see [1]). + +This bug was introduced by the reworking of p2m code in commit 2ef3e36ec7 +"xen/arm: p2m: Introduce p2m_set_entry and __p2m_set_entry". + +[1] https://lists.xenproject.org/archives/html/xen-devel/2017-02/msg00524.html + +Reported-by: Vijaya Kumar K +Signed-off-by: Julien Grall +Reviewed-by: Stefano Stabellini + +--- a/xen/arch/arm/p2m.c ++++ b/xen/arch/arm/p2m.c +@@ -660,6 +660,7 @@ static void p2m_free_entry(struct p2m_domain *p2m, + unsigned int i; + lpae_t *table; + mfn_t mfn; ++ struct page_info *pg; + + /* Nothing to do if the entry is invalid. */ + if ( !p2m_valid(entry) ) +@@ -697,7 +698,10 @@ static void p2m_free_entry(struct p2m_domain *p2m, + mfn = _mfn(entry.p2m.base); + ASSERT(mfn_valid(mfn_x(mfn))); + +- free_domheap_page(mfn_to_page(mfn_x(mfn))); ++ pg = mfn_to_page(mfn_x(mfn)); ++ ++ page_list_del(pg, &p2m->pages); ++ free_domheap_page(pg); + } + + static bool p2m_split_superpage(struct p2m_domain *p2m, lpae_t *entry,
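Review bot: `page_list_del(pg, &p2m->pages);` immediately before `free_domheap_page(pg);` is the fix, but nothing at the call site says why the unlink is mandatory, so a later refactor that frees stage-2 table pages elsewhere could drop it again and reintroduce the crash. I would add `/* Unlink from p2m->pages before freeing: the allocator reuses the page's list field, so a stale link corrupts both lists. */` above the call. It is also worth confirming that every caller of p2m_free_entry holds whatever lock protects p2m->pages, since the list is now mutated on the free path as well as at allocation; the callers and the lock discipline are outside this hunk, as is most of p2m_free_entry's body.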