From: "S.Çağlar Onur" <caglar@pardus.org.tr>
To: xen-devel@lists.xensource.com
Subject: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
Date: Tue, 1 May 2007 16:29:20 +0300 [thread overview]
Message-ID: <200705011629.20671.caglar@pardus.org.tr> (raw)
Hi;
If anybody is interested, the attached patch (against 3.0.4) fixes CVE-2007-1320,
CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366, which affect
qemu and also seem to apply to xen.
Cheers
--
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/
Linux is like living in a teepee. No Windows, no Gates and an Apache in house!
[-- Attachment #1.1.2: ioemu.patch --]
[-- Type: text/x-diff, Size: 13738 bytes --]
diff -r 3341afbb1953 tools/ioemu/block.c
--- a/tools/ioemu/block.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/block.c Tue May 01 16:26:32 2007 +0300
@@ -458,8 +458,15 @@ int bdrv_write(BlockDriverState *bs, int
return -1;
if (bs->read_only)
return -1;
+ if (sector_num < 0)
+ return -1;
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
memcpy(bs->boot_sector_data, buf, 512);
+ }
+ {
+ unsigned int ns = sector_num * 512;
+ if (ns < 0)
+ return -1;
}
return bs->drv->bdrv_write(bs, sector_num, buf, nb_sectors);
}
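Review bot: The `ns < 0` test in the block added after the boot-sector copy can never be true, because `ns` is declared `unsigned int`, so the intended guard on `sector_num * 512` is dead code (`-Wextra` flags the comparison). `sector_num < 0` is rejected just above, but `nb_sectors` is not, and neither value is compared with the image size, so whether a write lands past the end of the backing file is still decided only by the driver's own checks. I would drop the `ns` block and reject negative counts alongside the existing check, `if (sector_num < 0 || nb_sectors < 0) return -1;`, leaving a size-based range check to a comparison against the device geometry, which this hunk does not show. bdrv_write's signature and its first checks lie above the hunk.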
diff -r 3341afbb1953 tools/ioemu/hw/cirrus_vga.c
--- a/tools/ioemu/hw/cirrus_vga.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/cirrus_vga.c Tue May 01 16:26:32 2007 +0300
@@ -219,6 +219,20 @@
/* I/O and memory hook */
#define CIRRUS_HOOK_NOT_HANDLED 0
#define CIRRUS_HOOK_HANDLED 1
+
+#define BLTUNSAFE(s) \
+ ( \
+ ( /* check dst is within bounds */ \
+ (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \
+ + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
+ (s)->vram_size \
+ ) || \
+ ( /* check src is within bounds */ \
+ (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \
+ + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
+ (s)->vram_size \
+ ) \
+ )
struct CirrusVGAState;
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
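Review bot: BLTUNSAFE bounds each blit as `height * pitch + start`, which is only an upper bound when the pitch is positive; with a negative pitch the product is negative, the sum compares below `vram_size`, and the macro reports the blit as safe even though its rows extend downward from the start address. The last row is also `width` bytes long, which the product does not include when `width > pitch`. I would use the magnitude of each pitch, e.g. `(s)->cirrus_blt_height * abs((s)->cirrus_blt_dstpitch)` (if `<stdlib.h>` is already included, otherwise a local ABS macro), add the width term, and state in a comment above the macro that it must be evaluated before any pointer is formed from the addresses. The field types are not shown in this hunk; the signedness of the pitch is inferred from the `dstpitch < 0` test this same patch adds to cirrus_vga_rop.h, whose `_fwd_` naming suggests a backward-walking variant exists as well.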
@@ -598,7 +612,7 @@ static void cirrus_invalidate_region(Cir
for (y = 0; y < lines; y++) {
off_cur = off_begin;
- off_cur_end = off_cur + bytesperline;
+ off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
off_cur &= TARGET_PAGE_MASK;
while (off_cur < off_cur_end) {
cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
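Review bot: Only the end of the dirty range is masked here while `off_cur` still starts from the unmasked `off_begin`, so when `off_begin + bytesperline` wraps under `cirrus_addr_mask` the `while` condition is false on entry and those lines are silently never marked dirty. The callers changed in this patch compound it: the cirrus_bitblt_solidfill and cirrus_bitblt_cputovideo_next hunks below now write through `dstaddr & cirrus_addr_mask` but still pass the unmasked `s->cirrus_blt_dstaddr` to this function, so the region invalidated can differ from the region written. I would mask the start as well, `off_cur = off_begin & s->cirrus_addr_mask;`, and have those callers pass the same masked address they wrote to. The loop's setup, including where `off_begin` comes from, is above the hunk.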
@@ -613,7 +627,11 @@ static int cirrus_bitblt_common_patternc
{
uint8_t *dst;
- dst = s->vram_ptr + s->cirrus_blt_dstaddr;
+ dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+
+ if (BLTUNSAFE(s))
+ return 0;
+
(*s->cirrus_rop) (s, dst, src,
s->cirrus_blt_dstpitch, 0,
s->cirrus_blt_width, s->cirrus_blt_height);
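Review bot: The BLTUNSAFE test added here evaluates `cirrus_blt_srcaddr`/`cirrus_blt_srcpitch`, but this function reads its source through the `src` parameter, which the caller visible in this patch (cirrus_bitblt_videotovideo_patterncopy) sets to a separately masked pattern address, so the source half of the macro does not bound what is actually read and may reject a valid blit whose stale `cirrus_blt_srcaddr` happens to be large. `dst` is also formed before the check; that is only pointer arithmetic, but moving `if (BLTUNSAFE(s)) return 0;` above the `dst =` assignment makes the intent plain. A comment such as `/* only the destination bound is meaningful here; src is supplied by the caller */` would tell the next reader which half of the check applies. The function's signature and the `src` parameter are above the hunk.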
@@ -629,8 +647,11 @@ static int cirrus_bitblt_solidfill(Cirru
{
cirrus_fill_t rop_func;
+ if (BLTUNSAFE(s))
+ return 0;
+
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
- rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr,
+ rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
s->cirrus_blt_dstpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
@@ -649,8 +670,8 @@ static int cirrus_bitblt_videotovideo_pa
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
{
return cirrus_bitblt_common_patterncopy(s,
- s->vram_ptr +
- (s->cirrus_blt_srcaddr & ~7));
+ s->vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
+ s->cirrus_addr_mask));
}
static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
@@ -700,8 +721,10 @@ static void cirrus_do_copy(CirrusVGAStat
if (notify)
vga_hw_update();
- (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
- s->vram_ptr + s->cirrus_blt_srcaddr,
+ (*s->cirrus_rop) (s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->vram_ptr +
+ (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
@@ -727,8 +750,14 @@ static int cirrus_bitblt_videotovideo_co
s->cirrus_blt_srcaddr - s->start_addr,
s->cirrus_blt_width, s->cirrus_blt_height);
} else {
- (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
- s->vram_ptr + s->cirrus_blt_srcaddr,
+
+ if (BLTUNSAFE(s))
+ return 0;
+
+ (*s->cirrus_rop) (s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->vram_ptr +
+ (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
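Review bot: The `BLTUNSAFE` guard is placed only in the `else` branch, so the first branch — which passes `s->cirrus_blt_dstaddr - s->start_addr` and the width/height to what appears to be cirrus_do_copy (the arguments match its signature, and the preceding hunk shows that function blitting with only the start addresses masked) — is never bounds-checked. Masking a start address limits where a row begins, not how far `height * pitch` bytes extend from it. I would hoist `if (BLTUNSAFE(s)) return 0;` to the top of cirrus_bitblt_videotovideo_copy so both branches are covered, and drop the stray blank line added before the check. The function's `if` and its first branch begin above the hunk.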
@@ -760,8 +789,9 @@ static void cirrus_bitblt_cputovideo_nex
} else {
/* at least one scan line */
do {
- (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr,
- s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
+ (*s->cirrus_rop)(s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
s->cirrus_blt_width, 1);
s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
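Review bot: Masking `cirrus_blt_dstaddr` at the rop call bounds where each scan line starts, not where it ends: the rop still writes `cirrus_blt_width` bytes from that point, so a masked address within `width` of the end of VRAM still runs past it. The loop then advances the unmasked `s->cirrus_blt_dstaddr` by the pitch and hands the unmasked value to cirrus_invalidate_region, so once the address wraps the dirty tracking and the write no longer refer to the same offset. I would check the extent on each pass before the rop call, `if ((s->cirrus_blt_dstaddr & s->cirrus_addr_mask) + s->cirrus_blt_width > s->vram_size) return;`, and keep the masked value in a local that both the rop and the invalidate call use. The `do` loop's termination condition is below the hunk.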
@@ -1861,7 +1891,7 @@ static void cirrus_mem_writeb_mode4and5_
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vram_ptr + offset;
+ dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
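Review bot: `dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);` masks the start offset, but the loop beneath it writes eight consecutive bytes, so an `offset` masked to within seven bytes of the end of VRAM still writes past it (assuming, as the other hunks do, that `vram_size` is the masked range — not shown here). The assignment buried in the expression is also easy to misread; `offset &= s->cirrus_addr_mask;` on its own line followed by `dst = s->vram_ptr + offset;` says the same thing plainly and makes the later use of the masked `offset` obvious. The same pattern appears in the second cirrus_mem_writeb_mode4and5 hunk immediately after this one. The rest of each function, including how `offset` is used after the loop, is outside the hunks.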
@@ -1884,7 +1914,7 @@ static void cirrus_mem_writeb_mode4and5_
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vram_ptr + offset;
+ dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
diff -r 3341afbb1953 tools/ioemu/hw/cirrus_vga_rop.h
--- a/tools/ioemu/hw/cirrus_vga_rop.h Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/cirrus_vga_rop.h Tue May 01 16:26:32 2007 +0300
@@ -31,6 +31,12 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C
int x,y;
dstpitch -= bltwidth;
srcpitch -= bltwidth;
+
+ if (dstpitch < 0 || srcpitch < 0) {
+ /* is 0 valid? srcpitch == 0 could be useful */
+ return;
+ }
+
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
ROP_OP(*dst, *src);
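Review bot: The guard is committed with an open question as its comment, `/* is 0 valid? srcpitch == 0 could be useful */`, which tells a reader neither what the check protects against nor whether the rejected case is intended; a guard in a security fix should state its reason. After `dstpitch -= bltwidth`, a negative value means the pitch is narrower than the blit width, so rows would overlap and the `height * pitch` bound computed by the caller no longer covers the bytes written — that is the sentence I would put there, and I would state that `srcpitch == 0` (repeating one source row) is rejected as a known limitation rather than ask about it. The `_fwd_` name suggests a backward-walking variant lives in this header; if so, it is not covered by this hunk. The function's signature is above the hunk.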
diff -r 3341afbb1953 tools/ioemu/hw/dma.c
--- a/tools/ioemu/hw/dma.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/dma.c Tue May 01 16:26:32 2007 +0300
@@ -340,9 +340,11 @@ static void channel_run (int ncont, int
#endif
r = dma_controllers[ncont].regs + ichan;
- n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
- r->now[COUNT], (r->base[COUNT] + 1) << ncont);
- r->now[COUNT] = n;
+ if (r->transfer_handler) {
+ n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+ r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+ r->now[COUNT] = n;
+ }
ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
}
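Review bot: With `transfer_handler` NULL, the `ldebug` call after the new `if` still reads `n`, which is now assigned only inside the branch; unless `n` is initialised at its declaration (above the hunk), that is a read of an indeterminate value whenever that debug output is compiled in. Moving the `ldebug` line into the `if` body, or initialising `n` where it is declared, avoids it. A one-line comment on the branch, `/* no handler registered for this channel (presumably unclaimed); skip the transfer */`, would record why a NULL handler is treated as a no-op rather than an error.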
diff -r 3341afbb1953 tools/ioemu/hw/fdc.c
--- a/tools/ioemu/hw/fdc.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/fdc.c Tue May 01 16:26:32 2007 +0300
@@ -1110,8 +1110,13 @@ static uint32_t fdctrl_read_data (fdctrl
len = fdctrl->data_len - fdctrl->data_pos;
if (len > FD_SECTOR_LEN)
len = FD_SECTOR_LEN;
- bdrv_read(cur_drv->bs, fd_sector(cur_drv),
- fdctrl->fifo, len);
+ if (cur_drv->bs) {
+ bdrv_read(cur_drv->bs, fd_sector(cur_drv),
+ fdctrl->fifo, len);
+ } else {
+ FLOPPY_ERROR("can't read data from drive\n");
+ return 0;
+ }
}
}
retval = fdctrl->fifo[pos];
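Review bot: The new branch handles a missing block device but still ignores the return value of `bdrv_read`, so a read that fails leaves whatever the FIFO held before — the previous sector, possibly from another drive — to be returned to the guest at `retval = fdctrl->fifo[pos]`. Folding both conditions together and clearing the FIFO keeps stale data from the guest: `if (!cur_drv->bs || bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, len) < 0) { FLOPPY_ERROR("can't read data from drive\n"); memset(fdctrl->fifo, 0, FD_SECTOR_LEN); }`. The `< 0` convention is inferred from bdrv_write's `return -1` in the block.c hunk; confirm that bdrv_read matches. Returning 0 as written also leaves `data_pos` untouched, so the surrounding state machine (above and below the hunk) should be checked for how it recovers from that.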
diff -r 3341afbb1953 tools/ioemu/hw/i8259.c
--- a/tools/ioemu/hw/i8259.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/i8259.c Tue May 01 16:26:32 2007 +0300
@@ -292,9 +292,11 @@ static void pic_ioport_write(void *opaqu
s->init_state = 1;
s->init4 = val & 1;
if (val & 0x02)
- hw_error("single mode not supported");
+ /* hw_error("single mode not supported"); */
+ return;
if (val & 0x08)
- hw_error("level sensitive irq not supported");
+ /* hw_error("level sensitive irq not supported"); */
+ return;
} else if (val & 0x08) {
if (val & 0x04)
s->poll = 1;
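Review bot: Both early returns leave the controller mid-initialisation: `s->init_state = 1` and `s->init4` have already been set when the unsupported-mode bit is found, so the PIC now waits for ICW2 after a command it declined to process. If ignoring the request is the intent, reset that state before returning (e.g. `s->init_state = 0;` ahead of each `return;`) or say in a comment why leaving it set is acceptable; I cannot see the rest of the handler to tell which. The commented-out `hw_error(...)` calls should be deleted rather than kept as dead text, and a comment sitting between an `if` and its single-statement body invites the dangling-statement mistake, so brace each branch: `if (val & 0x02) { return; /* single mode unsupported: ignore */ }`.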
diff -r 3341afbb1953 tools/ioemu/hw/ne2000.c
--- a/tools/ioemu/hw/ne2000.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/ne2000.c Tue May 01 16:26:32 2007 +0300
@@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque,
{
NE2000State *s = opaque;
uint8_t *p;
- int total_len, next, avail, len, index, mcast_idx;
+ unsigned int total_len, next, avail, len, index, mcast_idx;
uint8_t buf1[60];
static const uint8_t broadcast_macaddr[6] =
{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -327,7 +327,11 @@ static void ne2000_receive(void *opaque,
/* write packet data */
while (size > 0) {
- avail = s->stop - index;
+ /* taviso: this can wrap, so check its okay. */
+ if (index <= s->stop)
+ avail = s->stop - index;
+ else
+ avail = 0;
len = size;
if (len > avail)
len = avail;
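Review bot: When `index` has moved past `s->stop`, `avail` becomes 0 and so does `len`; if the remainder of the loop (below the hunk) advances `index` only by `len`, nothing changes between iterations and `while (size > 0)` never exits, turning the former out-of-bounds write into a hang driven by the same guest-controlled ring registers. Dropping the frame instead, `if (index > s->stop) return;` (or `break` with the counters left consistent), makes the failure explicit. The `unsigned` change in this file's first hunk also makes `len = size` and `if (len > avail)` mixed-sign operations if `size` is still a signed parameter; they are harmless under the `size > 0` loop condition, but a comment saying so would save the next reader the check. Both hunks cut the function in the middle.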
diff -r 3341afbb1953 tools/ioemu/hw/pc.c
--- a/tools/ioemu/hw/pc.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/pc.c Tue May 01 16:26:32 2007 +0300
@@ -327,7 +327,8 @@ void bochs_bios_write(void *opaque, uint
case 0x400:
case 0x401:
fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
- exit(1);
+ /* according to documentation, these can be safely ignored */
+ break;
case 0x402:
case 0x403:
#ifdef DEBUG_BIOS
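Review bot: With `exit(1)` replaced by `break`, the `fprintf(stderr, ...)` before it is now reachable on every guest write to ports 0x400/0x401 (and 0x501/0x502 in the next hunk), so a guest can generate unbounded host-side log output at will; the message should be rate-limited or printed once per boot. The comment cites "documentation" without naming it; say which document (the BIOS source these ports belong to) so the claim can be checked. The `%d` conversion of `val` predates this change but is worth fixing while here if `val` is unsigned — the parameter list is cut off at the hunk header, so I cannot confirm its type.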
@@ -350,8 +351,9 @@ void bochs_bios_write(void *opaque, uint
/* LGPL'ed VGA BIOS messages */
case 0x501:
case 0x502:
+ /* according to documentation, these can be safely ignored */
fprintf(stderr, "VGA BIOS panic, line %d\n", val);
- exit(1);
+ break;
case 0x500:
case 0x503:
#ifdef DEBUG_BIOS
diff -r 3341afbb1953 tools/ioemu/hw/sb16.c
--- a/tools/ioemu/hw/sb16.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/sb16.c Tue May 01 16:26:32 2007 +0300
@@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in
s->block_size);
#endif
- while (s->left_till_irq <= 0) {
- s->left_till_irq = s->block_size + s->left_till_irq;
+ if (s->block_size) {
+ while (s->left_till_irq <= 0) {
+ s->left_till_irq = s->block_size + s->left_till_irq;
+ }
}
return dma_pos;
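Review bot: The new `if (s->block_size)` guard stops the loop only for a zero block size; if `block_size` is signed (its declaration is above the hunk), a negative guest-supplied value makes `left_till_irq` decrease on every pass and the `while` still never terminates. `if (s->block_size > 0) {` covers both, and a one-line comment, `/* block_size is guest-controlled; 0 or negative would loop forever */`, records why the guard exists.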
diff -r 3341afbb1953 tools/ioemu/target-i386/translate.c
--- a/tools/ioemu/target-i386/translate.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/target-i386/translate.c Tue May 01 16:26:32 2007 +0300
@@ -5244,7 +5244,12 @@ static target_ulong disas_insn(DisasCont
if (CODE64(s))
goto illegal_op;
val = ldub_code(s->pc++);
- gen_op_aam(val);
+ /* taviso: operand can be zero */
+ if (val) {
+ gen_op_aam(val);
+ } else {
+ gen_exception(s, EXCP00_DIVZ, s->pc - s->cs_base);
+ }
s->cc_op = CC_OP_LOGICB;
break;
case 0xd5: /* aad */
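Review bot: The exception is raised with `s->pc - s->cs_base`, but `s->pc` has already been advanced past the immediate by `ldub_code(s->pc++)` on the line above, so the #DE fault would report an EIP after the AAM instruction rather than at it; the other fault sites in this function (`gen_debug(s, pc_start - s->cs_base)` and `gen_jmp_im(pc_start - s->cs_base)` in the next hunk) use the instruction start. I would write `gen_exception(s, EXCP00_DIVZ, pc_start - s->cs_base);`. The `s->cc_op = CC_OP_LOGICB` assignment after the branch is also reached on the exception path; whether that matters depends on gen_exception ending the block, which is outside the hunk.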
@@ -5292,6 +5297,7 @@ static target_ulong disas_insn(DisasCont
gen_jmp_im(pc_start - s->cs_base);
gen_op_into(s->pc - pc_start);
break;
+#ifdef WANT_ICEBP
case 0xf1: /* icebp (undocumented, exits to external debugger) */
#if 1
gen_debug(s, pc_start - s->cs_base);
@@ -5301,6 +5307,7 @@ static target_ulong disas_insn(DisasCont
cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
#endif
break;
+#endif /* icebp */
case 0xfa: /* cli */
if (!s->vm86) {
if (s->cpl <= s->iopl) {
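Review bot: The closing `#endif /* icebp */` does not name the macro it closes; conventionally it repeats the condition, `#endif /* WANT_ICEBP */`, so a reader of this hunk can pair it with the `#ifdef` opened in the previous hunk without scrolling. Leaving `WANT_ICEBP` undefined is a functional change for guests (opcode 0xf1 presumably now falls to the `default` handling), which deserves a one-line comment at the `#ifdef` explaining why the opcode is compiled out.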
diff -r 3341afbb1953 tools/ioemu/vl.c
--- a/tools/ioemu/vl.c Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/vl.c Tue May 01 16:26:32 2007 +0300
@@ -3239,8 +3239,8 @@ typedef struct NetSocketState {
VLANClientState *vc;
int fd;
int state; /* 0 = getting length, 1 = getting data */
- int index;
- int packet_len;
+ unsigned int index;
+ unsigned int packet_len;
uint8_t buf[4096];
struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
} NetSocketState;
@@ -3271,7 +3271,8 @@ static void net_socket_send(void *opaque
static void net_socket_send(void *opaque)
{
NetSocketState *s = opaque;
- int l, size, err;
+ int size, err;
+ unsigned l;
uint8_t buf1[4096];
const uint8_t *buf;
@@ -3310,7 +3311,15 @@ static void net_socket_send(void *opaque
l = s->packet_len - s->index;
if (l > size)
l = size;
- memcpy(s->buf + s->index, buf, l);
+ if (s->index + l <= sizeof(s->buf)) {
+ memcpy(s->buf + s->index, buf, l);
+ } else {
+ fprintf(stderr, "serious error: oversized packet received,"
+ "connection terminated.\n");
+ s->state = 0;
+ goto eoc;
+ }
+
s->index += l;
buf += l;
size -= l;
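Review bot: The two string literals concatenated for the error message lack a separating space, so the text printed is `received,connection terminated.`; write `"serious error: oversized packet received, "` with the trailing space. The length check is also applied only at copy time, after `l` has been derived from a `packet_len` that came off the socket; rejecting `packet_len > sizeof(s->buf)` where the length is first read (state 0, above the hunk) would fail the connection before any data is buffered. With `l` now `unsigned` and `size` still `int`, `if (l > size)` is a mixed-sign comparison that is safe only while `size` is positive here, which the caller's receive handling (not shown) must guarantee. The `eoc` label and the rest of the receive loop are outside the hunk.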