From mboxrd@z Thu Jan 1 00:00:00 1970 From: "=?utf-8?q?S=2E=C3=87a=C4=9Flar?= Onur" Subject: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 Date: Tue, 1 May 2007 16:29:20 +0300 Message-ID: <200705011629.20671.caglar@pardus.org.tr> Reply-To: caglar@pardus.org.tr Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0893181750==" Return-path: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Mime-version: 1.0 Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: xen-devel@lists.xensource.com List-Id: xen-devel@lists.xenproject.org --===============0893181750== Content-Type: multipart/signed; boundary="nextPart1696379.aHTErlmESa"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit --nextPart1696379.aHTErlmESa Content-Type: multipart/mixed; boundary="Boundary-01=_wC0NGCae3jXwllv" Content-Transfer-Encoding: 7bit Content-Disposition: inline --Boundary-01=_wC0NGCae3jXwllv Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Hi; If anybody interested, attached patch (against 3.0.4) fixes CVE-2007-1320,= =20 CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 which affect= s=20 qemu and also seems valid for xen. Cheers =2D-=20 S.=C3=87a=C4=9Flar Onur http://cekirdek.pardus.org.tr/~caglar/ Linux is like living in a teepee. No Windows, no Gates and an Apache in hou= se! --Boundary-01=_wC0NGCae3jXwllv Content-Type: text/x-diff; charset="utf-8"; name="ioemu.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="ioemu.patch" diff -r 3341afbb1953 tools/ioemu/block.c =2D-- a/tools/ioemu/block.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/block.c Tue May 01 16:26:32 2007 +0300 @@ -458,8 +458,15 @@ int bdrv_write(BlockDriverState *bs, int return -1; if (bs->read_only) return -1; + if (sector_num < 0) + return -1; if (sector_num =3D=3D 0 && bs->boot_sector_enabled && nb_sectors > 0) { memcpy(bs->boot_sector_data, buf, 512); =20 + } + { + unsigned int ns =3D sector_num * 512; + if (ns < 0) + return -1; } return bs->drv->bdrv_write(bs, sector_num, buf, nb_sectors); } diff -r 3341afbb1953 tools/ioemu/hw/cirrus_vga.c =2D-- a/tools/ioemu/hw/cirrus_vga.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/hw/cirrus_vga.c Tue May 01 16:26:32 2007 +0300 @@ -219,6 +219,20 @@ /* I/O and memory hook */ #define CIRRUS_HOOK_NOT_HANDLED 0 #define CIRRUS_HOOK_HANDLED 1 + +#define BLTUNSAFE(s) \ + ( \ + ( /* check dst is within bounds */ \ + (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \ + + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \ + (s)->vram_size \ + ) || \ + ( /* check src is within bounds */ \ + (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \ + + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \ + (s)->vram_size \ + ) \ + ) =20 struct CirrusVGAState; typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s, @@ -598,7 +612,7 @@ static void cirrus_invalidate_region(Cir =20 for (y =3D 0; y < lines; y++) { off_cur =3D off_begin; =2D off_cur_end =3D off_cur + bytesperline; + off_cur_end =3D (off_cur + bytesperline) & s->cirrus_addr_mask; off_cur &=3D TARGET_PAGE_MASK; while (off_cur < off_cur_end) { cpu_physical_memory_set_dirty(s->vram_offset + off_cur); @@ -613,7 +627,11 @@ static int cirrus_bitblt_common_patternc { uint8_t *dst; =20 =2D dst =3D s->vram_ptr + s->cirrus_blt_dstaddr; + dst =3D s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + =20 + if (BLTUNSAFE(s)) + return 0; + (*s->cirrus_rop) (s, dst, src, s->cirrus_blt_dstpitch, 0,=20 s->cirrus_blt_width, s->cirrus_blt_height); @@ -629,8 +647,11 @@ static int cirrus_bitblt_solidfill(Cirru { cirrus_fill_t rop_func; =20 + if (BLTUNSAFE(s)) + return 0; + rop_func =3D cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwid= th - 1]; =2D rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr,=20 + rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask= ),=20 s->cirrus_blt_dstpitch, s->cirrus_blt_width, s->cirrus_blt_height); cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, @@ -649,8 +670,8 @@ static int cirrus_bitblt_videotovideo_pa static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) { return cirrus_bitblt_common_patterncopy(s, =2D s->vram_ptr +=20 =2D (s->cirrus_blt_srcaddr & ~7)= ); + s->vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &=20 + s->cirrus_addr_mask)); } =20 static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int= h) @@ -700,8 +721,10 @@ static void cirrus_do_copy(CirrusVGAStat if (notify) vga_hw_update(); =20 =2D (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr, =2D s->vram_ptr + s->cirrus_blt_srcaddr, + (*s->cirrus_rop) (s, s->vram_ptr +=20 + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vram_ptr +=20 + (s->cirrus_blt_srcaddr & s->cirrus_addr_mask), s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height); =20 @@ -727,8 +750,14 @@ static int cirrus_bitblt_videotovideo_co s->cirrus_blt_srcaddr - s->start_addr, s->cirrus_blt_width, s->cirrus_blt_height); } else { =2D (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr, =2D s->vram_ptr + s->cirrus_blt_srcaddr, + + if (BLTUNSAFE(s)) + return 0; + + (*s->cirrus_rop) (s, s->vram_ptr +=20 + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vram_ptr +=20 + (s->cirrus_blt_srcaddr & s->cirrus_addr_mask), s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch, s->cirrus_blt_width, s->cirrus_blt_height); =20 @@ -760,8 +789,9 @@ static void cirrus_bitblt_cputovideo_nex } else { /* at least one scan line */ do { =2D (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr, =2D s->cirrus_bltbuf, 0, 0, s->cirrus_blt_w= idth, 1); + (*s->cirrus_rop)(s, s->vram_ptr +=20 + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1); cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0, s->cirrus_blt_width, 1); s->cirrus_blt_dstaddr +=3D s->cirrus_blt_dstpitch; @@ -1861,7 +1891,7 @@ static void cirrus_mem_writeb_mode4and5_ unsigned val =3D mem_value; uint8_t *dst; =20 =2D dst =3D s->vram_ptr + offset; + dst =3D s->vram_ptr + (offset &=3D s->cirrus_addr_mask); for (x =3D 0; x < 8; x++) { if (val & 0x80) { *dst =3D s->cirrus_shadow_gr1; @@ -1884,7 +1914,7 @@ static void cirrus_mem_writeb_mode4and5_ unsigned val =3D mem_value; uint8_t *dst; =20 =2D dst =3D s->vram_ptr + offset; + dst =3D s->vram_ptr + (offset &=3D s->cirrus_addr_mask); for (x =3D 0; x < 8; x++) { if (val & 0x80) { *dst =3D s->cirrus_shadow_gr1; diff -r 3341afbb1953 tools/ioemu/hw/cirrus_vga_rop.h =2D-- a/tools/ioemu/hw/cirrus_vga_rop.h Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/hw/cirrus_vga_rop.h Tue May 01 16:26:32 2007 +0300 @@ -31,6 +31,12 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C int x,y; dstpitch -=3D bltwidth; srcpitch -=3D bltwidth; + + if (dstpitch < 0 || srcpitch < 0) { + /* is 0 valid? srcpitch =3D=3D 0 could be useful */ + return; + } + for (y =3D 0; y < bltheight; y++) { for (x =3D 0; x < bltwidth; x++) { ROP_OP(*dst, *src); diff -r 3341afbb1953 tools/ioemu/hw/dma.c =2D-- a/tools/ioemu/hw/dma.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/hw/dma.c Tue May 01 16:26:32 2007 +0300 @@ -340,9 +340,11 @@ static void channel_run (int ncont, int=20 #endif =20 r =3D dma_controllers[ncont].regs + ichan; =2D n =3D r->transfer_handler (r->opaque, ichan + (ncont << 2), =2D r->now[COUNT], (r->base[COUNT] + 1) << ncon= t); =2D r->now[COUNT] =3D n; + if (r->transfer_handler) { + n =3D r->transfer_handler (r->opaque, ichan + (ncont << 2), + r->now[COUNT], (r->base[COUNT] + 1) << nc= ont); + r->now[COUNT] =3D n; + } ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont); } =20 diff -r 3341afbb1953 tools/ioemu/hw/fdc.c =2D-- a/tools/ioemu/hw/fdc.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/hw/fdc.c Tue May 01 16:26:32 2007 +0300 @@ -1110,8 +1110,13 @@ static uint32_t fdctrl_read_data (fdctrl len =3D fdctrl->data_len - fdctrl->data_pos; if (len > FD_SECTOR_LEN) len =3D FD_SECTOR_LEN; =2D bdrv_read(cur_drv->bs, fd_sector(cur_drv), =2D fdctrl->fifo, len); + if (cur_drv->bs) { + bdrv_read(cur_drv->bs, fd_sector(cur_drv), + fdctrl->fifo, len); + } else { + FLOPPY_ERROR("can't read data from drive\n"); + return 0; + } } } retval =3D fdctrl->fifo[pos]; diff -r 3341afbb1953 tools/ioemu/hw/i8259.c =2D-- a/tools/ioemu/hw/i8259.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/hw/i8259.c Tue May 01 16:26:32 2007 +0300 @@ -292,9 +292,11 @@ static void pic_ioport_write(void *opaqu s->init_state =3D 1; s->init4 =3D val & 1; if (val & 0x02) =2D hw_error("single mode not supported"); + /* hw_error("single mode not supported"); */ + return; if (val & 0x08) =2D hw_error("level sensitive irq not supported"); + /* hw_error("level sensitive irq not supported"); */ + return; } else if (val & 0x08) { if (val & 0x04) s->poll =3D 1; diff -r 3341afbb1953 tools/ioemu/hw/ne2000.c =2D-- a/tools/ioemu/hw/ne2000.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/hw/ne2000.c Tue May 01 16:26:32 2007 +0300 @@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque, { NE2000State *s =3D opaque; uint8_t *p; =2D int total_len, next, avail, len, index, mcast_idx; + unsigned int total_len, next, avail, len, index, mcast_idx; uint8_t buf1[60]; static const uint8_t broadcast_macaddr[6] =3D=20 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; @@ -327,7 +327,11 @@ static void ne2000_receive(void *opaque, =20 /* write packet data */ while (size > 0) { =2D avail =3D s->stop - index; + /* taviso: this can wrap, so check its okay. */ + if (index <=3D s->stop) + avail =3D s->stop - index; + else + avail =3D 0; len =3D size; if (len > avail) len =3D avail; diff -r 3341afbb1953 tools/ioemu/hw/pc.c =2D-- a/tools/ioemu/hw/pc.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/hw/pc.c Tue May 01 16:26:32 2007 +0300 @@ -327,7 +327,8 @@ void bochs_bios_write(void *opaque, uint case 0x400: case 0x401: fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val); =2D exit(1); + /* according to documentation, these can be safely ignored */ + break; case 0x402: case 0x403: #ifdef DEBUG_BIOS @@ -350,8 +351,9 @@ void bochs_bios_write(void *opaque, uint /* LGPL'ed VGA BIOS messages */ case 0x501: case 0x502: + /* according to documentation, these can be safely ignored */ fprintf(stderr, "VGA BIOS panic, line %d\n", val); =2D exit(1); + break; case 0x500: case 0x503: #ifdef DEBUG_BIOS diff -r 3341afbb1953 tools/ioemu/hw/sb16.c =2D-- a/tools/ioemu/hw/sb16.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/hw/sb16.c Tue May 01 16:26:32 2007 +0300 @@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in s->block_size); #endif =20 =2D while (s->left_till_irq <=3D 0) { =2D s->left_till_irq =3D s->block_size + s->left_till_irq; + if (s->block_size) { + while (s->left_till_irq <=3D 0) { + s->left_till_irq =3D s->block_size + s->left_till_irq; + } } =20 return dma_pos; diff -r 3341afbb1953 tools/ioemu/target-i386/translate.c =2D-- a/tools/ioemu/target-i386/translate.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/target-i386/translate.c Tue May 01 16:26:32 2007 +0300 @@ -5244,7 +5244,12 @@ static target_ulong disas_insn(DisasCont if (CODE64(s)) goto illegal_op; val =3D ldub_code(s->pc++); =2D gen_op_aam(val); + /* taviso: operand can be zero */ + if (val) { + gen_op_aam(val); + } else { + gen_exception(s, EXCP00_DIVZ, s->pc - s->cs_base); + } s->cc_op =3D CC_OP_LOGICB; break; case 0xd5: /* aad */ @@ -5292,6 +5297,7 @@ static target_ulong disas_insn(DisasCont gen_jmp_im(pc_start - s->cs_base); gen_op_into(s->pc - pc_start); break; +#ifdef WANT_ICEBP case 0xf1: /* icebp (undocumented, exits to external debugger) */ #if 1 gen_debug(s, pc_start - s->cs_base); @@ -5301,6 +5307,7 @@ static target_ulong disas_insn(DisasCont cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM); #endif break; +#endif /* icebp */ case 0xfa: /* cli */ if (!s->vm86) { if (s->cpl <=3D s->iopl) { diff -r 3341afbb1953 tools/ioemu/vl.c =2D-- a/tools/ioemu/vl.c Thu Feb 15 11:34:58 2007 +0000 +++ b/tools/ioemu/vl.c Tue May 01 16:26:32 2007 +0300 @@ -3239,8 +3239,8 @@ typedef struct NetSocketState { VLANClientState *vc; int fd; int state; /* 0 =3D getting length, 1 =3D getting data */ =2D int index; =2D int packet_len; + unsigned int index; + unsigned int packet_len; uint8_t buf[4096]; struct sockaddr_in dgram_dst; /* contains inet host and port destinati= on iff connectionless (SOCK_DGRAM) */ } NetSocketState; @@ -3271,7 +3271,8 @@ static void net_socket_send(void *opaque static void net_socket_send(void *opaque) { NetSocketState *s =3D opaque; =2D int l, size, err; + int size, err; + unsigned l; uint8_t buf1[4096]; const uint8_t *buf; =20 @@ -3310,7 +3311,15 @@ static void net_socket_send(void *opaque l =3D s->packet_len - s->index; if (l > size) l =3D size; =2D memcpy(s->buf + s->index, buf, l); + if (s->index + l <=3D sizeof(s->buf)) { + memcpy(s->buf + s->index, buf, l); + } else { + fprintf(stderr, "serious error: oversized packet received," + "connection terminated.\n"); + s->state =3D 0; + goto eoc; + } + s->index +=3D l; buf +=3D l; size -=3D l; --Boundary-01=_wC0NGCae3jXwllv-- --nextPart1696379.aHTErlmESa Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.3 (GNU/Linux) iD8DBQBGN0Cwy7E6i0LKo6YRArPzAJ4zSLOXqd3Pv5eZeTd/SjpaJiKZ3QCffCTz e8B07nYJSDLh8J664xo1Mao= =olUb -----END PGP SIGNATURE----- --nextPart1696379.aHTErlmESa-- --===============0893181750== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --===============0893181750==--