From: Robert Buchholz
Subject: Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
Date: Wed, 26 Sep 2007 00:45:48 +0200
Message-ID: <200709260045.48939.rbu@gentoo.org>
References: <200705011629.20671.caglar@pardus.org.tr> <3d8eece20705011114o48e9361et898e5c999e48fbf7@mail.gmail.com>
In-Reply-To: <3d8eece20705011114o48e9361et898e5c999e48fbf7@mail.gmail.com>
To: xen-devel@lists.xensource.com, Christian.Limpach@cl.cam.ac.uk
Cc: caglar@pardus.org.tr
List-Id: xen-devel@lists.xenproject.org

On Tuesday, 1. May 2007, Christian Limpach wrote:
> On 5/1/07, S.Çağlar Onur wrote:
> > Hi;
> >
> > If anybody is interested, the attached patch (against 3.0.4) fixes
> > CVE-2007-1320, CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and
> > CVE-2007-1366, which affect qemu and also seem valid for xen.
>
> I've seen this patch before and I picked the most relevant fixes,
> cleaned them up and checked them in a while ago. I left out the ones
> which touch code we don't compile and the ones which touch code we
> don't enable by default. If somebody else cleans up those, it would
> be great to get them checked in.
>
> We have the first check to bdrv_write in block.c and we have the same
> check in bdrv_read -- we don't have that unsigned int ns < 0 check.
>
> We have a fix for the cirrus bitblit issue -- I think the fix in the
> patch you post actually doesn't cover all cases.
>
> We have the hw/dma.c null pointer check.
>
> We don't have the hw/fdc.c null pointer check. We should probably
> add that one.
>
> We don't have the hw/i8259.c change since we don't use that file.
>
> We don't have the hw/ne2000.c change since we use the rtl8139 driver
> by default -- could add that one.
>
> We don't have the hw/pc.c change since exit'ing seems safer.
>
> We don't have the hw/sb16.c change since we don't have sound by
> default -- we should probably add that one.
>
> We don't have the target-i386/translate.c changes since we don't use
> that file.
>
> We don't have the vl.c changes since we only use the network tap
> mode.

How much cleaning would the remaining fixes need? I've re-attached the
patch proposed by S.Çağlar Onur, with those issues fixed in 3.1.0
removed and only including those you marked "should/could add".

Regards,
Robert

Content-Type: text/x-diff; charset="utf-8"; name="ioemu.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="ioemu.patch"

Index: xen-3.1.0-src/tools/ioemu/block.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =2D-- xen-3.1.0-src.orig/tools/ioemu/block.c +++ xen-3.1.0-src/tools/ioemu/block.c
@@ -465,6 +465,11 @@ int bdrv_write(BlockDriverState *bs, int if (sector_num =3D=3D 0 && bs->boot_sector_enabled && nb_sectors > 0) { memcpy(bs->boot_sector_data, buf, 512); =20 } + { + unsigned int ns =3D sector_num * 512; + if (ns < 0) + return -1; + } return bs->drv->bdrv_write(bs, sector_num, buf, nb_sectors); } =20 Index: xen-3.1.0-src/tools/ioemu/hw/fdc.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =2D-- xen-3.1.0-src.orig/tools/ioemu/hw/fdc.c +++ xen-3.1.0-src/tools/ioemu/hw/fdc.c @@ -1110,8 +1110,13 @@ static uint32_t fdctrl_read_data (fdctrl len =3D fdctrl->data_len - fdctrl->data_pos; if (len > FD_SECTOR_LEN) len =3D FD_SECTOR_LEN; =2D bdrv_read(cur_drv->bs, fd_sector(cur_drv), =2D fdctrl->fifo, len); + if (cur_drv->bs) { + bdrv_read(cur_drv->bs, fd_sector(cur_drv), + fdctrl->fifo, len); + } else { + FLOPPY_ERROR("can't read data from drive\n"); + return 0; + } } } retval =3D fdctrl->fifo[pos]; Index: xen-3.1.0-src/tools/ioemu/hw/ne2000.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =2D-- xen-3.1.0-src.orig/tools/ioemu/hw/ne2000.c +++ xen-3.1.0-src/tools/ioemu/hw/ne2000.c @@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque, { NE2000State *s =3D opaque; uint8_t *p; =2D int total_len, next, avail, len, index, mcast_idx; + unsigned int total_len, next, avail, len, index, mcast_idx; uint8_t buf1[60]; static const uint8_t broadcast_macaddr[6] =3D=20 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 
@@ -327,7 +327,11 @@ static void ne2000_receive(void *opaque, =20 /* write packet data */ while (size > 0) { =2D avail =3D s->stop - index; + /* taviso: this can wrap, so check its okay. */ + if (index <=3D s->stop) + avail =3D s->stop - index; + else + avail =3D 0; len =3D size; if (len > avail) len =3D avail; Index: xen-3.1.0-src/tools/ioemu/hw/sb16.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =2D-- xen-3.1.0-src.orig/tools/ioemu/hw/sb16.c +++ xen-3.1.0-src/tools/ioemu/hw/sb16.c @@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in s->block_size); #endif =20 =2D while (s->left_till_irq <=3D 0) { =2D s->left_till_irq =3D s->block_size + s->left_till_irq; + if (s->block_size) { + while (s->left_till_irq <=3D 0) { + s->left_till_irq =3D s->block_size + s->left_till_irq; + } } =20 return dma_pos; --Boundary-01=_c+Y+GeX/v0D/zwW-- --nextPart2739558.FPVAFNHilU Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQBG+Y+cyZx3L/ph1soRAiHdAJsGARGQyeCcBdlRTybgoF/4P9HG2gCgrHlc lMc/fsAX3oCxG9quM+oFXb4= =aix5 -----END PGP SIGNATURE----- --nextPart2739558.FPVAFNHilU-- --===============0667595180== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --===============0667595180==--
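Review bot: The check added to bdrv_write in the block.c hunk can never fire: `ns` is declared `unsigned int`, so `ns < 0` is always false (and most compilers warn about exactly this comparison); this is the check Christian already left out above, and it is dead code here as well. If the goal is to reject negative requests, test the signed inputs directly, e.g. `if (sector_num < 0 || nb_sectors < 0) return -1;`, instead of a byte offset, since `sector_num * 512` stored in an `unsigned int` also truncates for large sector numbers and so cannot be range-checked meaningfully.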
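Review bot: In the fdctrl_read_data hunk (hw/fdc.c), the new `else` branch returns 0 from inside the transfer path, skipping `retval = fdctrl->fifo[pos];` and any position bookkeeping after it, so the controller is left mid-transfer with a NULL `cur_drv->bs` and the guest sees the same error on every further data-port read. That is an acceptable stop-gap for the NULL dereference, but consider also resetting the transfer state in that branch so the controller returns to a consistent idle state. It is also worth confirming that the write counterpart of this path guards `cur_drv->bs` the same way; this hunk only covers reads.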
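Review bot: The first hw/ne2000.c hunk makes all six locals in ne2000_receive unsigned at once, although only `index` and `avail` are needed for the wrap check in the following hunk. Turning `total_len`, `next`, `len` and `mcast_idx` unsigned silently changes every comparison and subtraction they take part in with signed values (the later `len = size;` now converts whatever type `size` has), and any `< 0` sanity check on these variables elsewhere in the function becomes dead code. Suggest narrowing the change to the variables the fix relies on, or auditing each remaining use of the others.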
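Review bot: In the second hw/ne2000.c hunk, clamping `avail` to 0 when `index > s->stop` stops the subtraction from wrapping, but the lines right after it are `len = size; if (len > avail) len = avail;`, so `len` becomes 0 while the loop condition is still `while (size > 0)`; if the loop body advances by `len`, it makes no progress and the device model spins forever on a packet whose receive-ring pointers the guest has set out of range, trading the original overwrite for a hang. Treat `index > s->stop` as a bogus ring configuration and drop the packet (return from ne2000_receive) instead of clamping. Nit: `index <= s->stop` also gives `avail == 0` when the two are equal, with the same progress problem, and the comment should read "check it's okay".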
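Review bot: The hw/sb16.c hunk guards the `while (s->left_till_irq <= 0)` loop only against `block_size == 0`; when that is the case SB_read_DMA now returns `dma_pos` with `left_till_irq` still non-positive, so every later DMA callback re-enters the same state and the IRQ is never rescheduled. The loop is also a repeated addition, so a small non-zero `block_size` with a large negative `left_till_irq` still costs about `-left_till_irq / block_size` iterations. Replace the loop with a single step under the same zero guard, e.g. `if (s->left_till_irq <= 0) s->left_till_irq += (-s->left_till_irq / s->block_size + 1) * s->block_size;`, and reject a zero block size at the point where it is programmed rather than here.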