* [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and  CVE-2007-1366
@ 2007-05-01 13:29 S.Çağlar Onur
  2007-05-01 13:44 ` Keir Fraser
  2007-05-01 18:14 ` Christian Limpach
  0 siblings, 2 replies; 11+ messages in thread
From: S.Çağlar Onur @ 2007-05-01 13:29 UTC (permalink / raw)
  To: xen-devel


[-- Attachment #1.1.1: Type: text/plain, Size: 376 bytes --]

Hi;

If anybody is interested, the attached patch (against 3.0.4) fixes CVE-2007-1320, 
CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366, which affect 
qemu; it also seems valid for xen.

Cheers
-- 
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

[-- Attachment #1.1.2: ioemu.patch --]
[-- Type: text/x-diff, Size: 13738 bytes --]

diff -r 3341afbb1953 tools/ioemu/block.c
--- a/tools/ioemu/block.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/block.c	Tue May 01 16:26:32 2007 +0300
@@ -458,8 +458,15 @@ int bdrv_write(BlockDriverState *bs, int
         return -1;
     if (bs->read_only)
         return -1;
+    if (sector_num < 0)
+        return -1;
     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
         memcpy(bs->boot_sector_data, buf, 512);   
+    }
+    {
+        unsigned int ns = sector_num * 512;
+        if (ns < 0)
+            return -1;
     }
     return bs->drv->bdrv_write(bs, sector_num, buf, nb_sectors);
 }
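Review bot: The added block `unsigned int ns = sector_num * 512; if (ns < 0) return -1;` can never reject anything, because an unsigned value is never negative; the compiler will fold the comparison away and most will warn about it. The `sector_num < 0` guard added two lines above already covers negative sectors, so the block should be dropped, or replaced by a real range check against the device size if that is what was intended (no size field is visible in this hunk). The same dead check is re-proposed, on its own, in the re-attached 3.1.0 patch later in this thread.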
diff -r 3341afbb1953 tools/ioemu/hw/cirrus_vga.c
--- a/tools/ioemu/hw/cirrus_vga.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/cirrus_vga.c	Tue May 01 16:26:32 2007 +0300
@@ -219,6 +219,20 @@
 /* I/O and memory hook */
 #define CIRRUS_HOOK_NOT_HANDLED 0
 #define CIRRUS_HOOK_HANDLED 1
+
+#define BLTUNSAFE(s) \
+    ( \
+        ( /* check dst is within bounds */ \
+            (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \
+                + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
+                    (s)->vram_size \
+        ) || \
+        ( /* check src is within bounds */ \
+            (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \
+                + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
+                    (s)->vram_size \
+        ) \
+    )
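Review bot: BLTUNSAFE bounds each side of the blit by `height * pitch` only, so the width of the last row is never accounted for: a blit whose `cirrus_blt_width` exceeds its pitch, or whose final row begins within `cirrus_blt_width` of `vram_size`, still runs past the end of VRAM. If these fields are signed (the rop header later in this series explicitly guards `dstpitch < 0`, so negative pitches are evidently possible), a negative pitch makes the product negative and the comparison trivially false. A `static inline int blt_unsafe(const CirrusVGAState *s)` would be easier to read and type-check than the macro, and the extent should be something like `(height - 1) * pitch + width + (addr & mask) > vram_size` for each side.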
 
 struct CirrusVGAState;
 typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
@@ -598,7 +612,7 @@ static void cirrus_invalidate_region(Cir
 
     for (y = 0; y < lines; y++) {
 	off_cur = off_begin;
-	off_cur_end = off_cur + bytesperline;
+	off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
 	off_cur &= TARGET_PAGE_MASK;
 	while (off_cur < off_cur_end) {
 	    cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
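Review bot: Masking `off_cur_end` can make it smaller than `off_cur` when a line crosses the end of the masked address space, and `while (off_cur < off_cur_end)` then runs zero times, so the wrapped tail of that line is never marked dirty. If dropping the wrapped tail is deliberate, say so where the mask is applied: `/* a line that wraps past cirrus_addr_mask is not dirtied; only the in-range part matters */`; otherwise clamp `off_cur_end` to `s->cirrus_addr_mask + 1` rather than masking it. cirrus_invalidate_region begins outside the hunk.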
@@ -613,7 +627,11 @@ static int cirrus_bitblt_common_patternc
 {
     uint8_t *dst;
 
-    dst = s->vram_ptr + s->cirrus_blt_dstaddr;
+    dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+    
+    if (BLTUNSAFE(s))
+        return 0;
+
     (*s->cirrus_rop) (s, dst, src,
                       s->cirrus_blt_dstpitch, 0, 
                       s->cirrus_blt_width, s->cirrus_blt_height);
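Review bot: `dst` is formed from `vram_ptr` before `BLTUNSAFE(s)` is evaluated; computing a pointer beyond the end of the VRAM buffer is already undefined behaviour even if it is never dereferenced, so the check belongs first. Swap the two statements: `if (BLTUNSAFE(s)) return 0;` and only then `dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);`. The `src` pointer is the caller's responsibility here, which is worth a one-line comment on the parameter since only some callers are changed in this patch.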
@@ -629,8 +647,11 @@ static int cirrus_bitblt_solidfill(Cirru
 {
     cirrus_fill_t rop_func;
 
+    if (BLTUNSAFE(s))
+        return 0;
+
     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-    rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr, 
+    rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), 
              s->cirrus_blt_dstpitch,
              s->cirrus_blt_width, s->cirrus_blt_height);
     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
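Review bot: The fill now writes through the masked address, but the `cirrus_invalidate_region` call on the last line still receives the raw `s->cirrus_blt_dstaddr`, so dirty tracking and the actual write can disagree about where the data went. Compute the masked value once into a local of the field's type and pass it to both `rop_func` and `cirrus_invalidate_region`. The same raw/masked mismatch is present in the cputovideo scan-line loop later in this file.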
@@ -649,8 +670,8 @@ static int cirrus_bitblt_videotovideo_pa
 static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
 {
     return cirrus_bitblt_common_patterncopy(s,
-					    s->vram_ptr + 
-                                            (s->cirrus_blt_srcaddr & ~7));
+					    s->vram_ptr + ((s->cirrus_blt_srcaddr & ~7) & 
+                        s->cirrus_addr_mask));
 }
 
 static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
@@ -700,8 +721,10 @@ static void cirrus_do_copy(CirrusVGAStat
     if (notify)
 	vga_hw_update();
 
-    (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
-		      s->vram_ptr + s->cirrus_blt_srcaddr,
+    (*s->cirrus_rop) (s, s->vram_ptr + 
+                (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+		      s->vram_ptr + 
+                (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
 		      s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
 		      s->cirrus_blt_width, s->cirrus_blt_height);
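Review bot: This path masks the start of the source and destination but has no `BLTUNSAFE(s)` check, unlike the other `cirrus_rop` call sites touched by this patch, so a blit whose `height * pitch` extent is too large can still walk out of VRAM even though its start address is in range. cirrus_do_copy begins outside the hunk, so the check may exist earlier; if it does not, add `if (BLTUNSAFE(s)) return;` before the `notify` block so the display is not flushed for a blit that is then rejected.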
 
@@ -727,8 +750,14 @@ static int cirrus_bitblt_videotovideo_co
 		       s->cirrus_blt_srcaddr - s->start_addr,
 		       s->cirrus_blt_width, s->cirrus_blt_height);
     } else {
-	(*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
-			  s->vram_ptr + s->cirrus_blt_srcaddr,
+
+    if (BLTUNSAFE(s))
+        return 0;
+
+	(*s->cirrus_rop) (s, s->vram_ptr + 
+                (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+			  s->vram_ptr + 
+                (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
 			  s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
 			  s->cirrus_blt_width, s->cirrus_blt_height);
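Review bot: The new `if (BLTUNSAFE(s)) return 0;` is indented with spaces at the level of the enclosing `if`, which makes it read as if it sat outside the tab-indented `else {` block it is actually inside, and it only guards the `else` path; the branch just above, which passes the unmasked `s->cirrus_blt_srcaddr - s->start_addr`, is not guarded in this hunk. Re-indent the check to match the surrounding code and consider hoisting it above the `if`/`else` so both paths are covered. The function begins outside the hunk.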
 
@@ -760,8 +789,9 @@ static void cirrus_bitblt_cputovideo_nex
         } else {
             /* at least one scan line */
             do {
-                (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr,
-                                 s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
+                (*s->cirrus_rop)(s, s->vram_ptr + 
+                    (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+                        s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
                 cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
                                          s->cirrus_blt_width, 1);
                 s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
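Review bot: Masking `cirrus_blt_dstaddr` per scan line bounds only the first byte of each row; the `cirrus_rop` call still writes `cirrus_blt_width` bytes from there, so a row that starts within `cirrus_blt_width` of `vram_size` still overruns. Check the row end before the call, along the lines of `if ((s->cirrus_blt_dstaddr & s->cirrus_addr_mask) + s->cirrus_blt_width > s->vram_size) break;` (or return, depending on how the enclosing loop is meant to finish). The `cirrus_invalidate_region` call on the next line is still handed the unmasked address. The enclosing loop starts and ends outside the hunk.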
@@ -1861,7 +1891,7 @@ static void cirrus_mem_writeb_mode4and5_
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vram_ptr + offset;
+    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
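Review bot: Embedding the compound assignment `offset &= s->cirrus_addr_mask` inside the pointer arithmetic hides the fact that `offset` itself is modified, presumably because it is used again later in the function (the body continues outside the hunk); that should be two statements, `offset &= s->cirrus_addr_mask;` followed by `dst = s->vram_ptr + offset;`, here and in the identical change in the second mode4and5 hunk. The loop that follows writes through `dst` eight times, so `offset + 8` must also be inside VRAM; if `cirrus_addr_mask` guarantees that, a one-line comment saying so spares the next reader the same question.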
@@ -1884,7 +1914,7 @@ static void cirrus_mem_writeb_mode4and5_
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vram_ptr + offset;
+    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
diff -r 3341afbb1953 tools/ioemu/hw/cirrus_vga_rop.h
--- a/tools/ioemu/hw/cirrus_vga_rop.h	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/cirrus_vga_rop.h	Tue May 01 16:26:32 2007 +0300
@@ -31,6 +31,12 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(C
     int x,y;
     dstpitch -= bltwidth;
     srcpitch -= bltwidth;
+
+    if (dstpitch < 0 || srcpitch < 0) {
+        /* is 0 valid? srcpitch == 0 could be useful */
+        return;
+    }
+
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
             ROP_OP(*dst, *src);
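Review bot: The comment `/* is 0 valid? srcpitch == 0 could be useful */` leaves an open question in the code, while the condition already answers it: only a negative adjusted pitch is rejected and zero passes. Replace it with the invariant being enforced, e.g. `/* a pitch smaller than the blit width would make rows overlap; zero (repeat one row) is allowed */`. The guard is added to the forward rop only; if the backward variant in this header has the same row loop, it needs the same check (that function is outside the hunk).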
diff -r 3341afbb1953 tools/ioemu/hw/dma.c
--- a/tools/ioemu/hw/dma.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/dma.c	Tue May 01 16:26:32 2007 +0300
@@ -340,9 +340,11 @@ static void channel_run (int ncont, int 
 #endif
 
     r = dma_controllers[ncont].regs + ichan;
-    n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
-                             r->now[COUNT], (r->base[COUNT] + 1) << ncont);
-    r->now[COUNT] = n;
+    if (r->transfer_handler) {
+        n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+                                 r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+        r->now[COUNT] = n;
+    }
     ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
 }
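Review bot: With the handler call now conditional, the `ldebug` on the last line still prints `n`, which is only assigned inside the new `if`; when `transfer_handler` is NULL that reads an indeterminate value unless `n` is initialised at its declaration, which is outside the hunk. Either initialise it where it is declared or move the `ldebug` inside the braces. A channel that the guest starts with no device registered on it is a guest-controllable condition, so a comment would help: `/* no device owns this channel; ignore the transfer */`.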
 
diff -r 3341afbb1953 tools/ioemu/hw/fdc.c
--- a/tools/ioemu/hw/fdc.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/fdc.c	Tue May 01 16:26:32 2007 +0300
@@ -1110,8 +1110,13 @@ static uint32_t fdctrl_read_data (fdctrl
             len = fdctrl->data_len - fdctrl->data_pos;
             if (len > FD_SECTOR_LEN)
                 len = FD_SECTOR_LEN;
-            bdrv_read(cur_drv->bs, fd_sector(cur_drv),
-                      fdctrl->fifo, len);
+            if (cur_drv->bs) {
+                bdrv_read(cur_drv->bs, fd_sector(cur_drv),
+                          fdctrl->fifo, len);
+            } else {
+                FLOPPY_ERROR("can't read data from drive\n");
+                return 0;
+            }
         }
     }
     retval = fdctrl->fifo[pos];
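Review bot: Returning 0 from inside the read leaves `fdctrl->data_pos` and the FIFO state untouched, so a guest that keeps reading from a controller with no block device attached will, if this branch is reached on each such read, emit FLOPPY_ERROR every time; whether that floods the host log depends on what the macro expands to, which is outside the hunk. Worth confirming, and worth a comment on the `else`: `/* no media attached: nothing to read, leave the FIFO as is */`. The same change is repeated verbatim in the re-attached 3.1.0 patch.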
diff -r 3341afbb1953 tools/ioemu/hw/i8259.c
--- a/tools/ioemu/hw/i8259.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/i8259.c	Tue May 01 16:26:32 2007 +0300
@@ -292,9 +292,11 @@ static void pic_ioport_write(void *opaqu
             s->init_state = 1;
             s->init4 = val & 1;
             if (val & 0x02)
-                hw_error("single mode not supported");
+                /* hw_error("single mode not supported"); */
+                return;
             if (val & 0x08)
-                hw_error("level sensitive irq not supported");
+                /* hw_error("level sensitive irq not supported"); */
+                return;
         } else if (val & 0x08) {
             if (val & 0x04)
                 s->poll = 1;
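Review bot: The two new `return` statements fire after `s->init_state = 1` and `s->init4` have already been stored, so an ICW1 that requests single or level-sensitive mode now leaves the PIC part-way through initialisation with no diagnostic at all, where it previously aborted loudly. Keep a log line in place of the commented-out hw_error, e.g. `fprintf(stderr, "i8259: unsupported ICW1 mode %x ignored\n", val);`, so the condition stays observable, and brace both `if` bodies: a comment line between a braceless `if` and its statement is the classic goto-fail shape. The commented-out `hw_error` calls should be deleted rather than kept.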
diff -r 3341afbb1953 tools/ioemu/hw/ne2000.c
--- a/tools/ioemu/hw/ne2000.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/ne2000.c	Tue May 01 16:26:32 2007 +0300
@@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque,
 {
     NE2000State *s = opaque;
     uint8_t *p;
-    int total_len, next, avail, len, index, mcast_idx;
+    unsigned int total_len, next, avail, len, index, mcast_idx;
     uint8_t buf1[60];
     static const uint8_t broadcast_macaddr[6] = 
         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -327,7 +327,11 @@ static void ne2000_receive(void *opaque,
 
     /* write packet data */
     while (size > 0) {
-        avail = s->stop - index;
+        /* taviso: this can wrap, so check its okay. */
+        if (index <= s->stop)
+            avail = s->stop - index;
+        else
+            avail = 0;
         len = size;
         if (len > avail)
             len = avail;
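Review bot: When `index` has run past `s->stop`, `avail` is now 0, so `len` becomes 0 and `size` is not decremented; unless the rest of the loop body (outside the hunk) resets `index` or breaks on a zero-length copy, `while (size > 0)` never terminates and a single crafted frame wedges the emulator instead of corrupting memory. Break out explicitly for the out-of-range case, e.g. `if (index > s->stop) break;` before the copy, so the frame is dropped. The switch of the six locals to `unsigned int` in the earlier hunk makes `len = size; if (len > avail)` a mixed-sign comparison with the `size` parameter (presumably still an `int`); it is safe under the `size > 0` guard but deserves a comment. Both hunks reappear in the re-attached 3.1.0 patch.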
diff -r 3341afbb1953 tools/ioemu/hw/pc.c
--- a/tools/ioemu/hw/pc.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/pc.c	Tue May 01 16:26:32 2007 +0300
@@ -327,7 +327,8 @@ void bochs_bios_write(void *opaque, uint
     case 0x400:
     case 0x401:
         fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
-        exit(1);
+        /* according to documentation, these can be safely ignored */
+        break;
     case 0x402:
     case 0x403:
 #ifdef DEBUG_BIOS
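Review bot: The comment `/* according to documentation, these can be safely ignored */` does not say which documentation, so a reader cannot verify the claim that a BIOS panic report can be ignored; name the document or drop the comment. The same comment is added in the second hunk of this file. Because `exit(1)` here was reachable from guest-controlled port writes, the comment should also record that the choice between exiting and continuing is deliberate, whichever way the maintainers decide, so it is not silently flipped back.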
@@ -350,8 +351,9 @@ void bochs_bios_write(void *opaque, uint
         /* LGPL'ed VGA BIOS messages */
     case 0x501:
     case 0x502:
+        /* according to documentation, these can be safely ignored */
         fprintf(stderr, "VGA BIOS panic, line %d\n", val);
-        exit(1);
+        break;
     case 0x500:
     case 0x503:
 #ifdef DEBUG_BIOS
diff -r 3341afbb1953 tools/ioemu/hw/sb16.c
--- a/tools/ioemu/hw/sb16.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/hw/sb16.c	Tue May 01 16:26:32 2007 +0300
@@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in
             s->block_size);
 #endif
 
-    while (s->left_till_irq <= 0) {
-        s->left_till_irq = s->block_size + s->left_till_irq;
+    if (s->block_size) {
+        while (s->left_till_irq <= 0) {
+            s->left_till_irq = s->block_size + s->left_till_irq;
+        }
     }
 
     return dma_pos;
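Review bot: The new guard stops the `while` from spinning forever when `block_size` is 0, but if `block_size` is a signed field (its declaration is outside the hunk) a negative guest-programmed value still never makes `left_till_irq` positive and the loop hangs the emulator. Test `if (s->block_size > 0)` instead, or validate `block_size` where the guest sets it. A short comment explains the guard: `/* block_size is guest-programmed; 0 would loop forever */`.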
diff -r 3341afbb1953 tools/ioemu/target-i386/translate.c
--- a/tools/ioemu/target-i386/translate.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/target-i386/translate.c	Tue May 01 16:26:32 2007 +0300
@@ -5244,7 +5244,12 @@ static target_ulong disas_insn(DisasCont
         if (CODE64(s))
             goto illegal_op;
         val = ldub_code(s->pc++);
-        gen_op_aam(val);
+        /* taviso: operand can be zero */
+        if (val) {
+            gen_op_aam(val);
+        } else {
+            gen_exception(s, EXCP00_DIVZ, s->pc - s->cs_base);
+        }
         s->cc_op = CC_OP_LOGICB;
         break;
     case 0xd5: /* aad */
@@ -5292,6 +5297,7 @@ static target_ulong disas_insn(DisasCont
         gen_jmp_im(pc_start - s->cs_base);
         gen_op_into(s->pc - pc_start);
         break;
+#ifdef WANT_ICEBP
     case 0xf1: /* icebp (undocumented, exits to external debugger) */
 #if 1
         gen_debug(s, pc_start - s->cs_base);
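Review bot: `WANT_ICEBP` is not defined anywhere in this series, so the 0xf1 case is compiled out by default and the opcode presumably falls to the switch's default handling; a comment at the `#ifdef` should state that this is an opt-in debugging hook, e.g. `/* icebp: undocumented opcode that drops into the host debugger; opt-in only */`. The matching `#endif /* icebp */` is in the next hunk; naming the macro there (`#endif /* WANT_ICEBP */`) is the usual convention.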
@@ -5301,6 +5307,7 @@ static target_ulong disas_insn(DisasCont
         cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
 #endif
         break;
+#endif /* icebp */
     case 0xfa: /* cli */
         if (!s->vm86) {
             if (s->cpl <= s->iopl) {
diff -r 3341afbb1953 tools/ioemu/vl.c
--- a/tools/ioemu/vl.c	Thu Feb 15 11:34:58 2007 +0000
+++ b/tools/ioemu/vl.c	Tue May 01 16:26:32 2007 +0300
@@ -3239,8 +3239,8 @@ typedef struct NetSocketState {
     VLANClientState *vc;
     int fd;
     int state; /* 0 = getting length, 1 = getting data */
-    int index;
-    int packet_len;
+    unsigned int index;
+    unsigned int packet_len;
     uint8_t buf[4096];
     struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
 } NetSocketState;
@@ -3271,7 +3271,8 @@ static void net_socket_send(void *opaque
 static void net_socket_send(void *opaque)
 {
     NetSocketState *s = opaque;
-    int l, size, err;
+    int size, err;
+    unsigned l;
     uint8_t buf1[4096];
     const uint8_t *buf;
 
@@ -3310,7 +3311,15 @@ static void net_socket_send(void *opaque
             l = s->packet_len - s->index;
             if (l > size)
                 l = size;
-            memcpy(s->buf + s->index, buf, l);
+            if (s->index + l <= sizeof(s->buf)) {
+                memcpy(s->buf + s->index, buf, l);
+            } else {
+                fprintf(stderr, "serious error: oversized packet received,"
+                    "connection terminated.\n");
+                s->state = 0;
+                goto eoc;
+            }
+
             s->index += l;
             buf += l;
             size -= l;
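Review bot: The two string literals in the new `fprintf` concatenate to `"...oversized packet received,connection terminated.\n"` with no space after the comma; add the space to the first literal. The bound check itself is sound and, with `index` and `packet_len` now unsigned, `s->index + l` cannot go negative, but `packet_len` comes from the peer (state 0 is "getting length" per the struct comment) and is only rejected here, chunk by chunk, after it has been accepted; rejecting `packet_len > sizeof(s->buf)` at the point it is read would fail earlier and avoid the `goto eoc` path (label outside the hunk). `s->state = 0` is reset without resetting `s->index`; confirm the state-0 path re-initialises it.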

[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and  CVE-2007-1366
  2007-05-01 13:29 [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 S.Çağlar Onur
@ 2007-05-01 13:44 ` Keir Fraser
  2007-05-01 14:15   ` S.Çağlar Onur
  2007-05-01 18:14 ` Christian Limpach
  1 sibling, 1 reply; 11+ messages in thread
From: Keir Fraser @ 2007-05-01 13:44 UTC (permalink / raw)
  To: caglar, xen-devel

On 1/5/07 14:29, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:

> If anybody interested, attached patch (against 3.0.4) fixes CVE-2007-1320,
> CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 which affects
> qemu and also seems valid for xen.

Is the patch from upstream qemu? We have our own patches to fix these issues
in 3.0.5-rc, but we'd consider an alternative that keeps us closer to
upstream qemu (albeit a later qemu than we build against).

 -- Keir


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and  CVE-2007-1366
  2007-05-01 13:44 ` Keir Fraser
@ 2007-05-01 14:15   ` S.Çağlar Onur
  2007-05-01 14:44     ` Keir Fraser
  0 siblings, 1 reply; 11+ messages in thread
From: S.Çağlar Onur @ 2007-05-01 14:15 UTC (permalink / raw)
  To: Keir Fraser; +Cc: xen-devel


[-- Attachment #1.1: Type: text/plain, Size: 1113 bytes --]

01 May 2007 Sal tarihinde, Keir Fraser şunları yazmıştı: 
> On 1/5/07 14:29, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> > If anybody interested, attached patch (against 3.0.4) fixes
> > CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and
> > CVE-2007-1366 which affects qemu and also seems valid for xen.
>
> Is the patch from upstream qemu? We have our own patches to fix these
> issues in 3.0.5-rc, but we'd consider an alternative that keeps us closer
> to upstream qemu (albeit a later qemu than we build against).

I'm not sure whether these went upstream or not, but our security team grabbed this 
from Debian [1].

P.S: while i get your attention :) is it possible to push both 3.0.4 and 3.0.5 
CVEish patches into trees, we have 15 pending patch in our package which 
submitted to list and xen-bugzilla long before?

[1] 
http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1.diff.gz
-- 
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and  CVE-2007-1366
  2007-05-01 14:15   ` S.Çağlar Onur
@ 2007-05-01 14:44     ` Keir Fraser
  2007-05-01 18:56       ` S.Çağlar Onur
  0 siblings, 1 reply; 11+ messages in thread
From: Keir Fraser @ 2007-05-01 14:44 UTC (permalink / raw)
  To: caglar; +Cc: xen-devel

On 1/5/07 15:15, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:

> P.S: while i get your attention :) is it possible to push both 3.0.4 and 3.0.5
> CVEish patches into trees, we have 15 pending patch in our package which
> submitted to list and xen-bugzilla long before?

I don't believe I have any outstanding patches for 3.0.5. Please send any
that you think are critical. There's no plan to do a 3.0.4-2 in the
immediate future.

 -- Keir


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
  2007-05-01 13:29 [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 S.Çağlar Onur
  2007-05-01 13:44 ` Keir Fraser
@ 2007-05-01 18:14 ` Christian Limpach
  2007-05-01 19:21   ` S.Çağlar Onur
  2007-09-25 22:45   ` Robert Buchholz
  1 sibling, 2 replies; 11+ messages in thread
From: Christian Limpach @ 2007-05-01 18:14 UTC (permalink / raw)
  To: caglar; +Cc: xen-devel

[-- Attachment #1: Type: text/plain, Size: 1454 bytes --]

On 5/1/07, S.Çağlar Onur <caglar@pardus.org.tr> wrote:
> Hi;
>
> If anybody interested, attached patch (against 3.0.4) fixes CVE-2007-1320,
> CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 which affects
> qemu and also seems valid for xen.

I've seen this patch before and I picked the most relevant fixes,
cleaned them up and checked them in a while ago.  I left out the ones
which touch code we don't compile and the ones which touch code we
don't enable by default.  If somebody else cleans up those, it would
be great to get them checked in.

We have the first check to bdrv_write in block.c and we have the same
check in bdrv_read -- we don't have that unsigned int ns < 0 check.

We have a fix for the cirrus bitblit issue -- I think the fix in the
patch you post actually doesn't cover all cases.

We have the hw/dma.c null pointer check.

We don't have the hw/fdc.c null pointer check.  We should probably add that one.

We don't have the hw/i8259.c change since we don't use that file.

We don't have the hw/ne2000.c change since we use the rtl8139 driver
by default -- could add that one.

We don't have the hw/pc.c change since exit'ing seems safer.

We don't have the hw/sb16.c change since we don't have sound by
default -- we should probably add that one.

We don't have the target-i386/translate.c changes since we don't use that file.

We don't have the vl.c changes since we only use the network tap mode.

    christian

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and  CVE-2007-1366
  2007-05-01 14:44     ` Keir Fraser
@ 2007-05-01 18:56       ` S.Çağlar Onur
  2007-05-01 20:12         ` Keir Fraser
  2007-05-01 23:04         ` S.Çağlar Onur
  0 siblings, 2 replies; 11+ messages in thread
From: S.Çağlar Onur @ 2007-05-01 18:56 UTC (permalink / raw)
  To: Keir Fraser; +Cc: xen-devel


[-- Attachment #1.1: Type: text/plain, Size: 1739 bytes --]

01 May 2007 Sal tarihinde, Keir Fraser şunları yazmıştı: 
> On 1/5/07 15:15, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> > P.S: while i get your attention :) is it possible to push both 3.0.4 and
> > 3.0.5 CVEish patches into trees, we have 15 pending patch in our package
> > which submitted to list and xen-bugzilla long before?
>
> I don't believe I have any outstanding patches for 3.0.5. Please send any
> that you think are critical. There's no plan to do a 3.0.4-2 in the
> immediate future.

Hmm i think there are some :)

I have following patches on top of current 3.0.5-testing tree, this series 
contains all released CVE's from 2.6.18 to up until now (linus's current 
git), only CVE-2007-2242 ( IPV6: Disallow RH0 by default.) is missing...

[caglar@zangetsu][~/buildbox/xen/linux-2.6.18/patches]> quilt series
linux-2.6-xen.patch <-- "make mkpatches" of current tree
CVE-2005-4352.patch
CVE-2006-4814.patch
CVE-2006-5619.patch
CVE-2006-5749.patch
CVE-2006-5751.patch
CVE-2006-5753.patch
CVE-2006-5757-CVE-2006-6060.patch
CVE-2006-5823.patch
CVE-2006-6053.patch
CVE-2006-6054.patch
CVE-2006-6056.patch
CVE-2006-6106.patch
CVE-2006-6333.patch
CVE-2007-0005.patch
CVE-2007-0006.patch
CVE-2007-0772.patch
CVE-2007-0958.patch
CVE-2007-1000.patch
CVE-2007-1217.patch
CVE-2007-1388.patch
CVE-2007-1497.patch
CVE-2007-1592.patch
CVE-2007-1861.patch
CVE-2007-2172.patch

Instead of submitting all these patches to mailing list i just upload to [1]

[1] http://cekirdek.pardus.org.tr/~caglar/patches/

Cheers
-- 
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
  2007-05-01 18:14 ` Christian Limpach
@ 2007-05-01 19:21   ` S.Çağlar Onur
  2007-09-25 22:45   ` Robert Buchholz
  1 sibling, 0 replies; 11+ messages in thread
From: S.Çağlar Onur @ 2007-05-01 19:21 UTC (permalink / raw)
  To: xen-devel, Christian.Limpach


[-- Attachment #1.1: Type: text/plain, Size: 935 bytes --]

01 May 2007 Sal tarihinde, Christian Limpach şunları yazmıştı: 
> On 5/1/07, S.Çağlar Onur <caglar@pardus.org.tr> wrote:
> > Hi;
> >
> > If anybody interested, attached patch (against 3.0.4) fixes
> > CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and
> > CVE-2007-1366 which affects qemu and also seems valid for xen.
>
> I've seen this patch before and I picked the most relevant fixes,
> cleaned them up and checked them in a while ago.  I left out the ones
> which touch code we don't compile and the ones which touch code we
> don't enable by default.  If somebody else cleans up those, it would
> be great to get them checked in.

Great, is it possible to also inform the list for these kind of updates in 
future? 

Cheers
-- 
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and  CVE-2007-1366
  2007-05-01 18:56       ` S.Çağlar Onur
@ 2007-05-01 20:12         ` Keir Fraser
  2007-05-01 20:46           ` S.Çağlar Onur
  2007-05-01 23:04         ` S.Çağlar Onur
  1 sibling, 1 reply; 11+ messages in thread
From: Keir Fraser @ 2007-05-01 20:12 UTC (permalink / raw)
  To: caglar; +Cc: xen-devel

On 1/5/07 19:56, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:

> Hmm i think there are some :)
> 
> I have following patches on top of current 3.0.5-testing tree, this series
> contains all released CVE's from 2.6.18 to up until now (linus's current
> git), only CVE-2007-2242 ( IPV6: Disallow RH0 by default.) is missing...

Presumably we'd get most of these by upgrading to linux-2.6.18.8?

 -- Keir


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and  CVE-2007-1366
  2007-05-01 20:12         ` Keir Fraser
@ 2007-05-01 20:46           ` S.Çağlar Onur
  0 siblings, 0 replies; 11+ messages in thread
From: S.Çağlar Onur @ 2007-05-01 20:46 UTC (permalink / raw)
  To: Keir Fraser; +Cc: xen-devel


[-- Attachment #1.1: Type: text/plain, Size: 1824 bytes --]

01 May 2007 Sal tarihinde, Keir Fraser şunları yazmıştı: 
> On 1/5/07 19:56, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> > Hmm i think there are some :)
> >
> > I have following patches on top of current 3.0.5-testing tree, this
> > series contains all released CVE's from 2.6.18 to up until now (linus's
> > current git), only CVE-2007-2242 ( IPV6: Disallow RH0 by default.) is
> > missing...
>
> Presumably we'd get most of these by upgrading to linux-2.6.18.8?

8 of them are in 2.6.18.8 others are backported/applied etc,

CVE-2005-4352.patch <- solved with 2.6.18.3
CVE-2006-4814.patch <- solved with 2.6.18.8 
CVE-2006-5619.patch <- solved with 2.6.18.2
CVE-2006-5749.patch <- solved with 2.6.20-rc2
CVE-2006-5751.patch <- solved with 2.6.18.4
CVE-2006-5753.patch <- solved with 2.6.20-rc4
CVE-2006-5757-CVE-2006-6060.patch <- solved in 2.6.18.8
CVE-2006-5823.patch <- solved with 2.6.20-rc1
CVE-2006-6053.patch <- solved with 2.6.20-rc1
CVE-2006-6054.patch <- solved with 2.6.20-rc1
CVE-2006-6056.patch <- solved with 2.6.18.8 
CVE-2006-6106.patch <- solved with 2.6.18.6
CVE-2006-6333.patch <- solved with 2.6.20
CVE-2007-0005.patch <- solved with 2.6.21-rc3
CVE-2007-0006.patch <- solved with 2.6.21
CVE-2007-0772.patch <- solved with 2.6.18.7
CVE-2007-0958.patch <- solved with 2.6.20-rc7
CVE-2007-1000.patch <- solved with 2.6.21
CVE-2007-1217.patch <- solved with 2.6.20.1
CVE-2007-1388.patch <- solved with 2.6.21
CVE-2007-1497.patch <- solved with 2.6.21
CVE-2007-1592.patch <- solved with 2.6.21
CVE-2007-1861.patch <- solved with 2.6.21.1
CVE-2007-2172.patch <- solved with 2.6.20.6

Cheers
-- 
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and  CVE-2007-1366
  2007-05-01 18:56       ` S.Çağlar Onur
  2007-05-01 20:12         ` Keir Fraser
@ 2007-05-01 23:04         ` S.Çağlar Onur
  1 sibling, 0 replies; 11+ messages in thread
From: S.Çağlar Onur @ 2007-05-01 23:04 UTC (permalink / raw)
  To: xen-devel; +Cc: Keir Fraser


[-- Attachment #1.1: Type: text/plain, Size: 639 bytes --]

01 May 2007 Sal tarihinde, S.Çağlar Onur şunları yazmıştı: 
> I have following patches on top of current 3.0.5-testing tree, this series
> contains all released CVE's from 2.6.18 to up until now (linus's current
> git), only CVE-2007-2242 ( IPV6: Disallow RH0 by default.) is missing...

Just added CVE-2007-2242.patch and also full-tarball [1] in case of anybody 
wants to review/use etc.

[1] http://cekirdek.pardus.org.tr/~caglar/patches/patches.tar.gz
-- 
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel


* Re: [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
  2007-05-01 18:14 ` Christian Limpach
  2007-05-01 19:21   ` S.Çağlar Onur
@ 2007-09-25 22:45   ` Robert Buchholz
  1 sibling, 0 replies; 11+ messages in thread
From: Robert Buchholz @ 2007-09-25 22:45 UTC (permalink / raw)
  To: xen-devel, Christian.Limpach; +Cc: caglar


[-- Attachment #1.1.1: Type: text/plain, Size: 1828 bytes --]

On Tuesday, 1. May 2007, Christian Limpach wrote:
> On 5/1/07, S.Çağlar Onur <caglar@pardus.org.tr> wrote:
> > Hi;
> >
> > If anybody interested, attached patch (against 3.0.4) fixes
> > CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and
> > CVE-2007-1366 which affects qemu and also seems valid for xen.
>
> I've seen this patch before and I picked the most relevant fixes,
> cleaned them up and checked them in a while ago.  I left out the ones
> which touch code we don't compile and the ones which touch code we
> don't enable by default.  If somebody else cleans up those, it would
> be great to get them checked in.
>
> We have the first check to bdrv_write in block.c and we have the same
> check in bdrv_read -- we don't have that unsigned int ns < 0 check.
>
> We have a fix for the cirrus bitblit issue -- I think the fix in the
> patch you post actually doesn't cover all cases.
>
> We have the hw/dma.c null pointer check.
>
> We don't have the hw/fdc.c null pointer check.  We should probably
> add that one.
>
> We don't have the hw/i8259.c change since we don't use that file.
>
> We don't have the hw/ne2000.c change since we use the rtl8139 driver
> by default -- could add that one.
>
> We don't have the hw/pc.c change since exit'ing seems safer.
>
> We don't have the hw/sb16.c change since we don't have sound by
> default -- we should probably add that one.
>
> We don't have the target-i386/translate.c changes since we don't use
> that file.
>
> We don't have the vl.c changes since we only use the network tap
> mode.

How much cleaning would the remaining fixes need? I've re-attached the 
patch proposed by S.Çağlar Onur, with those issues fixed in 3.1.0 
removed and only including those you marked "should/could add".

Regards,
Robert

[-- Attachment #1.1.2: ioemu.patch --]
[-- Type: text/x-diff, Size: 2959 bytes --]

Index: xen-3.1.0-src/tools/ioemu/block.c
===================================================================
--- xen-3.1.0-src.orig/tools/ioemu/block.c
+++ xen-3.1.0-src/tools/ioemu/block.c
@@ -465,6 +465,11 @@ int bdrv_write(BlockDriverState *bs, int
     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
         memcpy(bs->boot_sector_data, buf, 512);   
     }
+    {
+        unsigned int ns = sector_num * 512;
+        if (ns < 0)
+            return -1;
+    }
     return bs->drv->bdrv_write(bs, sector_num, buf, nb_sectors);
 }
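Review bot: The added `if (ns < 0)` can never be true, because `ns` is `unsigned int`; the comparison is always false (compilers flag it under `-Wtype-limits`), so the new block rejects nothing and only adds dead code. The multiply is also narrowed into a 32-bit unsigned before the test, so even a signed comparison here would not catch the offset overflow it appears to target; if such a check is wanted it belongs on the signed inputs before any arithmetic, e.g. `if (sector_num < 0 || nb_sectors < 0) return -1;`, and the earlier reply in this thread indicates the `sector_num < 0` part is already in the tree. Otherwise the block should simply be dropped. bdrv_write's signature and its earlier checks are outside the hunk.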
 
Index: xen-3.1.0-src/tools/ioemu/hw/fdc.c
===================================================================
--- xen-3.1.0-src.orig/tools/ioemu/hw/fdc.c
+++ xen-3.1.0-src/tools/ioemu/hw/fdc.c
@@ -1110,8 +1110,13 @@ static uint32_t fdctrl_read_data (fdctrl
             len = fdctrl->data_len - fdctrl->data_pos;
             if (len > FD_SECTOR_LEN)
                 len = FD_SECTOR_LEN;
-            bdrv_read(cur_drv->bs, fd_sector(cur_drv),
-                      fdctrl->fifo, len);
+            if (cur_drv->bs) {
+                bdrv_read(cur_drv->bs, fd_sector(cur_drv),
+                          fdctrl->fifo, len);
+            } else {
+                FLOPPY_ERROR("can't read data from drive\n");
+                return 0;
+            }
         }
     }
     retval = fdctrl->fifo[pos];
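Review bot: The new `else` branch returns 0 from the middle of the FIFO refill without changing `fdctrl->data_pos` or the controller state, so the next data read re-enters the same path; whether that is the intended behaviour depends on code outside the hunk, and a comment such as `/* no medium attached: leave FIFO state untouched, report 0 */` would make the choice explicit. The guard covers only this `bdrv_read`; if the write side of this file (presumably fdctrl_write_data) issues the same call on `cur_drv->bs` without a check, it needs the equivalent guard. fdctrl_read_data begins and ends outside the hunk.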
Index: xen-3.1.0-src/tools/ioemu/hw/ne2000.c
===================================================================
--- xen-3.1.0-src.orig/tools/ioemu/hw/ne2000.c
+++ xen-3.1.0-src/tools/ioemu/hw/ne2000.c
@@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque,
 {
     NE2000State *s = opaque;
     uint8_t *p;
-    int total_len, next, avail, len, index, mcast_idx;
+    unsigned int total_len, next, avail, len, index, mcast_idx;
     uint8_t buf1[60];
     static const uint8_t broadcast_macaddr[6] = 
         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -327,7 +327,11 @@ static void ne2000_receive(void *opaque,
 
     /* write packet data */
     while (size > 0) {
-        avail = s->stop - index;
+        /* taviso: this can wrap, so check its okay. */
+        if (index <= s->stop)
+            avail = s->stop - index;
+        else
+            avail = 0;
         len = size;
         if (len > avail)
             len = avail;
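Review bot: When `index > s->stop` the new code sets `avail = 0`, which makes `len = 0` on the following lines; if the rest of the loop body (outside the hunk) only advances `index`, `buf` and `size` by `len`, nothing changes between iterations and `while (size > 0)` never terminates, turning an out-of-bounds write into a hang of the emulator. The wrapped-pointer case should leave the loop instead of clamping, e.g. `else { break; }` in place of `else avail = 0;`, or equivalently `if (index > s->stop) break;` before the `avail` computation, so the rest of the packet is dropped. The first hunk in this file also changes these locals to `unsigned int` while `size` (whose declaration is outside the hunk) appears to stay signed; the `len = size` assignment is safe only because of the `size > 0` loop condition, and that dependency deserves a comment.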
Index: xen-3.1.0-src/tools/ioemu/hw/sb16.c
===================================================================
--- xen-3.1.0-src.orig/tools/ioemu/hw/sb16.c
+++ xen-3.1.0-src/tools/ioemu/hw/sb16.c
@@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in
             s->block_size);
 #endif
 
-    while (s->left_till_irq <= 0) {
-        s->left_till_irq = s->block_size + s->left_till_irq;
+    if (s->block_size) {
+        while (s->left_till_irq <= 0) {
+            s->left_till_irq = s->block_size + s->left_till_irq;
+        }
     }
 
     return dma_pos;
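Review bot: The new `if (s->block_size)` guards only the zero case; if `block_size` is a signed field (it is assigned from guest-controlled DMA setup elsewhere in this file, outside the hunk), a negative value still never makes `left_till_irq` positive and the `while` spins forever. Testing the sign instead of non-zero covers both, and the extra nesting can be folded into the loop condition: `while (s->block_size > 0 && s->left_till_irq <= 0) { s->left_till_irq = s->block_size + s->left_till_irq; }`. SB_read_DMA begins outside the hunk.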

[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
