* [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
@ 2016-04-28 18:23 Armin Kuster
2016-04-28 18:23 ` [master][krogoth][PATCH 2/2] qemu: Security fix CVE-2016-2858 Armin Kuster
2016-05-04 9:52 ` [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857 Joshua G Lock
0 siblings, 2 replies; 10+ messages in thread
From: Armin Kuster @ 2016-04-28 18:23 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../recipes-devtools/qemu/qemu/CVE-2016-2857.patch | 51 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 +
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-2857.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2857.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2857.patch
new file mode 100644
index 0000000..73cfa2a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2857.patch
@@ -0,0 +1,51 @@
+From 362786f14a753d8a5256ef97d7c10ed576d6572b Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 2 Mar 2016 17:29:58 +0530
+Subject: [PATCH] net: check packet payload length
+
+While computing IP checksum, 'net_checksum_calculate' reads
+payload length from the packet. It could exceed the given 'data'
+buffer size. Add a check to avoid it.
+
+Reported-by: Liu Ling <liuling-it@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2857
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=362786f14a753d8a5256ef97d7c10ed576d6572b
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ net/checksum.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+Index: qemu-2.5.0/net/checksum.c
+===================================================================
+--- qemu-2.5.0.orig/net/checksum.c
++++ qemu-2.5.0/net/checksum.c
+@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *dat
+ int hlen, plen, proto, csum_offset;
+ uint16_t csum;
+
++ /* Ensure data has complete L2 & L3 headers. */
++ if (length < 14 + 20) {
++ return;
++ }
++
+ if ((data[14] & 0xf0) != 0x40)
+ return; /* not IPv4 */
+ hlen = (data[14] & 0x0f) * 4;
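Review bot: the new `length < 14 + 20` guard makes `data[14]` and the minimal IPv4 header safe to read, but `hlen = (data[14] & 0x0f) * 4` is still taken from the packet unchecked, so an IHL below 5 yields an `hlen` smaller than the 20-byte header the guard just assumed, and every later offset is computed from `14 + hlen`. A `if (hlen < 20) return;` directly after the assignment would make the guard's assumption explicit rather than relying on the second hunk's bound alone.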
+@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *dat
+ return;
+ }
+
+- if (plen < csum_offset+2)
+- return;
++ if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
++ return;
++ }
+
+ data[14+hlen+csum_offset] = 0;
+ data[14+hlen+csum_offset+1] = 0;
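Review bot: the combined condition is sufficient for the two stores that follow it: `plen >= csum_offset + 2` and `14 + hlen + plen <= length` together bound `data[14+hlen+csum_offset+1]` by `length - 1`, and a negative `plen` (the context above declares it `int`) is rejected by the first clause. Since the whole fix hinges on `length` being the real size of `data`, and the truncated hunk header `void net_checksum_calculate(uint8_t *dat` hides the parameter, quoting the full prototype in the patch description would let reviewers confirm that every caller passes the buffer length rather than a header-derived value.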
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index e9d9a8d..7622386 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -11,6 +11,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://CVE-2016-2197.patch \
file://CVE-2016-2198.patch \
file://pathlimit.patch \
+ file://CVE-2016-2857.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
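Review bot: the recipe hunk is the standard one-line SRC_URI addition, but the mail's own commit message is empty apart from the Signed-off-by; a short body naming the upstream commit (362786f14a753d8a5256ef97d7c10ed576d6572b) and the function it hardens (`net_checksum_calculate`) would let reviewers cross-check the backport without opening the patch file.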
--
2.3.5
* [master][krogoth][PATCH 2/2] qemu: Security fix CVE-2016-2858
2016-04-28 18:23 [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857 Armin Kuster
@ 2016-04-28 18:23 ` Armin Kuster
2016-05-04 9:52 ` [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857 Joshua G Lock
1 sibling, 0 replies; 10+ messages in thread
From: Armin Kuster @ 2016-04-28 18:23 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../recipes-devtools/qemu/qemu/CVE-2016-2858.patch | 183 +++++++++++++++++++++
...ng_move_request_from_RngEgd_to_RngBackend.patch | 138 ++++++++++++++++
...t_queue_cleanup_from_RngEgd_to_RngBackend.patch | 150 +++++++++++++++++
...move_the_unused_request_cancellation_code.patch | 101 ++++++++++++
meta/recipes-devtools/qemu/qemu_2.5.0.bb | 4 +
5 files changed, 576 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
new file mode 100644
index 0000000..d5395e6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
@@ -0,0 +1,183 @@
+From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:18 +0100
+Subject: [PATCH] rng: add request queue support to rng-random
+
+Requests are now created in the RngBackend parent class and the
+code path is shared by both rng-egd and rng-random.
+
+This commit fixes the rng-random implementation which processed
+only one request at a time and simply discarded all but the most
+recent one. In the guest this manifested as delayed completion
+of reads from virtio-rng, i.e. a read was completed only after
+another read was issued.
+
+By switching rng-random to use the same request queue as rng-egd,
+the unsafe stack-based allocation of the entropy buffer is
+eliminated and replaced with g_malloc.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-2858
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ backends/rng-egd.c | 16 ++--------------
+ backends/rng-random.c | 43 +++++++++++++++++++------------------------
+ backends/rng.c | 13 ++++++++++++-
+ include/sysemu/rng.h | 3 +--
+ 4 files changed, 34 insertions(+), 41 deletions(-)
+
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
++++ qemu-2.5.0/backends/rng-egd.c
+@@ -26,20 +26,10 @@ typedef struct RngEgd
+ char *chr_name;
+ } RngEgd;
+
+-static void rng_egd_request_entropy(RngBackend *b, size_t size,
+- EntropyReceiveFunc *receive_entropy,
+- void *opaque)
++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
+ {
+ RngEgd *s = RNG_EGD(b);
+- RngRequest *req;
+-
+- req = g_malloc(sizeof(*req));
+-
+- req->offset = 0;
+- req->size = size;
+- req->receive_entropy = receive_entropy;
+- req->opaque = opaque;
+- req->data = g_malloc(req->size);
++ size_t size = req->size;
+
+ while (size > 0) {
+ uint8_t header[2];
+@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngB
+
+ size -= len;
+ }
+-
+- s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+ static int rng_egd_chr_can_read(void *opaque)
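Review bot: dropping the `g_slist_append` here is only correct because the parent class now appends in `rng_backend_request_entropy` after `request_entropy` returns; for rng-egd that holds since completion arrives later via the chardev read callback, but a comment above the `while (size > 0)` loop noting that the request is not yet on `s->parent.requests` while this function runs would save the next reader from re-deriving it.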
+Index: qemu-2.5.0/backends/rng-random.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-random.c
++++ qemu-2.5.0/backends/rng-random.c
+@@ -21,10 +21,6 @@ struct RndRandom
+
+ int fd;
+ char *filename;
+-
+- EntropyReceiveFunc *receive_func;
+- void *opaque;
+- size_t size;
+ };
+
+ /**
+@@ -37,36 +33,35 @@ struct RndRandom
+ static void entropy_available(void *opaque)
+ {
+ RndRandom *s = RNG_RANDOM(opaque);
+- uint8_t buffer[s->size];
+- ssize_t len;
+
+- len = read(s->fd, buffer, s->size);
+- if (len < 0 && errno == EAGAIN) {
+- return;
+- }
+- g_assert(len != -1);
++ while (s->parent.requests != NULL) {
++ RngRequest *req = s->parent.requests->data;
++ ssize_t len;
++
++ len = read(s->fd, req->data, req->size);
++ if (len < 0 && errno == EAGAIN) {
++ return;
++ }
++ g_assert(len != -1);
++
++ req->receive_entropy(req->opaque, req->data, len);
+
+- s->receive_func(s->opaque, buffer, len);
+- s->receive_func = NULL;
++ rng_backend_finalize_request(&s->parent, req);
++ }
+
++ /* We've drained all requests, the fd handler can be reset. */
+ qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
+ }
+
+-static void rng_random_request_entropy(RngBackend *b, size_t size,
+- EntropyReceiveFunc *receive_entropy,
+- void *opaque)
++static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
+ {
+ RndRandom *s = RNG_RANDOM(b);
+
+- if (s->receive_func) {
+- s->receive_func(s->opaque, NULL, 0);
++ if (s->parent.requests == NULL) {
++ /* If there are no pending requests yet, we need to
++ * install our fd handler. */
++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+-
+- s->receive_func = receive_entropy;
+- s->opaque = opaque;
+- s->size = size;
+-
+- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+
+ static void rng_random_opened(RngBackend *b, Error **errp)
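Review bot: in the new `entropy_available` loop each request is completed with whatever `read()` returned, so a short read hands the receiver fewer than `req->size` bytes and the request is finalized anyway; `RngRequest` carries an `offset` field that rng-egd uses to accumulate partial data, and it stays unused here. Either accumulate into `req->data + req->offset` until `offset == size`, or add a comment stating that short completions are intentional for rng-random. The EAGAIN path is right: it returns without clearing the fd handler, which is only reset once the queue is drained.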
+Index: qemu-2.5.0/backends/rng.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng.c
++++ qemu-2.5.0/backends/rng.c
+@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBack
+ void *opaque)
+ {
+ RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
++ RngRequest *req;
+
+ if (k->request_entropy) {
+- k->request_entropy(s, size, receive_entropy, opaque);
++ req = g_malloc(sizeof(*req));
++
++ req->offset = 0;
++ req->size = size;
++ req->receive_entropy = receive_entropy;
++ req->opaque = opaque;
++ req->data = g_malloc(req->size);
++
++ k->request_entropy(s, req);
++
++ s->requests = g_slist_append(s->requests, req);
+ }
+ }
+
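Review bot: `s->requests = g_slist_append(s->requests, req)` runs after `k->request_entropy(s, req)`, so a backend must never complete the request synchronously inside `request_entropy`: `rng_backend_finalize_request` would `g_slist_remove` a request that is not on the list yet and free it, and the append would then enqueue a dangling pointer. Both backends in this series defer completion to a callback, and rng-random's `s->parent.requests == NULL` test relies on the new request not being queued yet, so appending before the call is not a drop-in alternative; a comment documenting this ordering contract is worth adding.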
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
++++ qemu-2.5.0/include/sysemu/rng.h
+@@ -46,8 +46,7 @@ struct RngBackendClass
+ {
+ ObjectClass parent_class;
+
+- void (*request_entropy)(RngBackend *s, size_t size,
+- EntropyReceiveFunc *receive_entropy, void *opaque);
++ void (*request_entropy)(RngBackend *s, RngRequest *req);
+
+ void (*opened)(RngBackend *s, Error **errp);
+ };
diff --git a/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch b/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
new file mode 100644
index 0000000..01928f9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
@@ -0,0 +1,138 @@
+From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:16 +0100
+Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
+
+The 'requests' field now lives in the RngBackend parent class.
+There are no functional changes in this commit.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+
+Upstream-Status: Backport
+in support of CVE-2016-2858
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ backends/rng-egd.c | 28 +++++++++-------------------
+ include/sysemu/rng.h | 11 +++++++++++
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
++++ qemu-2.5.0/backends/rng-egd.c
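Review bot: this patch header carries `Upstream-Status: Backport` and `in support of CVE-2016-2858` but, unlike CVE-2016-2857.patch and CVE-2016-2858.patch, no upstream commit URL; the `From 74074e8a7c60592cf1cc6469dbc2550d24aeded3` line gives the hash, so adding the matching http://git.qemu.org commit link keeps the three supporting patches consistent and easier to audit. The same applies to the two supporting patches that follow.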
+@@ -24,19 +24,8 @@ typedef struct RngEgd
+
+ CharDriverState *chr;
+ char *chr_name;
+-
+- GSList *requests;
+ } RngEgd;
+
+-typedef struct RngRequest
+-{
+- EntropyReceiveFunc *receive_entropy;
+- uint8_t *data;
+- void *opaque;
+- size_t offset;
+- size_t size;
+-} RngRequest;
+-
+ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+ EntropyReceiveFunc *receive_entropy,
+ void *opaque)
+@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngB
+ size -= len;
+ }
+
+- s->requests = g_slist_append(s->requests, req);
++ s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+ static void rng_egd_free_request(RngRequest *req)
+@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *op
+ GSList *i;
+ int size = 0;
+
+- for (i = s->requests; i; i = i->next) {
++ for (i = s->parent.requests; i; i = i->next) {
+ RngRequest *req = i->data;
+ size += req->size - req->offset;
+ }
+@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaqu
+ RngEgd *s = RNG_EGD(opaque);
+ size_t buf_offset = 0;
+
+- while (size > 0 && s->requests) {
+- RngRequest *req = s->requests->data;
++ while (size > 0 && s->parent.requests) {
++ RngRequest *req = s->parent.requests->data;
+ int len = MIN(size, req->size - req->offset);
+
+ memcpy(req->data + req->offset, buf + buf_offset, len);
+@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaqu
+ size -= len;
+
+ if (req->offset == req->size) {
+- s->requests = g_slist_remove_link(s->requests, s->requests);
++ s->parent.requests = g_slist_remove_link(s->parent.requests,
++ s->parent.requests);
+
+ req->receive_entropy(req->opaque, req->data, req->size);
+
+@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd
+ {
+ GSList *i;
+
+- for (i = s->requests; i; i = i->next) {
++ for (i = s->parent.requests; i; i = i->next) {
+ rng_egd_free_request(i->data);
+ }
+
+- g_slist_free(s->requests);
+- s->requests = NULL;
++ g_slist_free(s->parent.requests);
++ s->parent.requests = NULL;
+ }
+
+ static void rng_egd_cancel_requests(RngBackend *b)
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
++++ qemu-2.5.0/include/sysemu/rng.h
+@@ -25,6 +25,7 @@
+ #define RNG_BACKEND_CLASS(klass) \
+ OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
+
++typedef struct RngRequest RngRequest;
+ typedef struct RngBackendClass RngBackendClass;
+ typedef struct RngBackend RngBackend;
+
+@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *
+ const void *data,
+ size_t size);
+
++struct RngRequest
++{
++ EntropyReceiveFunc *receive_entropy;
++ uint8_t *data;
++ void *opaque;
++ size_t offset;
++ size_t size;
++};
++
+ struct RngBackendClass
+ {
+ ObjectClass parent_class;
+@@ -49,6 +59,7 @@ struct RngBackend
+
+ /*< protected >*/
+ bool opened;
++ GSList *requests;
+ };
+
+ /**
diff --git a/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch b/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch
new file mode 100644
index 0000000..afe8bf6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch
@@ -0,0 +1,150 @@
+From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:17 +0100
+Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
+
+RngBackend is now in charge of cleaning up the linked list on
+instance finalization. It also exposes a function to finalize
+individual RngRequest instances, called by its child classes.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+
+Upstream-Status: Backport
+in support of CVE-2016-2858
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ backends/rng-egd.c | 25 +------------------------
+ backends/rng.c | 32 ++++++++++++++++++++++++++++++++
+ include/sysemu/rng.h | 12 ++++++++++++
+ 3 files changed, 45 insertions(+), 24 deletions(-)
+
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
++++ qemu-2.5.0/backends/rng-egd.c
+@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngB
+ s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+-static void rng_egd_free_request(RngRequest *req)
+-{
+- g_free(req->data);
+- g_free(req);
+-}
+-
+ static int rng_egd_chr_can_read(void *opaque)
+ {
+ RngEgd *s = RNG_EGD(opaque);
+@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaqu
+ size -= len;
+
+ if (req->offset == req->size) {
+- s->parent.requests = g_slist_remove_link(s->parent.requests,
+- s->parent.requests);
+
+ req->receive_entropy(req->opaque, req->data, req->size);
+-
+- rng_egd_free_request(req);
++ rng_backend_finalize_request(&s->parent, req);
+ }
+ }
+ }
+
+-static void rng_egd_free_requests(RngEgd *s)
+-{
+- GSList *i;
+-
+- for (i = s->parent.requests; i; i = i->next) {
+- rng_egd_free_request(i->data);
+- }
+-
+- g_slist_free(s->parent.requests);
+- s->parent.requests = NULL;
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+ RngEgd *s = RNG_EGD(b);
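Review bot: the order inside `if (req->offset == req->size)` changes: previously the request was unlinked from `s->parent.requests` before `receive_entropy` ran, now it stays queued until `rng_backend_finalize_request` is called after the callback. If the receiver re-enters the backend from the callback (for instance by requesting more entropy), it observes an already-completed request at the head of the list; unlinking first, or a comment explaining why the callback cannot observe the queue, would preserve the old invariant.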
+@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj
+ }
+
+ g_free(s->chr_name);
+-
+- rng_egd_free_requests(s);
+ }
+
+ static void rng_egd_class_init(ObjectClass *klass, void *data)
+Index: qemu-2.5.0/backends/rng.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng.c
++++ qemu-2.5.0/backends/rng.c
+@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(
+ s->opened = true;
+ }
+
++static void rng_backend_free_request(RngRequest *req)
++{
++ g_free(req->data);
++ g_free(req);
++}
++
++static void rng_backend_free_requests(RngBackend *s)
++{
++ GSList *i;
++
++ for (i = s->requests; i; i = i->next) {
++ rng_backend_free_request(i->data);
++ }
++
++ g_slist_free(s->requests);
++ s->requests = NULL;
++}
++
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
++{
++ s->requests = g_slist_remove(s->requests, req);
++ rng_backend_free_request(req);
++}
++
+ static void rng_backend_init(Object *obj)
+ {
+ object_property_add_bool(obj, "opened",
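Review bot: `rng_backend_finalize_request` removes by value with `g_slist_remove`, which searches from the head, whereas the old rng-egd code used `g_slist_remove_link` on the head node it already held. Both callers in this series finalize the head request, so the search stops immediately today; if that is the intended contract, an assertion that `req == s->requests->data` (or a comment) would document it, otherwise the by-value removal is the right general choice.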
+@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj
+ NULL);
+ }
+
++static void rng_backend_finalize(Object *obj)
++{
++ RngBackend *s = RNG_BACKEND(obj);
++
++ rng_backend_free_requests(s);
++}
++
+ static void rng_backend_class_init(ObjectClass *oc, void *data)
+ {
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info =
+ .parent = TYPE_OBJECT,
+ .instance_size = sizeof(RngBackend),
+ .instance_init = rng_backend_init,
++ .instance_finalize = rng_backend_finalize,
+ .class_size = sizeof(RngBackendClass),
+ .class_init = rng_backend_class_init,
+ .abstract = true,
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
++++ qemu-2.5.0/include/sysemu/rng.h
+@@ -61,6 +61,7 @@ struct RngBackend
+ GSList *requests;
+ };
+
++
+ /**
+ * rng_backend_request_entropy:
+ * @s: the backend to request entropy from
diff --git a/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch b/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch
new file mode 100644
index 0000000..51296bc
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch
@@ -0,0 +1,101 @@
+From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:15 +0100
+Subject: [PATCH] rng: remove the unused request cancellation code
+
+rng_backend_cancel_requests had no callers and none of the code
+deleted in this commit ever ran.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+
+Upstream-Status: Backport
+in support of CVE-2016-2858
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ backends/rng-egd.c | 12 ------------
+ backends/rng.c | 9 ---------
+ include/sysemu/rng.h | 11 -----------
+ 3 files changed, 32 deletions(-)
+
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
++++ qemu-2.5.0/backends/rng-egd.c
+@@ -114,17 +114,6 @@ static void rng_egd_free_requests(RngEgd
+ s->parent.requests = NULL;
+ }
+
+-static void rng_egd_cancel_requests(RngBackend *b)
+-{
+- RngEgd *s = RNG_EGD(b);
+-
+- /* We simply delete the list of pending requests. If there is data in the
+- * queue waiting to be read, this is okay, because there will always be
+- * more data than we requested originally
+- */
+- rng_egd_free_requests(s);
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+ RngEgd *s = RNG_EGD(b);
+@@ -202,7 +191,6 @@ static void rng_egd_class_init(ObjectCla
+ RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
+
+ rbc->request_entropy = rng_egd_request_entropy;
+- rbc->cancel_requests = rng_egd_cancel_requests;
+ rbc->opened = rng_egd_opened;
+ }
+
+Index: qemu-2.5.0/backends/rng.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng.c
++++ qemu-2.5.0/backends/rng.c
+@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBack
+ }
+ }
+
+-void rng_backend_cancel_requests(RngBackend *s)
+-{
+- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
+-
+- if (k->cancel_requests) {
+- k->cancel_requests(s);
+- }
+-}
+-
+ static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
+ {
+ RngBackend *s = RNG_BACKEND(obj);
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
++++ qemu-2.5.0/include/sysemu/rng.h
+@@ -48,7 +48,6 @@ struct RngBackendClass
+
+ void (*request_entropy)(RngBackend *s, size_t size,
+ EntropyReceiveFunc *receive_entropy, void *opaque);
+- void (*cancel_requests)(RngBackend *s);
+
+ void (*opened)(RngBackend *s, Error **errp);
+ };
+@@ -80,14 +79,4 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ EntropyReceiveFunc *receive_entropy,
+ void *opaque);
+-
+-/**
+- * rng_backend_cancel_requests:
+- * @s: the backend to cancel all pending requests in
+- *
+- * Cancels all pending requests submitted by @rng_backend_request_entropy. This
+- * should be used by a device during reset or in preparation for live migration
+- * to stop tracking any request.
+- */
+-void rng_backend_cancel_requests(RngBackend *s);
+ #endif
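Review bot: deleting the blank `-` line before the removed doc block leaves `void *opaque);` directly followed by `#endif` with no separating empty line; keep one blank line there. Removing the public `rng_backend_cancel_requests` declaration is otherwise consistent with the commit message's statement that it had no callers.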
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 7622386..03a6cbe 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -12,6 +12,10 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://CVE-2016-2198.patch \
file://pathlimit.patch \
file://CVE-2016-2857.patch \
+ file://rng_move_request_from_RngEgd_to_RngBackend.patch \
+ file://rng_remove_the_unused_request_cancellation_code.patch \
+ file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
+ file://CVE-2016-2858.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
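Review bot: the four patches are listed in an order that differs from the upstream series (by Message-Id: remove_the_unused_request_cancellation_code is -2-, move_request_from_RngEgd_to_RngBackend is -3-, move_request_queue_cleanup is -4-, CVE-2016-2858 is -5-), with the cancellation patch applied second instead of first. The hunks show the patches were regenerated for this order (the cancellation patch's context already reads `s->parent.requests`), so the series applies, but a line in the commit message saying the patches were reordered and rebased would stop a reviewer from flagging it as a mistake.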
--
2.3.5
* Re: [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
2016-04-28 18:23 [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857 Armin Kuster
2016-04-28 18:23 ` [master][krogoth][PATCH 2/2] qemu: Security fix CVE-2016-2858 Armin Kuster
@ 2016-05-04 9:52 ` Joshua G Lock
2016-05-04 9:58 ` Alexander Kanavin
` (2 more replies)
1 sibling, 3 replies; 10+ messages in thread
From: Joshua G Lock @ 2016-05-04 9:52 UTC (permalink / raw)
To: Armin Kuster, openembedded-core; +Cc: Armin Kuster
Hi Armin,
On Thu, 2016-04-28 at 11:23 -0700, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
I've been seeing:
"qemu: uncaught target signal 11 (Segmentation fault) - core dumped"
when trying to build gobject-introspection for qemux86 recently, and
narrowed it down to this change; if I revert this patch, the use of
qemu-native by gobject-introspection no longer causes a segmentation
fault.
Are we missing some related patches for this CVE fix? I haven't dug
into the details, but noticed that Fedora's CVE-2016-2857 diffstat[1]
is much larger than ours[2].
Regards,
Joshua
1. http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/commit/?id=54cb1301c61f0be7b96e343902bb09be081b34fe
2. http://git.openembedded.org/openembedded-core/commit/?id=d1b972a55c59a3f3336b3ebd309532dc204ea97b
* Re: [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
2016-05-04 9:52 ` [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857 Joshua G Lock
@ 2016-05-04 9:58 ` Alexander Kanavin
2016-05-04 10:49 ` Joshua G Lock
[not found] ` <572A0450.10100@mvista.com>
2 siblings, 0 replies; 10+ messages in thread
From: Alexander Kanavin @ 2016-05-04 9:58 UTC (permalink / raw)
To: openembedded-core
On 05/04/2016 12:52 PM, Joshua G Lock wrote:
> I've been seeing:
>
> "qemu: uncaught target signal 11 (Segmentation fault) - core dumped"
>
> when trying to build gobject-introspection for qemux86 recently and
> narrowed it down to this change, if I revert this patch the use of
> qemu-native by gobject-introspection no longer causes a segmentation
> fault.
>
> Are we missing some related patches for this CVE fix? I haven't dug
> into the details, but noticed that Fedora's CVE-2016-2857 diffstat[1]
> is much larger than ours[2].
Also this patch is included in the qemu 2.5.1 release that happened several
weeks ago, so maybe we should update master to that instead.
Also 2.6.0 will appear any day now.
Alex
* Re: [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
2016-05-04 9:52 ` [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857 Joshua G Lock
2016-05-04 9:58 ` Alexander Kanavin
@ 2016-05-04 10:49 ` Joshua G Lock
[not found] ` <572A0450.10100@mvista.com>
2 siblings, 0 replies; 10+ messages in thread
From: Joshua G Lock @ 2016-05-04 10:49 UTC (permalink / raw)
To: Armin Kuster, openembedded-core; +Cc: Armin Kuster
On Wed, 2016-05-04 at 10:52 +0100, Joshua G Lock wrote:
> Hi Armin,
>
> On Thu, 2016-04-28 at 11:23 -0700, Armin Kuster wrote:
> >
> > From: Armin Kuster <akuster@mvista.com>
> >
> I've been seeing:
>
> "qemu: uncaught target signal 11 (Segmentation fault) - core dumped"
>
> when trying to build gobject-introspection for qemux86 recently and
> narrowed it down to this change, if I revert this patch the use of
> qemu-native by gobject-introspection no longer causes a segmentation
> fault.
>
> Are we missing some related patches for this CVE fix? I haven't dug
> into the details, but noticed that Fedora's CVE-2016-2857 diffstat[1]
> is much larger than ours[2].
If I apply the 5 patches from Fedora's CVE-2016-2857 fix (with our
patch reverted) qemu-native's use during a gobject-introspection build
no longer causes segmentation faults.
I've sent a patch proposing an upgrade to 2.5.1 for krogoth and master,
which includes the 5 patch series mentioned above and several other
fixes.
Regards,
Joshua
> 1. http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/commit/?id=54cb1301c61f0be7b96e343902bb09be081b34fe
> 2. http://git.openembedded.org/openembedded-core/commit/?id=d1b972a55c59a3f3336b3ebd309532dc204ea97b
>
> >
> > ---
> > .../recipes-devtools/qemu/qemu/CVE-2016-2857.patch | 51
> > ++++++++++++++++++++++
> > meta/recipes-devtools/qemu/qemu_2.5.0.bb | 1 +
> > 2 files changed, 52 insertions(+)
> > create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-
> > 2857.patch
> >
> > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2857.patch
> > b/meta/recipes-devtools/qemu/qemu/CVE-2016-2857.patch
> > new file mode 100644
> > index 0000000..73cfa2a
> > --- /dev/null
> > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2857.patch
> > @@ -0,0 +1,51 @@
> > +From 362786f14a753d8a5256ef97d7c10ed576d6572b Mon Sep 17 00:00:00
> > 2001
> > +From: Prasad J Pandit <pjp@fedoraproject.org>
> > +Date: Wed, 2 Mar 2016 17:29:58 +0530
> > +Subject: [PATCH] net: check packet payload length
> > +
> > +While computing IP checksum, 'net_checksum_calculate' reads
> > +payload length from the packet. It could exceed the given 'data'
> > +buffer size. Add a check to avoid it.
> > +
> > +Reported-by: Liu Ling <liuling-it@360.cn>
> > +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> > +Signed-off-by: Jason Wang <jasowang@redhat.com>
> > +
> > +Upstream-Status: Backport
> > +CVE: CVE-2016-2857
> > +
> > +http://git.qemu.org/?p=qemu.git;a=commit;h=362786f14a753d8a5256ef9
> > 7d
> > 7c10ed576d6572b
> > +Signed-off-by: Armin Kuster <akuster@mvista.com>
> > +
> > +---
> > + net/checksum.c | 10 ++++++++--
> > + 1 file changed, 8 insertions(+), 2 deletions(-)
> > +
> > +Index: qemu-2.5.0/net/checksum.c
> > +==================================================================
> > =
> > +--- qemu-2.5.0.orig/net/checksum.c
> > ++++ qemu-2.5.0/net/checksum.c
> > +@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *dat
> > + int hlen, plen, proto, csum_offset;
> > + uint16_t csum;
> > +
> > ++ /* Ensure data has complete L2 & L3 headers. */
> > ++ if (length < 14 + 20) {
> > ++ return;
> > ++ }
> > ++
> > + if ((data[14] & 0xf0) != 0x40)
> > + return; /* not IPv4 */
> > + hlen = (data[14] & 0x0f) * 4;
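Review bot: the `length < 14 + 20` guard makes the fixed IPv4 header readable, but the context line that follows, `hlen = (data[14] & 0x0f) * 4;`, still accepts an IHL below 5 (an hlen of 0 to 16), which is not valid IPv4; this is not a memory-safety gap once the second hunk bounds `14 + hlen + plen` by `length`, but an explicit `hlen < 20` rejection here would keep the later `data[14+hlen+csum_offset]` accesses from landing inside the IP header on a malformed frame. The `14` and `20` literals would also read better as named header sizes, matching the wording of the new comment.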
> > +@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *dat
> > + return;
> > + }
> > +
> > +- if (plen < csum_offset+2)
> > +- return;
> > ++ if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
> > ++ return;
> > ++ }
> > +
> > + data[14+hlen+csum_offset] = 0;
> > + data[14+hlen+csum_offset+1] = 0;
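Review bot: the new `14 + hlen + plen > length` clause is the actual fix for the over-read the commit message describes, since `plen` is read from the packet and was previously trusted; unlike the first hunk it carries no comment, so a one-liner saying that both the checksum-field offset and the end of the claimed payload are being bounded against the caller's `length` would make the intent as clear as the `/* Ensure data has complete L2 & L3 headers. */` above. The brace-style change on the surviving `plen < csum_offset + 2` check is consistent with the first hunk.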
> > diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
> > b/meta/recipes-
> > devtools/qemu/qemu_2.5.0.bb
> > index e9d9a8d..7622386 100644
> > --- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
> > +++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
> > @@ -11,6 +11,7 @@ SRC_URI += "file://configure-fix-Darwin-target-de
> > te
> > ction.patch \
> > file://CVE-2016-2197.patch \
> > file://CVE-2016-2198.patch \
> > file://pathlimit.patch \
> > + file://CVE-2016-2857.patch \
> > "
> > SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar
> > .b
> > z2"
> > SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
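Review bot: only the SRC_URI entry changes here, which is correct since `CVE: CVE-2016-2857` and `Upstream-Status: Backport` live in the patch header; given the qemu-native segfault reported later in this thread and bisected to this change, it would be worth stating in the commit message how the backport was exercised (for example a qemu-native build of gobject-introspection, as used in that report) before it is applied to krogoth.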
> > --
> > 2.3.5
> >
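The hunks quoted above guard net_checksum_calculate() against a frame whose IP header claims more payload than the buffer actually holds. As an added illustration for this thread (example code written for this page, not QEMU's net/checksum.c and not part of the patch), the following stand-alone C program re-implements the function with the two checks from the patch, returns a result code instead of silently returning, and runs it over constructed Ethernet/IPv4/UDP frames: a well-formed one, one whose total-length field claims 1400 bytes while only 46 were delivered, and a 20-byte runt. The ones-complement helpers, the result codes, the `overrun` out-parameter, the frame builder and the demo functions are all assumptions of this example rather than QEMU APIs.

```c
/* Added example for this thread, not QEMU code: the two length checks the
 * CVE-2016-2857 patch adds to net_checksum_calculate(), re-implemented
 * stand-alone and run over constructed Ethernet/IPv4/UDP frames. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define ETH_HLEN   14
#define IP_MINHLEN 20
#define PROTO_TCP  6
#define PROTO_UDP  17

/* Result codes are an addition of this example; QEMU's function returns void. */
enum csum_result { CSUM_OK = 0, CSUM_SHORT_HEADERS, CSUM_NOT_IPV4,
                   CSUM_UNSUPPORTED_PROTO, CSUM_BAD_LENGTH };
/* RFC 1071 ones-complement accumulate and fold. */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, int len) {
    for (int i = 0; i + 1 < len; i += 2) sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    return (len & 1) ? sum + ((uint32_t)buf[len - 1] << 8) : sum;
}
static uint16_t csum_finish(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* TCP/UDP checksum over the IPv4 pseudo-header (addresses, proto, length) + segment. */
static uint16_t tcpudp_checksum(int plen, int proto, const uint8_t *addrs, const uint8_t *seg) {
    uint32_t sum = csum_add(0, addrs, 8) + (uint32_t)proto + (uint32_t)plen;
    return csum_finish(csum_add(sum, seg, plen));
}

/* Patched logic; *overrun reports how far past `length` unpatched code would have read. */
enum csum_result checked_net_checksum_calculate(uint8_t *data, int length, int *overrun) {
    *overrun = 0;
    if (length < ETH_HLEN + IP_MINHLEN)              /* hunk 1: L2 + L3 headers present */
        return CSUM_SHORT_HEADERS;
    if ((data[14] & 0xf0) != 0x40)
        return CSUM_NOT_IPV4;
    int hlen  = (data[14] & 0x0f) * 4;
    int plen  = ((data[16] << 8) | data[17]) - hlen; /* read from the packet: untrusted */
    int proto = data[23], csum_offset = 0;
    switch (proto) {
    case PROTO_TCP: csum_offset = 16; break;
    case PROTO_UDP: csum_offset = 6;  break;
    default:        return CSUM_UNSUPPORTED_PROTO;
    }
    if (ETH_HLEN + hlen + plen > length)
        *overrun = ETH_HLEN + hlen + plen - length;
    /* hunk 2: checksum field must fit the payload, payload must fit the buffer */
    if (plen < csum_offset + 2 || ETH_HLEN + hlen + plen > length)
        return CSUM_BAD_LENGTH;
    uint8_t *field = data + ETH_HLEN + hlen + csum_offset;
    field[0] = field[1] = 0;
    uint16_t csum = tcpudp_checksum(plen, proto, data + 26, data + ETH_HLEN + hlen);
    field[0] = csum >> 8; field[1] = csum & 0xff;
    return CSUM_OK;
}
/* Constructed frame: zero MACs, IPv4 10.0.2.15 -> 10.0.2.2, UDP 12345 -> 53 with
 * `payload_len` payload bytes. `ip_total` is written verbatim into the IP
 * total-length field so the header can be made to lie. Returns bytes built. */
size_t build_udp_frame(uint8_t *buf, size_t cap, int payload_len, int ip_total) {
    static const uint8_t addrs[8] = {10, 0, 2, 15, 10, 0, 2, 2};
    uint8_t *ip = buf + ETH_HLEN, *udp = ip + IP_MINHLEN;
    int udp_len = 8 + payload_len;
    memset(buf, 0, cap);
    buf[12] = 0x08; buf[13] = 0x00;                              /* EtherType IPv4 */
    ip[0] = 0x45; ip[2] = ip_total >> 8; ip[3] = ip_total & 0xff;
    ip[8] = 64; ip[9] = PROTO_UDP; memcpy(ip + 12, addrs, 8);
    udp[0] = 0x30; udp[1] = 0x39; udp[3] = 53;
    udp[4] = udp_len >> 8; udp[5] = udp_len & 0xff;
    for (int i = 0; i < payload_len; i++) udp[8 + i] = (uint8_t)('A' + i % 26);
    return ETH_HLEN + IP_MINHLEN + udp_len;
}
/* Well-formed frame: checksum is written, and recomputing over the segment folds to 0. */
int demo_valid_frame(void) {
    uint8_t f[128]; int over;
    int len = (int)build_udp_frame(f, sizeof f, 4, IP_MINHLEN + 8 + 4);
    if (checked_net_checksum_calculate(f, len, &over) != CSUM_OK) return 0;
    uint32_t sum = csum_add(0, f + 26, 8) + PROTO_UDP + 12;
    return csum_finish(csum_add(sum, f + 34, 12)) == 0;
}
/* Header claims 1400 bytes but 46 are delivered: rejected. Returns how many bytes
 * past the buffer unpatched code would have read (1368), or -1 if not rejected. */
int demo_lying_total_length(void) {
    uint8_t f[128]; int over;
    int len = (int)build_udp_frame(f, sizeof f, 4, 1400);
    return checked_net_checksum_calculate(f, len, &over) == CSUM_BAD_LENGTH ? over : -1;
}
/* Only 20 bytes delivered: rejected before any byte past the Ethernet header is read. */
enum csum_result demo_runt_frame(void) {
    uint8_t f[128]; int over;
    build_udp_frame(f, sizeof f, 4, IP_MINHLEN + 12);
    return checked_net_checksum_calculate(f, 20, &over);
}

int main(void) {
    printf("valid frame checksum verifies: %d\n", demo_valid_frame());
    printf("lying total length: unpatched over-read would be %d bytes\n", demo_lying_total_length());
    printf("runt frame rejected: %d\n", demo_runt_frame() == CSUM_SHORT_HEADERS);
    return 0;
}
```

The `overrun` figure is the point of the fix: for the lying frame the unpatched arithmetic would have summed 1368 bytes beyond the 46 it was given, which is the out-of-bounds read CVE-2016-2857 describes. The same two-step shape generalizes to any parser that trusts an in-packet length: check that the fixed header fits first, then check the variable-length part against the buffer size the caller actually passed, never against the length the packet claims.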
* Re: [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
[not found] ` <572A0450.10100@mvista.com>
@ 2016-05-04 22:17 ` Joshua G Lock
2016-05-06 15:47 ` akuster808
0 siblings, 1 reply; 10+ messages in thread
From: Joshua G Lock @ 2016-05-04 22:17 UTC (permalink / raw)
To: akuster, Armin Kuster, openembedded-core
On Wed, 2016-05-04 at 07:16 -0700, akuster wrote:
>
> On 05/04/2016 02:52 AM, Joshua G Lock wrote:
> >
> > Hi Armin,
> >
> > On Thu, 2016-04-28 at 11:23 -0700, Armin Kuster wrote:
> > >
> > > From: Armin Kuster <akuster@mvista.com>
> > >
> > I've been seeing:
> >
> > "qemu: uncaught target signal 11 (Segmentation fault) - core
> > dumped"
> >
> > when trying to build gobject-introspection for qemux86 recently and
> > narrowed it down to this change, if I revert this patch the use of
> > qemu-native by gobject-introspection no longer causes a
> > segmentation
> > fault.
> well that is not good. To be clear, this is a build issue not an
> execution issue? I would like to better understand what went wrong to
> tighten up my processes.
It's an execution issue for qemu-native, the segmentation error occurs
when trying to build gobject-introspection (which calls qemu-native).
I didn't try calling qemu-native any other way (runqemu, etc) to see
whether it was something specific to the way gobject-introspection
calls qemu.
> >
> >
> > Are we missing some related patches for this CVE fix?
> The only commit identified for it is the one this patch came from.
>
> I haven't dug
> >
> > into the details, but noticed that Fedora's CVE-2016-2857
> > diffstat[1]
> > is much larger than ours[2].
> The Fedora change includes several other CVE fixes
> +# CVE-2016-2538: Integer overflow in usb module (bz #1305815)
> +Patch0103: 0103-usb-check-RNDIS-message-length.patch
> +Patch0104: 0104-usb-check-RNDIS-buffer-offsets-length.patch
> +# CVE-2016-2841: ne2000: infinite loop (bz #1304047)
> +Patch0105: 0105-net-ne2000-check-ring-buffer-control-registers.patch
> +# CVE-2016-2857: net: out of bounds read (bz #1309564)
> +Patch0106: 0106-net-check-packet-payload-length.patch
> +# CVE-2016-2392: usb: null pointer dereference (bz #1307115)
> +Patch0107: 0107-usb-check-USB-configuration-descriptor-object.patch
> +# Fix external snapshot any more after active committing (bz #1300209)
> +Patch0108: 0108-block-set-device_list.tqe_prev-to-NULL-on-BDS-remova.patch
>
> some of which we seem to be missing as well.
Several (possibly all) of those are in the 2.5.1 upgrade I proposed.
Regards,
Joshua
* Re: [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
2016-05-04 22:17 ` Joshua G Lock
@ 2016-05-06 15:47 ` akuster808
2016-05-06 15:51 ` Alexander Kanavin
0 siblings, 1 reply; 10+ messages in thread
From: akuster808 @ 2016-05-06 15:47 UTC (permalink / raw)
To: Joshua G Lock, akuster, openembedded-core
On 05/04/2016 03:17 PM, Joshua G Lock wrote:
> On Wed, 2016-05-04 at 07:16 -0700, akuster wrote:
>>
>> On 05/04/2016 02:52 AM, Joshua G Lock wrote:
>>>
>>> Hi Armin,
>>>
>>> On Thu, 2016-04-28 at 11:23 -0700, Armin Kuster wrote:
>>>>
>>>> From: Armin Kuster <akuster@mvista.com>
>>>>
>>> I've been seeing:
>>>
>>> "qemu: uncaught target signal 11 (Segmentation fault) - core
>>> dumped"
>>>
>>> when trying to build gobject-introspection for qemux86 recently and
>>> narrowed it down to this change, if I revert this patch the use of
>>> qemu-native by gobject-introspection no longer causes a
>>> segmentation
>>> fault.
>> well that is not good. To be clear, this is a build issue not an
>> execution issue? I would like to better understand what went wrong to
>> tighten up my processes.
>
> It's an execution issue for qemu-native, the segmentation error occurs
> when trying to build gobject-introspection (which calls qemu-native).
>
> I didn't try calling qemu-native any other way (runqemu, etc) to see
> whether it was something specific to the way gobject-introspection
> calls qemu.
>
I can not reproduce this issue. I have used two different build systems.
I have another I will try.
so the testcase would be?
1) bitbake core-image-sato
2) runqemu qemux86
I am surprised the AB didn't catch this prior to release.
>>>
>>>
>>> Are we missing some related patches for this CVE fix?
>> The only commit identified for it is the one this patch came from.
>>
>> I haven't dug
>>>
>>> into the details, but noticed that Fedora's CVE-2016-2857
>>> diffstat[1]
>>> is much larger than ours[2].
>> The Fedora change includes several other CVE fixes
>> +# CVE-2016-2538: Integer overflow in usb module (bz #1305815)
>> +Patch0103: 0103-usb-check-RNDIS-message-length.patch
>> +Patch0104: 0104-usb-check-RNDIS-buffer-offsets-length.patch
>> +# CVE-2016-2841: ne2000: infinite loop (bz #1304047)
>> +Patch0105: 0105-net-ne2000-check-ring-buffer-control-registers.patch
>> +# CVE-2016-2857: net: out of bounds read (bz #1309564)
>> +Patch0106: 0106-net-check-packet-payload-length.patch
>> +# CVE-2016-2392: usb: null pointer dereference (bz #1307115)
>> +Patch0107: 0107-usb-check-USB-configuration-descriptor-object.patch
>> +# Fix external snapshot any more after active committing (bz #1300209)
>> +Patch0108: 0108-block-set-device_list.tqe_prev-to-NULL-on-BDS-remova.patch
>>
>> some of which we seem to be missing as well.
>
> Several (possibly all) of those are in the 2.5.1 upgrade I proposed.
There are over 50 commits in that release, some of them extend
functionality which is why I am a bit hesitant in upgrading Krogoth at
this time. Dot releases tend to be the cleaner method to loads for back
ports. I need to think about this a bit more.
Is anyone else seeing a problem?
- Armin
>
> Regards,
>
> Joshua
>
* Re: [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
2016-05-06 15:47 ` akuster808
@ 2016-05-06 15:51 ` Alexander Kanavin
2016-05-09 21:27 ` akuster808
0 siblings, 1 reply; 10+ messages in thread
From: Alexander Kanavin @ 2016-05-06 15:51 UTC (permalink / raw)
To: openembedded-core
On 05/06/2016 06:47 PM, akuster808 wrote:
> I can not reproduce this issue. I have used two different build systems.
> I have another I will try.
>
> so the testcase would be?
>
> 1) bitbake core-image-sato
> 2) runqemu qemux86
3) verify that you have a bunch of .gir and .typelib files on that image
(or in target sysroot)
Alex
* Re: [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
2016-05-06 15:51 ` Alexander Kanavin
@ 2016-05-09 21:27 ` akuster808
2016-05-10 13:46 ` Joshua G Lock
0 siblings, 1 reply; 10+ messages in thread
From: akuster808 @ 2016-05-09 21:27 UTC (permalink / raw)
To: Alexander Kanavin, openembedded-core
On 5/6/16 8:51 AM, Alexander Kanavin wrote:
> On 05/06/2016 06:47 PM, akuster808 wrote:
>
>> I can not reproduce this issue. I have used two different build systems.
>> I have another I will try.
>>
>> so the testcase would be?
>>
>> 1) bitbake core-image-sato
>> 2) runqemu qemux86
>
> 3) verify that you have a bunch of .gir and .typelib files on that
> image (or in target sysroot)
yeah. they are there. wonder how to reproduce this issue?? host os release??
- armin
>
>
> Alex
>
* Re: [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857
2016-05-09 21:27 ` akuster808
@ 2016-05-10 13:46 ` Joshua G Lock
0 siblings, 0 replies; 10+ messages in thread
From: Joshua G Lock @ 2016-05-10 13:46 UTC (permalink / raw)
To: openembedded-core
On Mon, 2016-05-09 at 14:27 -0700, akuster808 wrote:
> On 5/6/16 8:51 AM, Alexander Kanavin wrote:
> >
> > On 05/06/2016 06:47 PM, akuster808 wrote:
> >
> > >
> > > I can not reproduce this issue. I have used two different build
> > > systems.
> > > I have another I will try.
> > >
> > > so the testcase would be?
> > >
> > > 1) bitbake core-image-sato
> > > 2) runqemu qemux86
> > 3) verify that you have a bunch of .gir and .typelib files on that
> > image (or in target sysroot)
> yeah. they are there. wonder how to reproduce this issue?? host os
> release??
I discovered this issue on an Ubuntu 14.04.4 host (gcc 4.8.4) where
neither qemu-native nor gobject-introspection were available in the
sstate-cache. I can revert the qemu upgrade and attempt to reproduce
again if it would help?
Joshua
>
> - armin
> >
> >
> >
> > Alex
> >
2016-04-28 18:23 [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857 Armin Kuster
2016-04-28 18:23 ` [master][krogoth][PATCH 2/2] qemu: Security fix CVE-2016-2858 Armin Kuster
2016-05-04 9:52 ` [master][krogoth][PATCH 1/2] qemu: Security fix CVE-2016-2857 Joshua G Lock
2016-05-04 9:58 ` Alexander Kanavin
2016-05-04 10:49 ` Joshua G Lock
[not found] ` <572A0450.10100@mvista.com>
2016-05-04 22:17 ` Joshua G Lock
2016-05-06 15:47 ` akuster808
2016-05-06 15:51 ` Alexander Kanavin
2016-05-09 21:27 ` akuster808
2016-05-10 13:46 ` Joshua G Lock