* [PATCH 1/3] qemu: Security fix CVE-2016-1568
From: Armin Kuster @ 2016-02-09 1:29 UTC
To: openembedded-core; +Cc: Armin Kuster

From: Armin Kuster <akuster@mvista.com>

CVE-2016-1568 Qemu: ide: ahci use-after-free vulnerability in aio port commands

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../recipes-devtools/qemu/qemu/CVE-2016-1568.patch | 46 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.5.0.bb           |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
new file mode 100644
index 0000000..56fd346
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
@@ -0,0 +1,46 @@ +From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Mon, 11 Jan 2016 14:10:42 -0500 +Subject: [PATCH] ide: ahci: reset ncq object to unused on error + +When processing NCQ commands, AHCI device emulation prepares a +NCQ transfer object; To which an aio control block(aiocb) object +is assigned in 'execute_ncq_command'. In case, when the NCQ +command is invalid, the 'aiocb' object is not assigned, and NCQ +transfer object is left as 'used'. This leads to a use after +free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. +Reset NCQ transfer object to 'unused' to avoid it. + +[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] + +Reported-by: Qinghao Tang <luodalongde@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: John Snow <jsnow@redhat.com> +Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com +Signed-off-by: John Snow <jsnow@redhat.com> + +Upstream-Status: Backport + +http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab + +CVE: CVE-2016-1568 +[Yocto # 9013] + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/ide/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +Index: qemu-2.5.0/hw/ide/ahci.c +=================================================================== +--- qemu-2.5.0.orig/hw/ide/ahci.c ++++ qemu-2.5.0/hw/ide/ahci.c +@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *nc + ide_state->error = ABRT_ERR; + ide_state->status = READY_STAT | ERR_STAT; + ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); ++ ncq_tfs->used = 0; + } + + static void ncq_finish(NCQTransferState *ncq_tfs) diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb index 6ad7bbb..e51ec16 100644 --- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb 
@@ -7,6 +7,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \ file://qemu-enlarge-env-entry-size.patch \ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ file://no-valgrind.patch \ + file://CVE-2016-1568.patch \ " SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db" -- 2.3.5
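Review bot: the one-line change in ncq_err clears `ncq_tfs->used` but leaves `ncq_tfs->aiocb` alone, so a slot that errors out after an earlier command completed in it may still hold that earlier request's pointer; since the commit message locates the crash in `bdrv_aio_cancel_async` reached from `ahci_reset_port`, confirm that the reset path keys on `used` (which this fix relies on) rather than only on a non-NULL `aiocb`, or additionally set `ncq_tfs->aiocb = NULL;` next to `ncq_tfs->used = 0;` so a released slot never advertises a stale request. The backport header carries the upstream commit id, the `CVE:` tag and the Yocto bug reference, which is the set OE expects.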
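Review bot: nothing to change in the qemu_2.5.0.bb hunk; the new file is appended at the end of the existing `SRC_URI +=` block and the tarball checksums are correctly untouched because only a patch is added. Keep the `CVE: CVE-2016-1568` line inside the patch header in step with the filename if the patch is ever renamed, since that tag is what CVE tracking tooling keys on.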
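A toy C model of the slot lifecycle the commit message describes, added here as an illustration; it is not QEMU code, and none of the names (struct ncq_slot, struct port, run_scenario, the aiocb pool) are QEMU's. It assumes two things the page does not show and that are therefore modelling assumptions: the reset path cancels whatever request a slot marked used points at, and a completed request's pointer is left behind in the slot. Under those assumptions the leftover used flag on the error path is exactly what turns a port reset into a cancel on a freed request:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 4

/* Stand-in for an asynchronous I/O request.  The pool below never really
 * frees one; it only marks it dead, so a stale cancel can be counted
 * without touching freed memory. */
struct aiocb { bool live; };

/* One NCQ command slot.  The reset path assumes: used implies a live aiocb. */
struct ncq_slot {
    bool          used;
    struct aiocb *aiocb;
};

struct port {
    struct ncq_slot slots[NSLOTS];
    int cancels_on_freed;   /* would-be use-after-free cancels */
};

static struct aiocb pool[64];
static int pool_next;

static struct aiocb *aio_alloc(void)
{
    struct aiocb *a = &pool[pool_next++];
    a->live = true;
    return a;
}

static void aio_free(struct aiocb *a) { a->live = false; }

/* Error path.  With fixed == true it does what the one-line fix does and
 * hands the slot back; without it the slot stays marked used. */
static void ncq_err(struct ncq_slot *s, bool fixed)
{
    if (fixed)
        s->used = false;
}

/* Submit a command: the slot is claimed first, a valid command then gets a
 * fresh request, an invalid one takes the error path and no aiocb is
 * assigned (the situation the commit message describes). */
static void submit(struct port *p, int tag, bool valid, bool fixed)
{
    struct ncq_slot *s = &p->slots[tag];
    s->used = true;
    if (!valid) {
        ncq_err(s, fixed);
        return;
    }
    s->aiocb = aio_alloc();
}

/* Completion frees the request.  Modelling assumption: the slot keeps the
 * now-dangling pointer, which is what makes a later cancel dangerous. */
static void complete(struct port *p, int tag)
{
    struct ncq_slot *s = &p->slots[tag];
    aio_free(s->aiocb);
    s->used = false;
}

/* Reset path (modelling assumption): cancel the request of every slot
 * still marked used. */
static void reset_port(struct port *p)
{
    for (int i = 0; i < NSLOTS; i++) {
        struct ncq_slot *s = &p->slots[i];
        if (!s->used)
            continue;
        if (s->aiocb) {
            if (!s->aiocb->live)
                p->cancels_on_freed++;   /* the use-after-free */
            s->aiocb = NULL;
        }
        s->used = false;
    }
}

/* Scenario: a good command completes, the same slot is reused by an invalid
 * command, then the guest resets the port.  Returns how many cancels were
 * issued against a freed request: 1 without the fix, 0 with it. */
int run_scenario(bool fixed)
{
    struct port p;
    memset(&p, 0, sizeof p);
    pool_next = 0;
    submit(&p, 0, true, fixed);
    complete(&p, 0);
    submit(&p, 0, false, fixed);
    reset_port(&p);
    return p.cancels_on_freed;
}

int main(void)
{
    printf("stale cancels without fix: %d\n", run_scenario(false));
    printf("stale cancels with fix:    %d\n", run_scenario(true));
    return 0;
}
```

The point the model makes is about the invariant, not about this particular device: whenever a teardown path walks a table of in-flight objects, every path that claims an entry must either finish populating it or release it, and the one-line fix is the release on the rejection path.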
* [PATCH 2/3] nettle: Security fix CVE-2015-8803 and CVE-2015-8805
From: Armin Kuster @ 2016-02-09 1:29 UTC
To: openembedded-core; +Cc: Armin Kuster

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../nettle/nettle-3.1.1/CVE-2015-8803_8805.patch | 71 ++++++++++++++++++++++
 meta/recipes-support/nettle/nettle_3.1.1.bb      |  4 ++
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch

diff --git a/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch
new file mode 100644
index 0000000..b4ff228
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8803_8805.patch
@@ -0,0 +1,71 @@ +Upstream-Status: Backport +https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d + +CVE: CVE-2015-8803 +CVE: CVE-2015-8805 + +Same fix for both. + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: nettle-3.1.1/ecc-256.c +=================================================================== +--- nettle-3.1.1.orig/ecc-256.c ++++ nettle-3.1.1/ecc-256.c +@@ -113,8 +113,19 @@ ecc_256_modp (const struct ecc_modulo *p + + assert (q2 < 2); + +- /* We multiply by two low limbs of p, 2^96 - 1, so we could use +- shifts rather than mul. */ ++ /* ++ n-1 n-2 n-3 n-4 ++ +---+---+---+---+ ++ | u1| u0| u low | ++ +---+---+---+---+ ++ - | q1(2^96-1)| ++ +-------+---+ ++ |q2(2^.)| ++ +-------+ ++ ++ We multiply by two low limbs of p, 2^96 - 1, so we could use ++ shifts rather than mul. ++ */ + t = mpn_submul_1 (rp + n - 4, p->m, 2, q1); + t += cnd_sub_n (q2, rp + n - 3, p->m, 1); + t += (-q2) & 0xffffffff; +@@ -124,7 +135,10 @@ ecc_256_modp (const struct ecc_modulo *p + u0 -= t; + t = (u1 < cy); + u1 -= cy; +- u1 += cnd_add_n (t, rp + n - 4, p->m, 3); ++ ++ cy = cnd_add_n (t, rp + n - 4, p->m, 2); ++ u0 += cy; ++ u1 += (u0 < cy); + u1 -= (-t) & 0xffffffff; + } + rp[2] = u0; +@@ -211,7 +225,7 @@ ecc_256_modq (const struct ecc_modulo *q + + /* Conditional add of p */ + u1 += t; +- u2 += (t<<32) + (u0 < t); ++ u2 += (t<<32) + (u1 < t); + + t = cnd_add_n (t, rp + n - 4, q->m, 2); + u1 += t; +Index: nettle-3.1.1/ChangeLog +=================================================================== +--- nettle-3.1.1.orig/ChangeLog ++++ nettle-3.1.1/ChangeLog +@@ -1,3 +1,9 @@ ++2015-12-10 Niels Möller <nisse@lysator.liu.se> ++ ++ * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem ++ reported by Hanno Böck. ++ (ecc_256_modq): Fixed another carry propagation bug. ++ + 2015-04-24 Niels Möller <nisse@lysator.liu.se> + + * Released nettle-3.1.1. 
diff --git a/meta/recipes-support/nettle/nettle_3.1.1.bb b/meta/recipes-support/nettle/nettle_3.1.1.bb index 7d7134f..1fe3461 100644 --- a/meta/recipes-support/nettle/nettle_3.1.1.bb +++ b/meta/recipes-support/nettle/nettle_3.1.1.bb @@ -7,5 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSERv3;md5=6a6a8e020838b23406c81b19c1d46df6 file://serpent-decrypt.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e \ file://serpent-set-key.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e" +SRC_URI += "\ + file://CVE-2015-8803_8805.patch \ + " + SRC_URI[md5sum] = "b40fa88dc32f37a182b6b42092ebb144" SRC_URI[sha256sum] = "5fd4d25d64d8ddcb85d0d897572af73b05b4d163c6cc49438a5bfbb8ff293d4c" -- 2.3.5
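Review bot: in the ecc_256_modp hunk the removed line `u1 += cnd_add_n (t, rp + n - 4, p->m, 3);` fed the carry of a three-limb conditional add straight into u1, so u0, the live copy of the limb just below it (note `u0 -= t;` above and `rp[2] = u0;` after the loop), never received the carry; the replacement adds two limbs into rp, puts the carry into u0 and propagates `(u0 < cy)` into u1, which is the correct limb-by-limb ripple and matches the ChangeLog wording. The new ASCII diagram labels n-1..n-4 and the code's `rp + n - 4` / `rp + n - 3` offsets agree, so no further change is needed there.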
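Review bot: the ecc_256_modq change `u2 += (t<<32) + (u1 < t);` moves the wrap test from u0 to u1, and u1 is the limb the immediately preceding `u1 += t;` wrote, so the old line compared an unrelated limb against t and produced a carry that had nothing to do with the addition it was meant to detect. As the ChangeLog's "another carry propagation bug" says, these are two distinct bugs in two functions, so the patch header's "Same fix for both" would be more accurate as "both fixed by the same upstream commit".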
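Review bot: the nettle_3.1.1.bb hunk introduces the `SRC_URI += "\` block for the first time in this recipe and patch 3/3 of the series appends to it, so the two recipe changes must land in order. No FILESEXTRAPATHS change is needed because the new nettle-3.1.1/ directory is the ${BP} directory that the default file search already covers.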
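An added C illustration of the carry idiom that both ChangeLog entries in this patch describe (the ecc_256_modp limb ripple and the ecc_256_modq wrap test); it is not nettle's code. cnd_add_n below is a stand-in written for the example and only borrows nettle's name; struct acc, cnd_add_propagate and cnd_add_skip_u0 are hypothetical names chosen here, and the input is constructed so that a single carry has to ripple through every limb:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t limb_t;

/* Branch-free conditional add of n limbs of bp into rp when cnd != 0, in the
 * spirit of nettle's cnd_add_n (a stand-in, not nettle's routine).
 * Returns the carry out of the top limb. */
limb_t cnd_add_n(limb_t cnd, limb_t *rp, const limb_t *bp, size_t n)
{
    limb_t mask = -(limb_t)(cnd != 0);     /* all ones or all zeros */
    limb_t cy = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t b  = bp[i] & mask;
        limb_t s  = rp[i] + b;
        limb_t c1 = s < b;                 /* wrapped on the add itself */
        limb_t t  = s + cy;
        limb_t c2 = t < s;                 /* wrapped on adding the carry in */
        rp[i] = t;
        cy = c1 | c2;                      /* at most one of the two is set */
    }
    return cy;
}

/* A 256-bit value split the way ecc_256_modp keeps it: two low limbs in
 * memory, the two high limbs u0 (lower) and u1 (upper) in local variables. */
struct acc {
    limb_t lo[2];
    limb_t u0, u1;
};

/* Fixed pattern: the carry out of the memory limbs enters u0, and only a
 * wrap of u0 moves on into u1. */
void cnd_add_propagate(struct acc *a, limb_t cnd, const limb_t m[2])
{
    limb_t cy = cnd_add_n(cnd, a->lo, m, 2);
    a->u0 += cy;
    a->u1 += (a->u0 < cy);
}

/* Pre-fix pattern as seen from the live values: the carry is added straight
 * into u1 and u0 is skipped. */
void cnd_add_skip_u0(struct acc *a, limb_t cnd, const limb_t m[2])
{
    a->u1 += cnd_add_n(cnd, a->lo, m, 2);
}

/* Constructed input: every limb below u1 is all ones and one is added at the
 * bottom.  The exact result is 2^192, i.e. lo = {0, 0}, u0 = 0, u1 = 1. */
static const limb_t ONE[2] = { 1, 0 };

static struct acc all_ones_below_u1(void)
{
    struct acc a = { { UINT64_MAX, UINT64_MAX }, UINT64_MAX, 0 };
    return a;
}

/* Returns 1 when the propagating version produces exactly 2^192. */
int scenario_correct(void)
{
    struct acc a = all_ones_below_u1();
    cnd_add_propagate(&a, 1, ONE);
    return a.lo[0] == 0 && a.lo[1] == 0 && a.u0 == 0 && a.u1 == 1;
}

/* Returns 1 when the skipping version leaves u0 at all ones, a result that
 * is too large by (2^64 - 1) * 2^128. */
int scenario_buggy(void)
{
    struct acc a = all_ones_below_u1();
    cnd_add_skip_u0(&a, 1, ONE);
    return a.lo[0] == 0 && a.lo[1] == 0 && a.u0 == UINT64_MAX && a.u1 == 1;
}

/* Returns 1 when cnd == 0 leaves the value untouched: the mask, not a
 * data-dependent branch, decides whether anything is added. */
int scenario_noop(void)
{
    struct acc a = all_ones_below_u1();
    cnd_add_propagate(&a, 0, ONE);
    return a.lo[0] == UINT64_MAX && a.lo[1] == UINT64_MAX &&
           a.u0 == UINT64_MAX && a.u1 == 0;
}

/* The ecc_256_modq idiom: after `u1 += t` the wrap test must read u1, the
 * limb just written.  Returns 1 when 2^64 - 1 plus 1 gives u1 = 0, carry 1. */
int carry_out_example(void)
{
    limb_t u1 = UINT64_MAX, t = 1;
    u1 += t;
    limb_t carry = (u1 < t);
    return u1 == 0 && carry == 1;
}

int main(void)
{
    printf("propagating version exact: %d\n", scenario_correct());
    printf("skipping version wrong:    %d\n", scenario_buggy());
    printf("cnd == 0 is a no-op:       %d\n", scenario_noop());
    printf("wrap test reads new limb:  %d\n", carry_out_example());
    return 0;
}
```

The two rules the example exercises are the ones the hunks restore: a carry leaving one limb must be added to the very next limb and then re-tested for a further wrap, and the "did it wrap" comparison is only meaningful against the limb that was just written. Inputs with all-ones limbs are the cheapest way to catch both mistakes in a unit test, since a random operand almost never wraps more than one limb.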
* [PATCH 3/3] nettle: Security fix CVE-2015-8804
From: Armin Kuster @ 2016-02-09 1:29 UTC
To: openembedded-core; +Cc: Armin Kuster

From: Armin Kuster <akuster@mvista.com>

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../nettle/nettle-3.1.1/CVE-2015-8804.patch | 281 +++++++++++++++++++++
 meta/recipes-support/nettle/nettle_3.1.1.bb |   1 +
 2 files changed, 282 insertions(+)
 create mode 100644 meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch

diff --git a/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
new file mode 100644
index 0000000..1d34db7
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.1.1/CVE-2015-8804.patch
@@ -0,0 +1,281 @@ +Upstream-Status: Backport + https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7 + +CVE: CVE-2015-8804 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: nettle-3.1.1/ChangeLog +=================================================================== +--- nettle-3.1.1.orig/ChangeLog ++++ nettle-3.1.1/ChangeLog +@@ -1,3 +1,11 @@ ++2015-12-15 Niels Möller <nisse@lysator.liu.se> ++ ++ * x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem ++ reported by Hanno Böck. Simplified the folding to always use ++ non-negative carry, the old code attempted to add in a carry which ++ could be either positive or negative, but didn't get that case ++ right. ++ + 2015-12-10 Niels Möller <nisse@lysator.liu.se> + + * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem +Index: nettle-3.1.1/x86_64/ecc-384-modp.asm +=================================================================== +--- nettle-3.1.1.orig/x86_64/ecc-384-modp.asm ++++ nettle-3.1.1/x86_64/ecc-384-modp.asm +@@ -1,7 +1,7 @@ + C x86_64/ecc-384-modp.asm + + ifelse(< +- Copyright (C) 2013 Niels Möller ++ Copyright (C) 2013, 2015 Niels Möller + + This file is part of GNU Nettle. + +@@ -33,7 +33,7 @@ ifelse(< + .file "ecc-384-modp.asm" + + define(<RP>, <%rsi>) +-define(<D4>, <%rax>) ++define(<D5>, <%rax>) + define(<T0>, <%rbx>) + define(<T1>, <%rcx>) + define(<T2>, <%rdx>) +@@ -48,8 +48,8 @@ define(<H4>, <%r13>) + define(<H5>, <%r14>) + define(<C2>, <%r15>) + define(<C0>, H5) C Overlap +-define(<D0>, RP) C Overlap +-define(<TMP>, H4) C Overlap ++define(<TMP>, RP) C Overlap ++ + + PROLOGUE(nettle_ecc_384_modp) + W64_ENTRY(2, 0) +@@ -61,34 +61,38 @@ PROLOGUE(nettle_ecc_384_modp) + push %r14 + push %r15 + +- C First get top 2 limbs, which need folding twice ++ C First get top 2 limbs, which need folding twice. ++ C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. 
++ C We handle the terms as follow: + C +- C H5 H4 +- C -H5 +- C ------ +- C H0 D4 ++ C B^6: Folded immediatly. + C +- C Then shift right, (H1,H0,D4) <-- (H0,D4) << 32 +- C and add ++ C B^4: Delayed, added in in the next folding. + C +- C H5 H4 +- C H1 H0 +- C ---------- +- C C2 H1 H0 +- +- mov 80(RP), D4 +- mov 88(RP), H0 +- mov D4, H4 +- mov H0, H5 +- sub H0, D4 +- sbb $0, H0 +- +- mov D4, T2 +- mov H0, H1 +- shl $32, H0 +- shr $32, T2 ++ C 2^32(B-1) B^4: Low half limb delayed until the next ++ C folding. Top 1.5 limbs subtracted and shifter now, resulting ++ C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added ++ C in. ++ ++ mov 80(RP), H4 ++ mov 88(RP), H5 ++ C Shift right 32 bits, into H1, H0 ++ mov H4, H0 ++ mov H5, H1 ++ mov H5, D5 + shr $32, H1 +- or T2, H0 ++ shl $32, D5 ++ shr $32, H0 ++ or D5, H0 ++ ++ C H1 H0 ++ C - H1 H0 ++ C -------- ++ C H1 H0 D5 ++ mov H0, D5 ++ neg D5 ++ sbb H1, H0 ++ sbb $0, H1 + + xor C2, C2 + add H4, H0 +@@ -127,118 +131,95 @@ PROLOGUE(nettle_ecc_384_modp) + adc H3, T5 + adc $0, C0 + +- C H3 H2 H1 H0 0 +- C - H4 H3 H2 H1 H0 +- C --------------- +- C H3 H2 H1 H0 D0 +- +- mov XREG(D4), XREG(D4) +- mov H0, D0 +- neg D0 +- sbb H1, H0 +- sbb H2, H1 +- sbb H3, H2 +- sbb H4, H3 +- sbb $0, D4 +- +- C Shift right. High bits are sign, to be added to C0. 
+- mov D4, TMP +- sar $32, TMP +- shl $32, D4 +- add TMP, C0 +- ++ C Shift left, including low half of H4 + mov H3, TMP ++ shl $32, H4 + shr $32, TMP +- shl $32, H3 +- or TMP, D4 ++ or TMP, H4 + + mov H2, TMP ++ shl $32, H3 + shr $32, TMP +- shl $32, H2 + or TMP, H3 + + mov H1, TMP ++ shl $32, H2 + shr $32, TMP +- shl $32, H1 + or TMP, H2 + + mov H0, TMP ++ shl $32, H1 + shr $32, TMP +- shl $32, H0 + or TMP, H1 + +- mov D0, TMP +- shr $32, TMP +- shl $32, D0 +- or TMP, H0 ++ shl $32, H0 ++ ++ C H4 H3 H2 H1 H0 0 ++ C - H4 H3 H2 H1 H0 ++ C --------------- ++ C H4 H3 H2 H1 H0 TMP + +- add D0, T0 ++ mov H0, TMP ++ neg TMP ++ sbb H1, H0 ++ sbb H2, H1 ++ sbb H3, H2 ++ sbb H4, H3 ++ sbb $0, H4 ++ ++ add TMP, T0 + adc H0, T1 + adc H1, T2 + adc H2, T3 + adc H3, T4 +- adc D4, T5 ++ adc H4, T5 + adc $0, C0 + + C Remains to add in C2 and C0 +- C C0 C0<<32 (-2^32+1)C0 +- C C2 C2<<32 (-2^32+1)C2 +- C where C2 is always positive, while C0 may be -1. ++ C Set H1, H0 = (2^96 - 2^32 + 1) C0 + mov C0, H0 + mov C0, H1 +- mov C0, H2 +- sar $63, C0 C Get sign + shl $32, H1 +- sub H1, H0 C Gives borrow iff C0 > 0 ++ sub H1, H0 + sbb $0, H1 +- add C0, H2 + ++ C Set H3, H2 = (2^96 - 2^32 + 1) C2 ++ mov C2, H2 ++ mov C2, H3 ++ shl $32, H3 ++ sub H3, H2 ++ sbb $0, H3 ++ add C0, H2 C No carry. Could use lea trick ++ ++ xor C0, C0 + add H0, T0 + adc H1, T1 +- adc $0, H2 +- adc $0, C0 +- +- C Set (H1 H0) <-- C2 << 96 - C2 << 32 + 1 +- mov C2, H0 +- mov C2, H1 +- shl $32, H1 +- sub H1, H0 +- sbb $0, H1 +- +- add H2, H0 +- adc C0, H1 +- adc C2, C0 +- mov C0, H2 +- sar $63, C0 +- add H0, T2 +- adc H1, T3 +- adc H2, T4 +- adc C0, T5 +- sbb C0, C0 ++ adc H2, T2 ++ adc H3, T3 ++ adc C2, T4 ++ adc D5, T5 C Value delayed from initial folding ++ adc $0, C0 C Use sbb and switch sign? 
+ + C Final unlikely carry + mov C0, H0 + mov C0, H1 +- mov C0, H2 +- sar $63, C0 + shl $32, H1 + sub H1, H0 + sbb $0, H1 +- add C0, H2 + + pop RP + +- sub H0, T0 ++ add H0, T0 + mov T0, (RP) +- sbb H1, T1 ++ adc H1, T1 + mov T1, 8(RP) +- sbb H2, T2 ++ adc C0, T2 + mov T2, 16(RP) +- sbb C0, T3 ++ adc $0, T3 + mov T3, 24(RP) +- sbb C0, T4 ++ adc $0, T4 + mov T4, 32(RP) +- sbb C0, T5 ++ adc $0, T5 + mov T5, 40(RP) + + pop %r15 diff --git a/meta/recipes-support/nettle/nettle_3.1.1.bb b/meta/recipes-support/nettle/nettle_3.1.1.bb index 1fe3461..4a40e9a 100644 --- a/meta/recipes-support/nettle/nettle_3.1.1.bb +++ b/meta/recipes-support/nettle/nettle_3.1.1.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSERv3;md5=6a6a8e020838b23406c81b19c1d46df6 SRC_URI += "\ file://CVE-2015-8803_8805.patch \ + file://CVE-2015-8804.patch \ " SRC_URI[md5sum] = "b40fa88dc32f37a182b6b42092ebb144" -- 2.3.5
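Review bot: the two define hunks rename D4 to D5, drop D0 and make TMP overlap RP (`define(<TMP>, RP) C Overlap`); that overlap is only safe because RP is reloaded with `pop RP` before the final `mov T0, (RP)` stores, and the matching push at function entry is outside the visible context, so confirm it is present in the 3.1.1 source once the backport is applied.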
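Review bot: comment typos in the added lines of the top-limb folding hunk (`@@ -61,34 +61,38 @@`): "Folded immediatly" (immediately), "We handle the terms as follow" (as follows) and "subtracted and shifter now" (shifted). They come from the upstream commit, so correcting them in the backport would make it diverge from upstream; they belong in an upstream follow-up rather than here.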
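Review bot: in the large `@@ -127,118 +131,95 @@` hunk the final-carry correction drops the `sar $63, C0` sign extraction and switches from `sub/sbb` to `add/adc`, which is consistent with the ChangeLog's point that the carry is now always non-negative: `xor C0, C0` zeroes it and only `adc $0, C0` can set it, so C0 is 0 or 1. The correction then adds (2^96 - 2^32 + 1) C0 at T0/T1 (as the new comment states) and C0 itself at T2, i.e. C0 (2^128 + 2^96 - 2^32 + 1), which is 2^384 mod p for the P-384 prime p = 2^384 - 2^128 - 2^96 + 2^32 - 1, so the arithmetic checks out. The `C Use sbb and switch sign?` comment left on the `adc $0, C0` line in the same hunk is an open question in committed code; acceptable in a backport, but worth flagging upstream.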
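Review bot: the nettle_3.1.1.bb hunk adds the new file inside the `SRC_URI += "\` block that patch 2/3 of this series creates (the `index 1fe3461..4a40e9a` line is the blob 2/3 produced), so 3/3 does not apply on its own; if only the P-384 fix is ever cherry-picked to a stable branch, the SRC_URI block has to travel with it.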
* Re: [PATCH 3/3] nettle: Security fix CVE-2015-8804
From: Alexander Kanavin @ 2016-02-09 10:33 UTC
To: openembedded-core

On 02/09/2016 03:29 AM, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>  .../nettle/nettle-3.1.1/CVE-2015-8804.patch | 281 +++++++++++++++++++++
>  meta/recipes-support/nettle/nettle_3.1.1.bb |   1 +

Why not update to latest upstream (3.2) instead?

Alex
* Re: [PATCH 3/3] nettle: Security fix CVE-2015-8804
From: Burton, Ross @ 2016-02-09 14:30 UTC
To: Alexander Kanavin; +Cc: OE-core

On 9 February 2016 at 10:33, Alexander Kanavin <alexander.kanavin@linux.intel.com> wrote:

> On 02/09/2016 03:29 AM, Armin Kuster wrote:
>
>> From: Armin Kuster <akuster@mvista.com>
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> ---
>>  .../nettle/nettle-3.1.1/CVE-2015-8804.patch | 281 +++++++++++++++++++++
>>  meta/recipes-support/nettle/nettle_3.1.1.bb |   1 +
>
> Why not update to latest upstream (3.2) instead?

Yes, if both of these CVEs are fixed in 3.2 then master should upgrade (with stable branches getting the patches if deemed severe enough).

Ross