qemu: Secuirty fix for CVE-2016-5403

affects qemu < 2.7.0-rc0

Signed-off-by: Armin Kuster <akuster@mvista.com>

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
new file mode 100644 (file)
index 0000000..fe084f5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
@@ -0,0 +1,67 @@
+From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 19 Jul 2016 13:07:13 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits, causing unbounded memory allocation in QEMU.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size.  This requires reusing
+vring descriptors in more than one request, which is not allowed by the
+VIRTIO 1.0 specification.
+
+In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
+says:
+
+  1. The driver places the buffer into free descriptor(s) in the
+     descriptor table, chaining as necessary
+
+and
+
+  Note that the above code does not take precautions against the
+  available ring buffer wrapping around: this is not possible since the
+  ring buffer is the same size as the descriptor table, so step (1) will
+  prevent such a condition.
+
+This implies that placing more buffers into the virtqueue than the
+descriptor table size is not allowed.
+
+QEMU is missing the check to prevent this case.  Processing a request
+allocates a VirtQueueElement leading to unbounded memory allocation
+controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits.  This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
+Marvel Team, China.
+
+Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2106-5403
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
+ 
+     max = vq->vring.num;
+ 
++    if (vq->inuse >= vq->vring.num) {
++        error_report("Virtqueue size exceeded");
++        exit(1);
++    }
++
+     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+     if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
+         vring_set_avail_event(vq, vq->last_avail_idx);

diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
index c33eb66c89de3c0e72740e98d9a187176442584a..ad5ca89b9651b36006d104e9c2d4dc09d64d82b1 100644 (file)
--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -29,6 +29,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
             file://CVE-2016-6351_p1.patch \
             file://CVE-2016-6351_p2.patch \
             file://CVE-2016-4002.patch \
+            file://CVE-2016-5403.patch \
            "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"