Fix for CVE-2016-2538.

from Brad (maintainer)
2016-03-01 10:18:25 +00:00 · 2016-03-01 10:18:25 +00:00 · 562c51d947
commit 562c51d947
parent 9a8a0869a4
4 changed files with 98 additions and 11 deletions
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.143 2016/02/20 22:46:46 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.144 2016/03/01 10:18:25 ajacoutot Exp $

 ONLY_FOR_ARCHS=	amd64 i386 powerpc sparc64

 COMMENT=	multi system emulator

 DISTNAME=	qemu-2.2.1
-REVISION=	19
+REVISION=	20
 CATEGORIES=	emulators
 MASTER_SITES=	http://wiki.qemu.org/download/
 EXTRACT_SUFX=	.tar.bz2
--- a/emulators/qemu/patches/patch-hw_usb_core_c
+++ b/emulators/qemu/patches/patch-hw_usb_core_c
@ -0,0 +1,44 @@
+$OpenBSD: patch-hw_usb_core_c,v 1.1 2016/03/01 10:18:25 ajacoutot Exp $
+
+usb: check RNDIS message length
+
+When processing remote NDIS control message packets, the USB Net
+device emulator uses a fixed length(4096) data buffer. The incoming
+packet length could exceed this limit. Add a check to avoid it.
+
+CVE-2016-2538
+
+--- hw/usb/core.c.orig	Mon Feb 29 18:44:35 2016
+++ hw/usb/core.c	Mon Feb 29 18:47:09 2016
+@@ -128,9 +128,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+     }
+ 
+     usb_packet_copy(p, s->setup_buf, p->iov.size);
+    s->setup_index = 0;
+     p->actual_length = 0;
+     s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+-    s->setup_index = 0;
+    if (s->setup_len > sizeof(s->data_buf)) {
+        fprintf(stderr,
+                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+                s->setup_len, sizeof(s->data_buf));
+        p->status = USB_RET_STALL;
+        return;
+    }
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -151,13 +158,6 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+         }
+         s->setup_state = SETUP_STATE_DATA;
+     } else {
+-        if (s->setup_len > sizeof(s->data_buf)) {
+-            fprintf(stderr,
+-                "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
+-            p->status = USB_RET_STALL;
+-            return;
+-        }
+         if (s->setup_len == 0)
+             s->setup_state = SETUP_STATE_ACK;
+         else
--- a/emulators/qemu/patches/patch-hw_usb_dev-network_c
+++ b/emulators/qemu/patches/patch-hw_usb_dev-network_c
@ -1,4 +1,4 @@
-$OpenBSD: patch-hw_usb_dev-network_c,v 1.1 2016/02/20 22:46:46 ajacoutot Exp $
+$OpenBSD: patch-hw_usb_dev-network_c,v 1.2 2016/03/01 10:18:25 ajacoutot Exp $

 usb: check USB configuration descriptor object

@ -9,8 +9,18 @@ which leads to a null dereference error. Add check to avoid it.

 CVE-2016-2393

--- hw/usb/dev-network.c.orig	Thu Feb 18 19:21:12 2016
-+++ hw/usb/dev-network.c	Thu Feb 18 19:21:37 2016
+usb: check RNDIS buffer offsets & length
+
+When processing remote NDIS control message packets,
+the USB Net device emulator uses a fixed length(4096) data buffer.
+The incoming informationBufferOffset & Length combination could
+overflow and cross that range. Check control message buffer
+offsets and length to avoid it.
+
+CVE-2016-2538
+
+--- hw/usb/dev-network.c.orig	Tue Mar 10 13:38:27 2015
+++ hw/usb/dev-network.c	Mon Feb 29 18:49:32 2016
@@ -650,7 +650,8 @@ typedef struct USBNetState {
 
 static int is_rndis(USBNetState *s)
@ -21,3 +31,36 @@ CVE-2016-2393
 }
 
 static int ndis_query(USBNetState *s, uint32_t oid,
+@@ -911,8 +912,9 @@ static int rndis_query_response(USBNetState *s,
+ 
+     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+     buflen = le32_to_cpu(buf->InformationBufferLength);
+-    if (bufoffs + buflen > length)
+    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
+         return USB_RET_STALL;
+    }
+ 
+     infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
+                             bufoffs + (uint8_t *) buf, buflen, infobuf,
+@@ -957,8 +959,9 @@ static int rndis_set_response(USBNetState *s,
+ 
+     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+     buflen = le32_to_cpu(buf->InformationBufferLength);
+-    if (bufoffs + buflen > length)
+    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
+         return USB_RET_STALL;
+    }
+ 
+     ret = ndis_set(s, le32_to_cpu(buf->OID),
+                     bufoffs + (uint8_t *) buf, buflen);
+@@ -1208,8 +1211,9 @@ static void usb_net_handle_dataout(USBNetState *s, USB
+     if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
+         uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
+         uint32_t size = le32_to_cpu(msg->DataLength);
+-        if (offs + size <= len)
+        if (offs < len && size < len && offs + size <= len) {
+             qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
+        }
+     }
+     s->out_ptr -= len;
+     memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
--- a/emulators/qemu/patches/patch-hw_usb_hcd-ohci_c
+++ b/emulators/qemu/patches/patch-hw_usb_hcd-ohci_c
@ -1,11 +1,11 @@
-$OpenBSD: patch-hw_usb_hcd-ohci_c,v 1.1 2016/02/20 22:46:46 ajacoutot Exp $
+$OpenBSD: patch-hw_usb_hcd-ohci_c,v 1.2 2016/03/01 10:18:25 ajacoutot Exp $

-usb: ohci avoid multiple eof timers
+ohci: allocate timer only once.

-When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
-state, it creates an eof timer object in 'ohci_bus_start'.
-It does not check if one already exists. This results in memory
-leakage and null dereference issue. Add a check to avoid it.
+Allocate timer once, at init time, instead of allocating/freeing
+it all the time when starting/stopping the bus.  Simplifies the
+code, also fixes bugs (memory leak) due to missing checks whenever
+the time is already allocated or not.

 CVE-2016-2391