Package: release.debian.org
Severity: important
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package qemu. The current package in unstable, 2.1+dfsg-9, is one release ahead of previously unblocked version, 2.1+dfsg-8, see #771771 . This newly uploaded release fixes a newly discovered security issue in qemu-system, which is CVE-2014-8106 #772025 -- the bug is serious enough to warrant a quick fix. Stable (wheezy) already received the same fix, and I'm waiting for unstable to migrate to testing to fix this in bpo70 too, which is already uploaded early today. Since 2.1+dfsg-8 has already been unblocked, I'm attaching debdiff against that one, not against the version in testing. The debdiff contains 2 added patches from upstream plus the corresponding debian files changes. If this is not enough please indicate as such, I'll include complete debdiff. Setting severity to important because the security problem is really serious and needs urgent action, especially for bpo70. Thank you! /mjt
unblock qemu/2.1+dfsg-9
diff -Nru qemu-2.1+dfsg/debian/changelog qemu-2.1+dfsg/debian/changelog
--- qemu-2.1+dfsg/debian/changelog 2014-11-27 18:32:45.000000000 +0300
+++ qemu-2.1+dfsg/debian/changelog 2014-12-04 16:57:09.000000000 +0300
@@ -1,3 +1,11 @@
+qemu (2.1+dfsg-9) unstable; urgency=high
+
+ * apply upstream patches for CVE-2014-8106
+ (cirrus: insufficient blit region checks)
+ (Closes: #772025 CVE-2014-8106)
+
+ -- Michael Tokarev <m...@tls.msk.ru> Thu, 04 Dec 2014 00:10:43 +0300
+
qemu (2.1+dfsg-8) unstable; urgency=low
[ Michael Tokarev ]
diff -Nru qemu-2.1+dfsg/debian/patches/cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf-CVE-2014-8106.patch qemu-2.1+dfsg/debian/patches/cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf-CVE-2014-8106.patch
--- qemu-2.1+dfsg/debian/patches/cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf-CVE-2014-8106.patch 1970-01-01 03:00:00.000000000 +0300
+++ qemu-2.1+dfsg/debian/patches/cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf-CVE-2014-8106.patch 2014-12-04 16:53:22.000000000 +0300
@@ -0,0 +1,31 @@
+From bf25983345ca44aec3dd92c57142be45452bd38a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kra...@redhat.com>
+Date: Wed, 19 Nov 2014 13:27:28 +0100
+Subject: cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
+Bug-Debian: http://bugs.debian.org/772025
+
+This is CVE-2014-8106.
+
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+---
+ hw/display/cirrus_vga.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index d54fb06..2725264 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -293,6 +293,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+ assert(s->cirrus_blt_width > 0);
+ assert(s->cirrus_blt_height > 0);
+
++ if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
++ return true;
++ }
++
+ if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
+ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ return true;
+--
+1.7.10.4
+
diff -Nru qemu-2.1+dfsg/debian/patches/cirrus-fix-blit-region-check-CVE-2014-8106.patch qemu-2.1+dfsg/debian/patches/cirrus-fix-blit-region-check-CVE-2014-8106.patch
--- qemu-2.1+dfsg/debian/patches/cirrus-fix-blit-region-check-CVE-2014-8106.patch 1970-01-01 03:00:00.000000000 +0300
+++ qemu-2.1+dfsg/debian/patches/cirrus-fix-blit-region-check-CVE-2014-8106.patch 2014-12-04 16:53:22.000000000 +0300
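Review bot: The new `cirrus_blt_width > CIRRUS_BLTBUFSIZE` guard is placed in blit_is_unsafe(), but the only callers of blit_is_unsafe() visible in this series are cirrus_bitblt_common_patterncopy(), cirrus_bitblt_solidfill() and cirrus_bitblt_videotovideo_copy(); the path that actually stages guest-supplied data into cirrus_bltbuf (the CPU-to-video blit) is outside the hunk, so it cannot be confirmed here that it reaches this check before the buffer is filled. If that entry point does not call blit_is_unsafe(), a guest-chosen width larger than the buffer would still be staged into cirrus_bltbuf before any blit is rejected, so it is worth verifying at the cputovideo setup and adding the call there if it is missing. The bare comparison would also read better with a one-line reason, e.g. `/* blits sourced from cirrus_bltbuf must not exceed its size */`, since nothing near the check names the buffer it protects. The enclosing function blit_is_unsafe() continues past the end of the hunk.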
@@ -0,0 +1,126 @@ +From d3532a0db02296e687711b8cdc7791924efccea0 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kra...@redhat.com> +Date: Wed, 19 Nov 2014 11:37:42 +0100 +Subject: cirrus: fix blit region check +Bug-Debian: http://bugs.debian.org/772025 + +Issues: + * Doesn't check pitches correctly in case it is negative. + * Doesn't check width at all. + +Turn macro into functions while being at it, also factor out the check +for one region which we then can simply call twice for src + dst. + +This is CVE-2014-8106. + +Reported-by: Paolo Bonzini <pbonz...@redhat.com> +Signed-off-by: Gerd Hoffmann <kra...@redhat.com> +Reviewed-by: Paolo Bonzini <pbonz...@redhat.com> +--- + hw/display/cirrus_vga.c | 61 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 44 insertions(+), 17 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 8a5b76c..d54fb06 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -173,20 +173,6 @@ + + #define CIRRUS_PNPMMIO_SIZE 0x1000 + +-#define BLTUNSAFE(s) \ +- ( \ +- ( /* check dst is within bounds */ \ +- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_dstpitch) \ +- + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \ +- (s)->vga.vram_size \ +- ) || \ +- ( /* check src is within bounds */ \ +- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_srcpitch) \ +- + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \ +- (s)->vga.vram_size \ +- ) \ +- ) +- + struct CirrusVGAState; + typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s, + uint8_t * dst, const uint8_t * src, +@@ -279,6 +265,46 @@ static void cirrus_update_memory_access(CirrusVGAState *s); + * + ***************************************/ + ++static bool blit_region_is_unsafe(struct CirrusVGAState *s, ++ int32_t pitch, int32_t addr) ++{ ++ if (pitch < 0) { ++ int64_t min = addr ++ + ((int64_t)s->cirrus_blt_height-1) * pitch; ++ int32_t max = addr ++ + s->cirrus_blt_width; ++ if (min < 0 || max >= s->vga.vram_size) { ++ 
return true; ++ } ++ } else { ++ int64_t max = addr ++ + ((int64_t)s->cirrus_blt_height-1) * pitch ++ + s->cirrus_blt_width; ++ if (max >= s->vga.vram_size) { ++ return true; ++ } ++ } ++ return false; ++} ++ ++static bool blit_is_unsafe(struct CirrusVGAState *s) ++{ ++ /* should be the case, see cirrus_bitblt_start */ ++ assert(s->cirrus_blt_width > 0); ++ assert(s->cirrus_blt_height > 0); ++ ++ if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, ++ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { ++ return true; ++ } ++ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, ++ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { ++ return true; ++ } ++ ++ return false; ++} ++ + static void cirrus_bitblt_rop_nop(CirrusVGAState *s, + uint8_t *dst,const uint8_t *src, + int dstpitch,int srcpitch, +@@ -636,7 +662,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, + + dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + +- if (BLTUNSAFE(s)) ++ if (blit_is_unsafe(s)) + return 0; + + (*s->cirrus_rop) (s, dst, src, +@@ -654,8 +680,9 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) + { + cirrus_fill_t rop_func; + +- if (BLTUNSAFE(s)) ++ if (blit_is_unsafe(s)) { + return 0; ++ } + rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; + rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->cirrus_blt_dstpitch, +@@ -752,7 +779,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + + static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) + { +- if (BLTUNSAFE(s)) ++ if (blit_is_unsafe(s)) + return 0; + + cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, +-- +1.7.10.4 + diff -Nru qemu-2.1+dfsg/debian/patches/series qemu-2.1+dfsg/debian/patches/series --- qemu-2.1+dfsg/debian/patches/series 2014-11-27 18:31:16.000000000 +0300 +++ qemu-2.1+dfsg/debian/patches/series 2014-12-04 16:53:22.000000000 +0300 
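Review bot: In the negative-pitch branch of blit_region_is_unsafe(), `max` is computed as `addr + s->cirrus_blt_width`, so the row is assumed to extend upward from addr, while `min` subtracts only the pitch and never the width. If a negative pitch means the blitter walks each row backward from addr (the backward rop variants are not in this hunk, so this is inferred and needs confirming), the lowest byte touched is `addr + (height-1)*pitch - (width-1)`, which this check never bounds, and the upper bound is simply addr itself; the branch would then read `int64_t min = addr + ((int64_t)s->cirrus_blt_height - 1) * pitch - (s->cirrus_blt_width - 1);` followed by `if (min < 0 || addr >= s->vga.vram_size) { return true; }`. Two smaller points on the same function: `max` is one past the last byte accessed, so `max >= s->vga.vram_size` rejects a blit that ends exactly at the end of VRAM (harmless, but one stricter than the comment-free code suggests), and the negative branch declares `int32_t max` while the positive branch uses `int64_t`, which invites an avoidable signed-overflow question on 32-bit addr plus width. The three call-site hunks below cut through cirrus_bitblt_common_patterncopy(), cirrus_bitblt_solidfill() and cirrus_bitblt_videotovideo_copy(), whose bodies start or end outside the hunk.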
@@ -29,3 +29,6 @@
usb-host-fix-usb_host_speed_compat-tyops.patch
xen_disk-fix-unmapping-of-persistent-grants.patch
qdev-monitor-fix-segmentation-fault-on-qdev_device_h.patch
+
+cirrus-fix-blit-region-check-CVE-2014-8106.patch
+cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf-CVE-2014-8106.patch
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org