diff options
| -rw-r--r-- | gnu/local.mk | 12 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-10664.patch | 27 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-10806.patch | 38 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-10911.patch | 106 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-11334.patch | 52 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-11434.patch | 25 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-12809.patch | 38 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-7493.patch | 182 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8112.patch | 41 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8309.patch | 46 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8379.patch | 98 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8380.patch | 53 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-9524.patch | 287 | ||||
| -rw-r--r-- | gnu/packages/virtualization.scm | 18 |
14 files changed, 3 insertions, 1020 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 306a16911d..9207966859 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -971,18 +971,6 @@ dist_patch_DATA = \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ - %D%/packages/patches/qemu-CVE-2017-7493.patch \ - %D%/packages/patches/qemu-CVE-2017-8112.patch \ - %D%/packages/patches/qemu-CVE-2017-8309.patch \ - %D%/packages/patches/qemu-CVE-2017-8379.patch \ - %D%/packages/patches/qemu-CVE-2017-8380.patch \ - %D%/packages/patches/qemu-CVE-2017-9524.patch \ - %D%/packages/patches/qemu-CVE-2017-10664.patch \ - %D%/packages/patches/qemu-CVE-2017-10806.patch \ - %D%/packages/patches/qemu-CVE-2017-10911.patch \ - %D%/packages/patches/qemu-CVE-2017-11334.patch \ - %D%/packages/patches/qemu-CVE-2017-11434.patch \ - %D%/packages/patches/qemu-CVE-2017-12809.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ %D%/packages/patches/quagga-reproducible-build.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch b/gnu/packages/patches/qemu-CVE-2017-10664.patch deleted file mode 100644 index 2b60de3dca..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-10664.patch +++ /dev/null @@ -1,27 +0,0 @@ -Fix CVE-2017-10664: - -https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html -https://bugzilla.redhat.com/show_bug.cgi?id=1466190 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664 -https://security-tracker.debian.org/tracker/CVE-2017-10664 - -Patch copied from upstream source repository: - -https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1 - -diff --git a/qemu-nbd.c b/qemu-nbd.c -index 9464a0461c..4dd3fd4732 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -581,6 +581,10 @@ int main(int argc, char **argv) - sa_sigterm.sa_handler = termsig_handler; - sigaction(SIGTERM, &sa_sigterm, NULL); - -+#ifdef CONFIG_POSIX -+ signal(SIGPIPE, SIG_IGN); -+#endif -+ - module_call_init(MODULE_INIT_TRACE); - qcrypto_init(&error_fatal); - - diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch b/gnu/packages/patches/qemu-CVE-2017-10806.patch deleted file mode 100644 index ebf782fe7b..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-10806.patch +++ /dev/null @@ -1,38 +0,0 @@ -Fix CVE-2017-10806: - -https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html -https://bugzilla.redhat.com/show_bug.cgi?id=1468496 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806 -https://security-tracker.debian.org/tracker/CVE-2017-10806 - -Patch copied from upstream source repository: - -https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d - -diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c -index b001a27f05..ad5ef783a6 100644 ---- a/hw/usb/redirect.c -+++ b/hw/usb/redirect.c -@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg) - static void usbredir_log_data(USBRedirDevice *dev, const char *desc, - const uint8_t *data, int len) - { -- int i, j, n; -- - if (dev->debug < usbredirparser_debug_data) { - return; - } -- -- for (i = 0; i < len; i += j) { -- char buf[128]; -- -- n = sprintf(buf, "%s", desc); -- for (j = 0; j < 8 && i + j < len; j++) { -- n += sprintf(buf + n, " %02X", data[i + j]); -- } -- error_report("%s", buf); -- } -+ qemu_hexdump((char *)data, stderr, desc, len); - } - - /* diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch deleted file mode 100644 index 1dcb860a2d..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-10911.patch +++ /dev/null @@ -1,106 +0,0 @@ -Fix CVE-2017-10911: - -https://xenbits.xen.org/xsa/advisory-216.html -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911 -https://security-tracker.debian.org/tracker/CVE-2017-10911 - -Patch copied from Xen Security Advisory: - -https://xenbits.xen.org/xsa/xsa216-qemuu.patch - ---- a/hw/block/xen_blkif.h -+++ b/hw/block/xen_blkif.h -@@ -14,9 +14,6 @@ - struct blkif_common_request { - char dummy; - }; --struct blkif_common_response { -- char dummy; --}; - - /* i386 protocol version */ - #pragma pack(push, 4) -@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard { - blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */ - uint64_t nr_sectors; /* # of contiguous sectors to discard */ - }; --struct blkif_x86_32_response { -- uint64_t id; /* copied from request */ -- uint8_t operation; /* copied from request */ -- int16_t status; /* BLKIF_RSP_??? */ --}; - typedef struct blkif_x86_32_request blkif_x86_32_request_t; --typedef struct blkif_x86_32_response blkif_x86_32_response_t; - #pragma pack(pop) - - /* x86_64 protocol version */ -@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard { - blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */ - uint64_t nr_sectors; /* # of contiguous sectors to discard */ - }; --struct blkif_x86_64_response { -- uint64_t __attribute__((__aligned__(8))) id; -- uint8_t operation; /* copied from request */ -- int16_t status; /* BLKIF_RSP_??? */ --}; - typedef struct blkif_x86_64_request blkif_x86_64_request_t; --typedef struct blkif_x86_64_response blkif_x86_64_response_t; - - DEFINE_RING_TYPES(blkif_common, struct blkif_common_request, -- struct blkif_common_response); -+ struct blkif_response); - DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request, -- struct blkif_x86_32_response); -+ struct blkif_response QEMU_PACKED); - DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request, -- struct blkif_x86_64_response); -+ struct blkif_response); - - union blkif_back_rings { - blkif_back_ring_t native; ---- a/hw/block/xen_disk.c -+++ b/hw/block/xen_disk.c -@@ -769,31 +769,30 @@ static int blk_send_response_one(struct - struct XenBlkDev *blkdev = ioreq->blkdev; - int send_notify = 0; - int have_requests = 0; -- blkif_response_t resp; -- void *dst; -- -- resp.id = ioreq->req.id; -- resp.operation = ioreq->req.operation; -- resp.status = ioreq->status; -+ blkif_response_t *resp; - - /* Place on the response ring for the relevant domain. */ - switch (blkdev->protocol) { - case BLKIF_PROTOCOL_NATIVE: -- dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.native, -+ blkdev->rings.native.rsp_prod_pvt); - break; - case BLKIF_PROTOCOL_X86_32: -- dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part, -- blkdev->rings.x86_32_part.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part, -+ blkdev->rings.x86_32_part.rsp_prod_pvt); - break; - case BLKIF_PROTOCOL_X86_64: -- dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part, -- blkdev->rings.x86_64_part.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part, -+ blkdev->rings.x86_64_part.rsp_prod_pvt); - break; - default: -- dst = NULL; - return 0; - } -- memcpy(dst, &resp, sizeof(resp)); -+ -+ resp->id = ioreq->req.id; -+ resp->operation = ioreq->req.operation; -+ resp->status = ioreq->status; -+ - blkdev->rings.common.rsp_prod_pvt++; - - RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify); diff --git a/gnu/packages/patches/qemu-CVE-2017-11334.patch b/gnu/packages/patches/qemu-CVE-2017-11334.patch deleted file mode 100644 index cb68c803aa..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-11334.patch +++ /dev/null @@ -1,52 +0,0 @@ -Fix CVE-2017-11334: - -https://bugzilla.redhat.com/show_bug.cgi?id=1471638 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11334 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 - -From 04bf2526ce87f21b32c9acba1c5518708c243ad0 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Wed, 12 Jul 2017 18:08:40 +0530 -Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram - -When accessing guest's ram block during DMA operation, use -'qemu_ram_ptr_length' to get ram block pointer. It ensures -that DMA operation of given length is possible; And avoids -any OOB memory access situations. - -Reported-by: Alex <broscutamaker@gmail.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-Id: <20170712123840.29328-1-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - exec.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/exec.c b/exec.c -index a083ff89ad..ad103ce483 100644 ---- a/exec.c -+++ b/exec.c -@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, - } - } else { - /* RAM case */ -- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); -+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); - memcpy(ptr, buf, l); - invalidate_and_set_dirty(mr, addr1, l); - } -@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, - } - } else { - /* RAM case */ -- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); -+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); - memcpy(buf, ptr, l); - } - --- -2.13.3 - diff --git a/gnu/packages/patches/qemu-CVE-2017-11434.patch b/gnu/packages/patches/qemu-CVE-2017-11434.patch deleted file mode 100644 index 4da701a73d..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-11434.patch +++ /dev/null @@ -1,25 +0,0 @@ -Fix CVE-2017-11434: - -https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html -https://bugzilla.redhat.com/show_bug.cgi?id=1472611 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434 -https://security-tracker.debian.org/tracker/CVE-2017-11434 - -Patch copied from upstream source repository: - -https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0 - -diff --git a/slirp/bootp.c b/slirp/bootp.c -index 5a4646c182..5dd1a415b5 100644 ---- a/slirp/bootp.c -+++ b/slirp/bootp.c -@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, - if (p >= p_end) - break; - len = *p++; -+ if (p + len > p_end) { -+ break; -+ } - DPRINTF("dhcp: tag=%d len=%d\n", tag, len); - - switch(tag) { diff --git a/gnu/packages/patches/qemu-CVE-2017-12809.patch b/gnu/packages/patches/qemu-CVE-2017-12809.patch deleted file mode 100644 index e40a14b4e0..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-12809.patch +++ /dev/null @@ -1,38 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/21/2 -https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html - -The block backend changed in a way that flushing empty CDROM drives now -crashes. Amend IDE to avoid doing so until the root problem can be -addressed for 2.11. - -Original patch by John Snow <address@hidden>. - -Reported-by: Kieron Shorrock <address@hidden> -Signed-off-by: Stefan Hajnoczi <address@hidden> ---- - hw/ide/core.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 0b48b64d3a..bea39536b0 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -1063,7 +1063,15 @@ static void ide_flush_cache(IDEState *s) - s->status |= BUSY_STAT; - ide_set_retry(s); - block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH); -- s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s); -+ -+ if (blk_bs(s->blk)) { -+ s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s); -+ } else { -+ /* XXX blk_aio_flush() crashes when blk_bs(blk) is NULL, remove this -+ * temporary workaround when blk_aio_*() functions handle NULL blk_bs. -+ */ -+ ide_flush_cb(s, 0); -+ } - } - - static void ide_cfata_metadata_inquiry(IDEState *s) --- -2.13.3 diff --git a/gnu/packages/patches/qemu-CVE-2017-7493.patch b/gnu/packages/patches/qemu-CVE-2017-7493.patch deleted file mode 100644 index 67b26fad81..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-7493.patch +++ /dev/null @@ -1,182 +0,0 @@ -Fix CVE-2017-7493: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7493 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commit;h=7a95434e0ca8a037fd8aa1a2e2461f92585eb77b - -From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001 -From: Greg Kurz <groug@kaod.org> -Date: Fri, 5 May 2017 14:48:08 +0200 -Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493) - -When using the mapped-file security mode, we shouldn't let the client mess -with the metadata. The current code already tries to hide the metadata dir -from the client by skipping it in local_readdir(). But the client can still -access or modify it through several other operations. This can be used to -escalate privileges in the guest. - -Affected backend operations are: -- local_mknod() -- local_mkdir() -- local_open2() -- local_symlink() -- local_link() -- local_unlinkat() -- local_renameat() -- local_rename() -- local_name_to_path() - -Other operations are safe because they are only passed a fid path, which -is computed internally in local_name_to_path(). - -This patch converts all the functions listed above to fail and return -EINVAL when being passed the name of the metadata dir. This may look -like a poor choice for errno, but there's no such thing as an illegal -path name on Linux and I could not think of anything better. - -This fixes CVE-2017-7493. - -Reported-by: Leo Gaspard <leo@gaspard.io> -Signed-off-by: Greg Kurz <groug@kaod.org> -Reviewed-by: Eric Blake <eblake@redhat.com> ---- - hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 56 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c -index f3ebca4f7a..a2486566af 100644 ---- a/hw/9pfs/9p-local.c -+++ b/hw/9pfs/9p-local.c -@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs) - return telldir(fs->dir.stream); - } - -+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name) -+{ -+ return !strcmp(name, VIRTFS_META_DIR); -+} -+ - static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs) - { - struct dirent *entry; -@@ -465,8 +470,8 @@ again: - if (ctx->export_flags & V9FS_SM_MAPPED) { - entry->d_type = DT_UNKNOWN; - } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { -- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) { -- /* skp the meta data directory */ -+ if (local_is_mapped_file_metadata(ctx, entry->d_name)) { -+ /* skip the meta data directory */ - goto again; - } - entry->d_type = DT_UNKNOWN; -@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - /* - * Mark all the open to not follow symlinks - */ -@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, - int ret = -1; - int odirfd, ndirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - odirfd = local_opendir_nofollow(ctx, odirpath); - if (odirfd == -1) { - goto out; -@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path, - static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, - const char *name, V9fsPath *target) - { -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - if (dir_path) { - v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); - } else if (strcmp(name, "/")) { -@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir, - int ret; - int odirfd, ndirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ (local_is_mapped_file_metadata(ctx, old_name) || -+ local_is_mapped_file_metadata(ctx, new_name))) { -+ errno = EINVAL; -+ return -1; -+ } -+ - odirfd = local_opendir_nofollow(ctx, olddir->data); - if (odirfd == -1) { - return -1; -@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir, - int ret; - int dirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(ctx, dir->data); - if (dirfd == -1) { - return -1; --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-8112.patch b/gnu/packages/patches/qemu-CVE-2017-8112.patch deleted file mode 100644 index 88b33aa2f0..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8112.patch +++ /dev/null @@ -1,41 +0,0 @@ -Fix CVE-2017-8112: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e - -From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001 -From: P J P <ppandit@redhat.com> -Date: Tue, 25 Apr 2017 18:36:23 +0530 -Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation - -A guest could set the message ring page count to zero, resulting in -infinite loop. Add check to avoid it. - -Reported-by: YY Z <bigbird475958471@gmail.com> -Signed-off-by: P J P <ppandit@redhat.com> -Message-Id: <20170425130623.3649-1-ppandit@redhat.com> -Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/scsi/vmw_pvscsi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 75575461e2..4a106da856 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) - uint32_t len_log2; - uint32_t ring_size; - -- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { -+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { - return -1; - } - ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-8309.patch b/gnu/packages/patches/qemu-CVE-2017-8309.patch deleted file mode 100644 index dc4b4006b7..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8309.patch +++ /dev/null @@ -1,46 +0,0 @@ -Fix CVE-2017-8309: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a - -From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Fri, 28 Apr 2017 09:56:12 +0200 -Subject: [PATCH] audio: release capture buffers - -AUD_add_capture() allocates two buffers which are never released. -Add the missing calls to AUD_del_capture(). - -Impact: Allows vnc clients to exhaust host memory by repeatedly -starting and stopping audio capture. - -Fixes: CVE-2017-8309 -Cc: P J P <ppandit@redhat.com> -Cc: Huawei PSIRT <PSIRT@huawei.com> -Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-id: 20170428075612.9997-1-kraxel@redhat.com ---- - audio/audio.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/audio/audio.c b/audio/audio.c -index c8898d8422..beafed209b 100644 ---- a/audio/audio.c -+++ b/audio/audio.c -@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) - sw = sw1; - } - QLIST_REMOVE (cap, entries); -+ g_free (cap->hw.mix_buf); -+ g_free (cap->buf); - g_free (cap); - } - return; --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch deleted file mode 100644 index 200b133d3e..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8379.patch +++ /dev/null @@ -1,98 +0,0 @@ -Fix CVE-2017-8379: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc - -From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Fri, 28 Apr 2017 10:42:37 +0200 -Subject: [PATCH] input: limit kbd queue depth - -Apply a limit to the number of items we accept into the keyboard queue. - -Impact: Without this limit vnc clients can exhaust host memory by -sending keyboard events faster than qemu feeds them to the guest. - -Fixes: CVE-2017-8379 -Cc: P J P <ppandit@redhat.com> -Cc: Huawei PSIRT <PSIRT@huawei.com> -Reported-by: jiangxin1@huawei.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-id: 20170428084237.23960-1-kraxel@redhat.com ---- - ui/input.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/ui/input.c b/ui/input.c -index ed88cda6d6..fb1f404095 100644 ---- a/ui/input.c -+++ b/ui/input.c -@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue = - QTAILQ_HEAD_INITIALIZER(kbd_queue); - static QEMUTimer *kbd_timer; - static uint32_t kbd_default_delay_ms = 10; -+static uint32_t queue_count; -+static uint32_t queue_limit = 1024; - - QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev, - QemuInputHandler *handler) -@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque) - break; - } - QTAILQ_REMOVE(queue, item, node); -+ queue_count--; - g_free(item); - } - } -@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue, - item->delay_ms = delay_ms; - item->timer = timer; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - - if (start_timer) { - timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) -@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue, - item->src = src; - item->evt = evt; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - } - - static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) -@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) - - item->type = QEMU_INPUT_QUEUE_SYNC; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - } - - void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt) -@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down) - qemu_input_event_send(src, evt); - qemu_input_event_sync(); - qapi_free_InputEvent(evt); -- } else { -+ } else if (queue_count < queue_limit) { - qemu_input_queue_event(&kbd_queue, src, evt); - qemu_input_queue_sync(&kbd_queue); - } -@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms) - kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process, - &kbd_queue); - } -- qemu_input_queue_delay(&kbd_queue, kbd_timer, -- delay_ms ? delay_ms : kbd_default_delay_ms); -+ if (queue_count < queue_limit) { -+ qemu_input_queue_delay(&kbd_queue, kbd_timer, -+ delay_ms ? delay_ms : kbd_default_delay_ms); -+ } - } - - InputEvent *qemu_input_event_new_btn(InputButton btn, bool down) --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-8380.patch b/gnu/packages/patches/qemu-CVE-2017-8380.patch deleted file mode 100644 index 65e49fc885..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8380.patch +++ /dev/null @@ -1,53 +0,0 @@ -Fix CVE-2017-8380: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f - -From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Mon, 24 Apr 2017 17:36:34 +0530 -Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write - -While reading magic sequence(MFI_SEQ) in megasas_mmio_write, -an off-by-one error could occur as 's->adp_reset' index is not -reset after reading the last sequence. - -Reported-by: YY Z <bigbird475958471@gmail.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-Id: <20170424120634.12268-1-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/scsi/megasas.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 84b8caf901..804122ab05 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr, - case MFI_SEQ: - trace_megasas_mmio_writel("MFI_SEQ", val); - /* Magic sequence to start ADP reset */ -- if (adp_reset_seq[s->adp_reset] == val) { -- s->adp_reset++; -+ if (adp_reset_seq[s->adp_reset++] == val) { -+ if (s->adp_reset == 6) { -+ s->adp_reset = 0; -+ s->diag = MFI_DIAG_WRITE_ENABLE; -+ } - } else { - s->adp_reset = 0; - s->diag = 0; - } -- if (s->adp_reset == 6) { -- s->diag = MFI_DIAG_WRITE_ENABLE; -- } - break; - case MFI_DIAG: - trace_megasas_mmio_writel("MFI_DIAG", val); --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-9524.patch b/gnu/packages/patches/qemu-CVE-2017-9524.patch deleted file mode 100644 index 57160055e3..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-9524.patch +++ /dev/null @@ -1,287 +0,0 @@ -Fix CVE-2017-9524: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9524 -http://seclists.org/oss-sec/2017/q2/454 - -Patches copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0c9390d978cbf61e8f16c9f580fa96b305c43568 - -From df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af Mon Sep 17 00:00:00 2001 -From: Eric Blake <eblake@redhat.com> -Date: Fri, 26 May 2017 22:04:21 -0500 -Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation - -If a non-NBD client connects to qemu-nbd, we would end up with -a SIGSEGV in nbd_client_put() because we were trying to -unregister the client's association to the export, even though -we skipped inserting the client into that list. Easy trigger -in two terminals: - -$ qemu-nbd -p 30001 --format=raw file -$ nmap 127.0.0.1 -p 30001 - -nmap claims that it thinks it connected to a pago-services1 -server (which probably means nmap could be updated to learn the -NBD protocol and give a more accurate diagnosis of the open -port - but that's not our problem), then terminates immediately, -so our call to nbd_negotiate() fails. The fix is to reorder -nbd_co_client_start() to ensure that all initialization occurs -before we ever try talking to a client in nbd_negotiate(), so -that the teardown sequence on negotiation failure doesn't fault -while dereferencing a half-initialized object. - -While debugging this, I also noticed that nbd_update_server_watch() -called by nbd_client_closed() was still adding a channel to accept -the next client, even when the state was no longer RUNNING. That -is fixed by making nbd_can_accept() pay attention to the current -state. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 - -Signed-off-by: Eric Blake <eblake@redhat.com> -Message-Id: <20170527030421.28366-1-eblake@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - nbd/server.c | 8 +++----- - qemu-nbd.c | 2 +- - 2 files changed, 4 insertions(+), 6 deletions(-) - -diff --git a/nbd/server.c b/nbd/server.c -index ee59e5d234..49b55f6ede 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -1358,16 +1358,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque) - - if (exp) { - nbd_export_get(exp); -+ QTAILQ_INSERT_TAIL(&exp->clients, client, next); - } -+ qemu_co_mutex_init(&client->send_lock); -+ - if (nbd_negotiate(data)) { - client_close(client); - goto out; - } -- qemu_co_mutex_init(&client->send_lock); -- -- if (exp) { -- QTAILQ_INSERT_TAIL(&exp->clients, client, next); -- } - - nbd_client_receive_next_request(client); - -diff --git a/qemu-nbd.c b/qemu-nbd.c -index f60842fd86..651f85ecc1 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -325,7 +325,7 @@ out: - - static int nbd_can_accept(void) - { -- return nb_fds < shared; -+ return state == RUNNING && nb_fds < shared; - } - - static void nbd_export_closed(NBDExport *exp) --- -2.13.1 - -From 0c9390d978cbf61e8f16c9f580fa96b305c43568 Mon Sep 17 00:00:00 2001 -From: Eric Blake <eblake@redhat.com> -Date: Thu, 8 Jun 2017 17:26:17 -0500 -Subject: [PATCH] nbd: Fix regression on resiliency to port scan - -Back in qemu 2.5, qemu-nbd was immune to port probes (a transient -server would not quit, regardless of how many probe connections -came and went, until a connection actually negotiated). But we -broke that in commit ee7d7aa when removing the return value to -nbd_client_new(), although that patch also introduced a bug causing -an assertion failure on a client that fails negotiation. We then -made it worse during refactoring in commit 1a6245a (a segfault -before we could even assert); the (masked) assertion was cleaned -up in d3780c2 (still in 2.6), and just recently we finally fixed -the segfault ("nbd: Fully intialize client in case of failed -negotiation"). But that still means that ever since we added -TLS support to qemu-nbd, we have been vulnerable to an ill-timed -port-scan being able to cause a denial of service by taking down -qemu-nbd before a real client has a chance to connect. - -Since negotiation is now handled asynchronously via coroutines, -we no longer have a synchronous point of return by re-adding a -return value to nbd_client_new(). So this patch instead wires -things up to pass the negotiation status through the close_fn -callback function. - -Simple test across two terminals: -$ qemu-nbd -f raw -p 30001 file -$ nmap 127.0.0.1 -p 30001 && \ - qemu-io -c 'r 0 512' -f raw nbd://localhost:30001 - -Note that this patch does not change what constitutes successful -negotiation (thus, a client must enter transmission phase before -that client can be considered as a reason to terminate the server -when the connection ends). Perhaps we may want to tweak things -in a later patch to also treat a client that uses NBD_OPT_ABORT -as being a 'successful' negotiation (the client correctly talked -the NBD protocol, and informed us it was not going to use our -export after all), but that's a discussion for another day. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 - -Signed-off-by: Eric Blake <eblake@redhat.com> -Message-Id: <20170608222617.20376-1-eblake@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - blockdev-nbd.c | 6 +++++- - include/block/nbd.h | 2 +- - nbd/server.c | 24 +++++++++++++++--------- - qemu-nbd.c | 4 ++-- - 4 files changed, 23 insertions(+), 13 deletions(-) - -diff --git a/blockdev-nbd.c b/blockdev-nbd.c -index dd0860f4a6..28f551a7b0 100644 ---- a/blockdev-nbd.c -+++ b/blockdev-nbd.c -@@ -27,6 +27,10 @@ typedef struct NBDServerData { - - static NBDServerData *nbd_server; - -+static void nbd_blockdev_client_closed(NBDClient *client, bool ignored) -+{ -+ nbd_client_put(client); -+} - - static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, - gpointer opaque) -@@ -46,7 +50,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, - qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server"); - nbd_client_new(NULL, cioc, - nbd_server->tlscreds, NULL, -- nbd_client_put); -+ nbd_blockdev_client_closed); - object_unref(OBJECT(cioc)); - return TRUE; - } -diff --git a/include/block/nbd.h b/include/block/nbd.h -index 416257abca..8fa5ce51f3 100644 ---- a/include/block/nbd.h -+++ b/include/block/nbd.h -@@ -162,7 +162,7 @@ void nbd_client_new(NBDExport *exp, - QIOChannelSocket *sioc, - QCryptoTLSCreds *tlscreds, - const char *tlsaclname, -- void (*close)(NBDClient *)); -+ void (*close_fn)(NBDClient *, bool)); - void nbd_client_get(NBDClient *client); - void nbd_client_put(NBDClient *client); - -diff --git a/nbd/server.c b/nbd/server.c -index 49b55f6ede..f2b1aa47ce 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -81,7 +81,7 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports); - - struct NBDClient { - int refcount; -- void (*close)(NBDClient *client); -+ void (*close_fn)(NBDClient *client, bool negotiated); - - bool no_zeroes; - NBDExport *exp; -@@ -778,7 +778,7 @@ void nbd_client_put(NBDClient *client) - } - } - --static void client_close(NBDClient *client) -+static void client_close(NBDClient *client, bool negotiated) - { - if (client->closing) { - return; -@@ -793,8 +793,8 @@ static void client_close(NBDClient *client) - NULL); - - /* Also tell the client, so that they release their reference. */ -- if (client->close) { -- client->close(client); -+ if (client->close_fn) { -+ client->close_fn(client, negotiated); - } - } - -@@ -975,7 +975,7 @@ void nbd_export_close(NBDExport *exp) - - nbd_export_get(exp); - QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) { -- client_close(client); -+ client_close(client, true); - } - nbd_export_set_name(exp, NULL); - nbd_export_set_description(exp, NULL); -@@ -1337,7 +1337,7 @@ done: - - out: - nbd_request_put(req); -- client_close(client); -+ client_close(client, true); - nbd_client_put(client); - } - -@@ -1363,7 +1363,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque) - qemu_co_mutex_init(&client->send_lock); - - if (nbd_negotiate(data)) { -- client_close(client); -+ client_close(client, false); - goto out; - } - -@@ -1373,11 +1373,17 @@ out: - g_free(data); - } - -+/* -+ * Create a new client listener on the given export @exp, using the -+ * given channel @sioc. Begin servicing it in a coroutine. When the -+ * connection closes, call @close_fn with an indication of whether the -+ * client completed negotiation. -+ */ - void nbd_client_new(NBDExport *exp, - QIOChannelSocket *sioc, - QCryptoTLSCreds *tlscreds, - const char *tlsaclname, -- void (*close_fn)(NBDClient *)) -+ void (*close_fn)(NBDClient *, bool)) - { - NBDClient *client; - NBDClientNewData *data = g_new(NBDClientNewData, 1); -@@ -1394,7 +1400,7 @@ void nbd_client_new(NBDExport *exp, - object_ref(OBJECT(client->sioc)); - client->ioc = QIO_CHANNEL(sioc); - object_ref(OBJECT(client->ioc)); -- client->close = close_fn; -+ client->close_fn = close_fn; - - data->client = client; - data->co = qemu_coroutine_create(nbd_co_client_start, data); -diff --git a/qemu-nbd.c b/qemu-nbd.c -index 651f85ecc1..9464a0461c 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -336,10 +336,10 @@ static void nbd_export_closed(NBDExport *exp) - - static void nbd_update_server_watch(void); - --static void nbd_client_closed(NBDClient *client) -+static void nbd_client_closed(NBDClient *client, bool negotiated) - { - nb_fds--; -- if (nb_fds == 0 && !persistent && state == RUNNING) { -+ if (negotiated && nb_fds == 0 && !persistent && state == RUNNING) { - state = TERMINATE; - } - nbd_update_server_watch(); --- -2.13.1 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index d06c55bd57..32d10dcf82 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -72,26 +72,14 @@ (define-public qemu (package (name "qemu") - (version "2.9.0") + (version "2.10.0") (source (origin (method url-fetch) - (uri (string-append "http://wiki.qemu-project.org/download/qemu-" + (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2017-7493.patch" - "qemu-CVE-2017-8112.patch" - "qemu-CVE-2017-8309.patch" - "qemu-CVE-2017-8379.patch" - "qemu-CVE-2017-8380.patch" - "qemu-CVE-2017-9524.patch" - "qemu-CVE-2017-10664.patch" - "qemu-CVE-2017-10806.patch" - "qemu-CVE-2017-10911.patch" - "qemu-CVE-2017-11334.patch" - "qemu-CVE-2017-11434.patch" - "qemu-CVE-2017-12809.patch")) (sha256 (base32 - "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h")))) + "0dgk7zcni41nf1jp84y0m6dk2nb4frnh571m8hkiv0m4hz4imn2m")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: |