Merge branch 'master' into staging

author: Marius Bakke <mbakke@fastmail.com> 2020-02-05 22:08:06 +0100
committer: Marius Bakke <mbakke@fastmail.com> 2020-02-05 22:08:06 +0100
commit: f10921c5ade56534633eae0da94da6e81aacc2aa (patch)
tree: 599d0256cc509f47a3e75ea1214d5374de51eee8 /gnu/packages/patches
parent: 0a83339bb1429332ee889e9a976aa214ae2ac0db (diff)
parent: 9d0dfd9a9a7c43363a4e140c20d49f119fe6f2e3 (diff)
download: guix-f10921c5ade56534633eae0da94da6e81aacc2aa.tar
guix-f10921c5ade56534633eae0da94da6e81aacc2aa.tar.gz
2 files changed, 75 insertions, 6 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2020-1711.patch b/gnu/packages/patches/qemu-CVE-2020-1711.patch
new file mode 100644
index 0000000000..32d04f61dd
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2020-1711.patch
@@ -0,0 +1,69 @@
+Fix CVE-2020-1711:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1711
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc
+
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+     struct scsi_get_lba_status *lbas = NULL;
+     struct scsi_lba_status_descriptor *lbasd = NULL;
+     struct IscsiTask iTask;
+-    uint64_t lba;
++    uint64_t lba, max_bytes;
+     int ret;
+ 
+     iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+     }
+ 
+     lba = offset / iscsilun->block_size;
++    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+ 
+     qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+         goto out_unlock;
+     }
+ 
+-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+ 
+     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+-- 
+2.25.0
+
diff --git a/gnu/packages/patches/sbcl-graph-asdf-definitions.patch b/gnu/packages/patches/sbcl-graph-asdf-definitions.patch
index a528ccfcc6..ec17949675 100644
--- a/gnu/packages/patches/sbcl-graph-asdf-definitions.patch
+++ b/gnu/packages/patches/sbcl-graph-asdf-definitions.patch
@@ -24,11 +24,11 @@ index 193b6e3..56afc8f 100644
 -(register-system-packages "femlisp-matlisp" '(:fl.matlisp))
 +               cl-heap)
 +  :components ((:file "graph")))
-diff --git a/graph.dot.asd b/graph.dot.asd
+diff --git a/graph-dot.asd b/graph-dot.asd
 new file mode 100644
 index 0000000..12aec7e
 --- /dev/null
-+++ b/graph.dot.asd
++++ b/graph-dot.asd
 @@ -0,0 +1,8 @@
 +(defsystem :graph-dot
 +  :depends-on (alexandria
@@ -38,11 +38,11 @@ index 0000000..12aec7e
 +               cl-ppcre
 +               graph)
 +  :components ((:file "dot")))
-diff --git a/graph.json.asd b/graph.json.asd
+diff --git a/graph-json.asd b/graph-json.asd
 new file mode 100644
 index 0000000..e7d091f
 --- /dev/null
-+++ b/graph.json.asd
++++ b/graph-json.asd
 @@ -0,0 +1,8 @@
 +(defsystem :graph-json
 +  :depends-on (alexandria
@@ -52,11 +52,11 @@ index 0000000..e7d091f
 +               yason
 +               graph)
 +  :components ((:file "json")))
-diff --git a/graph.test.asd b/graph.test.asd
+diff --git a/graph-test.asd b/graph-test.asd
 new file mode 100644
 index 0000000..1e811e1
 --- /dev/null
-+++ b/graph.test.asd
++++ b/graph-test.asd
 @@ -0,0 +1,10 @@
 +(defsystem :graph-test
 +  :depends-on (alexandria
author	Marius Bakke <mbakke@fastmail.com>	2020-02-05 22:08:06 +0100
committer	Marius Bakke <mbakke@fastmail.com>	2020-02-05 22:08:06 +0100
commit	f10921c5ade56534633eae0da94da6e81aacc2aa (patch)
tree	599d0256cc509f47a3e75ea1214d5374de51eee8 /gnu/packages/patches
parent	0a83339bb1429332ee889e9a976aa214ae2ac0db (diff)
parent	9d0dfd9a9a7c43363a4e140c20d49f119fe6f2e3 (diff)
download	guix-f10921c5ade56534633eae0da94da6e81aacc2aa.tar guix-f10921c5ade56534633eae0da94da6e81aacc2aa.tar.gz