diff options
-rw-r--r-- | gnu/local.mk | 5 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2020-1711.patch | 69 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2020-7039.patch | 173 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2020-7211.patch | 49 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2020-8608.patch | 269 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-fix-documentation-build-failure.patch | 43 | ||||
-rw-r--r-- | gnu/packages/virtualization.scm | 38 |
7 files changed, 22 insertions, 624 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 722ccba746..a7ccec5e0b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1434,11 +1434,6 @@ dist_patch_DATA = \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ - %D%/packages/patches/qemu-CVE-2020-1711.patch \ - %D%/packages/patches/qemu-CVE-2020-7039.patch \ - %D%/packages/patches/qemu-CVE-2020-7211.patch \ - %D%/packages/patches/qemu-CVE-2020-8608.patch \ - %D%/packages/patches/qemu-fix-documentation-build-failure.patch \ %D%/packages/patches/qrcodegen-cpp-make-install.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-moc-ignore-gcc-macro.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2020-1711.patch b/gnu/packages/patches/qemu-CVE-2020-1711.patch deleted file mode 100644 index 32d04f61dd..0000000000 --- a/gnu/packages/patches/qemu-CVE-2020-1711.patch +++ /dev/null @@ -1,69 +0,0 @@ -Fix CVE-2020-1711: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1711 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc - -From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001 -From: Felipe Franciosi <felipe@nutanix.com> -Date: Thu, 23 Jan 2020 12:44:59 +0000 -Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) - -When querying an iSCSI server for the provisioning status of blocks (via -GET LBA STATUS), Qemu only validates that the response descriptor zero's -LBA matches the one requested. Given the SCSI spec allows servers to -respond with the status of blocks beyond the end of the LUN, Qemu may -have its heap corrupted by clearing/setting too many bits at the end of -its allocmap for the LUN. - -A malicious guest in control of the iSCSI server could carefully program -Qemu's heap (by selectively setting the bitmap) and then smash it. - -This limits the number of bits that iscsi_co_block_status() will try to -update in the allocmap so it can't overflow the bitmap. - -Fixes: CVE-2020-1711 -Cc: qemu-stable@nongnu.org -Signed-off-by: Felipe Franciosi <felipe@nutanix.com> -Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com> -Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com> -Signed-off-by: Kevin Wolf <kwolf@redhat.com> ---- - block/iscsi.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/block/iscsi.c b/block/iscsi.c -index 2aea7e3f13..cbd57294ab 100644 ---- a/block/iscsi.c -+++ b/block/iscsi.c -@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, - struct scsi_get_lba_status *lbas = NULL; - struct scsi_lba_status_descriptor *lbasd = NULL; - struct IscsiTask iTask; -- uint64_t lba; -+ uint64_t lba, max_bytes; - int ret; - - iscsi_co_init_iscsitask(iscsilun, &iTask); -@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, - } - - lba = offset / iscsilun->block_size; -+ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size; - - qemu_mutex_lock(&iscsilun->mutex); - retry: -@@ -764,7 +765,7 @@ retry: - goto out_unlock; - } - -- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; -+ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes); - - if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || - lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) { --- -2.25.0 - diff --git a/gnu/packages/patches/qemu-CVE-2020-7039.patch b/gnu/packages/patches/qemu-CVE-2020-7039.patch deleted file mode 100644 index ffebda68ab..0000000000 --- a/gnu/packages/patches/qemu-CVE-2020-7039.patch +++ /dev/null @@ -1,173 +0,0 @@ -Fix CVE-2020-7039: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039 - -Patches copied from upstream dependency repository: - -https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289 -https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 -https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 - -From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001 -From: Samuel Thibault <samuel.thibault@ens-lyon.org> -Date: Wed, 8 Jan 2020 00:58:48 +0100 -Subject: [PATCH] tcp_emu: Fix oob access - -The main loop only checks for one available byte, while we sometimes -need two bytes. ---- - CHANGELOG.md | 1 + - src/tcp_subr.c | 7 +++++++ - 2 files changed, 8 insertions(+) - -#diff --git a/CHANGELOG.md b/CHANGELOG.md -#index 00d0ce2..5cf94a8 100644 -#--- a/CHANGELOG.md -#+++ b/CHANGELOG.md -#@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 -# ### Fixed -# -# - ncsi: fix checksum OOB memory access -#+ - `tcp_emu()`: fix OOB accesses -# -# ## [4.1.0] - 2019-12-02 -# -diff --git a/src/tcp_subr.c b/src/tcp_subr.c -index 382aa38..9c1bdec 100644 ---- a/slirp/src/tcp_subr.c -+++ b/slirp/src/tcp_subr.c -@@ -871,6 +871,9 @@ int tcp_emu(struct socket *so, struct mbuf *m) - break; - - case 5: -+ if (bptr == m->m_data + m->m_len - 1) -+ return 1; /* We need two bytes */ -+ - /* - * The difference between versions 1.0 and - * 2.0 is here. For future versions of -@@ -886,6 +889,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) - /* This is the field containing the port - * number that RA-player is listening to. - */ -+ -+ if (bptr == m->m_data + m->m_len - 1) -+ return 1; /* We need two bytes */ -+ - lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; - if (lport < 6970) - lport += 256; /* don't know why */ --- -2.24.1 - -From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Thu, 9 Jan 2020 15:12:27 +0530 -Subject: [PATCH] slirp: use correct size while emulating IRC commands - -While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size -'m->m_size' to write DCC commands via snprintf(3). This may -lead to OOB write access, because 'bptr' points somewhere in -the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) -size to avoid OOB access. - -Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Message-Id: <20200109094228.79764-2-ppandit@redhat.com> ---- - src/tcp_subr.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/src/tcp_subr.c b/src/tcp_subr.c -index 9c1bdec..ee7a938 100644 ---- a/slirp/src/tcp_subr.c -+++ b/slirp/src/tcp_subr.c -@@ -763,7 +763,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n", -+ m->m_len += snprintf(bptr, M_FREEROOM(m), -+ "DCC CHAT chat %lu %u%c\n", - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), 1); - } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, -@@ -773,8 +774,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += -- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), -+ "DCC SEND %s %lu %u %u%c\n", buff, - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), n1, 1); - } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, -@@ -784,8 +785,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += -- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), -+ "DCC MOVE %s %lu %u %u%c\n", buff, - (unsigned long)ntohl(so->so_faddr.s_addr), - ntohs(so->so_fport), n1, 1); - } --- -2.24.1 - -From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Thu, 9 Jan 2020 15:12:28 +0530 -Subject: [PATCH] slirp: use correct size while emulating commands - -While emulating services in tcp_emu(), it uses 'mbuf' size -'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) -size to avoid possible OOB access. - -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Message-Id: <20200109094228.79764-3-ppandit@redhat.com> ---- - src/tcp_subr.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/src/tcp_subr.c b/src/tcp_subr.c -index ee7a938..177dfd2 100644 ---- a/slirp/src/tcp_subr.c -+++ b/slirp/src/tcp_subr.c -@@ -681,7 +681,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, m->m_size - m->m_len, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, - n5, n6, x == 7 ? buff : ""); - return 1; -@@ -716,8 +716,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += -- snprintf(bptr, m->m_size - m->m_len, -+ m->m_len += snprintf(bptr, M_FREEROOM(m), - "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", - n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - -@@ -743,8 +742,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) - if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && - (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, - htons(lport), SS_FACCEPTONCE)) != NULL) -- m->m_len = -- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1; -+ m->m_len = snprintf(m->m_data, M_ROOM(m), -+ "%d", ntohs(so->so_fport)) + 1; - return 1; - - case EMU_IRC: --- -2.24.1 - diff --git a/gnu/packages/patches/qemu-CVE-2020-7211.patch b/gnu/packages/patches/qemu-CVE-2020-7211.patch deleted file mode 100644 index 2885dda411..0000000000 --- a/gnu/packages/patches/qemu-CVE-2020-7211.patch +++ /dev/null @@ -1,49 +0,0 @@ -Fix CVE-2020-7211: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211 - -Patch copied from upstream dependency repository: - -https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 - -From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Mon, 13 Jan 2020 17:44:31 +0530 -Subject: [PATCH] slirp: tftp: restrict relative path access - -tftp restricts relative or directory path access on Linux systems. -Apply same restrictions on Windows systems too. It helps to avoid -directory traversal issue. - -Fixes: https://bugs.launchpad.net/qemu/+bug/1812451 -Reported-by: Peter Maydell <peter.maydell@linaro.org> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Message-Id: <20200113121431.156708-1-ppandit@redhat.com> ---- - src/tftp.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/tftp.c b/src/tftp.c -index 093c2e0..e52e71b 100644 ---- a/slirp/src/tftp.c -+++ b/slirp/src/tftp.c -@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, - k += 6; /* skipping octet */ - - /* do sanity checks on the filename */ -- if (!strncmp(req_fname, "../", 3) || -- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) { -+ if ( -+#ifdef G_OS_WIN32 -+ strstr(req_fname, "..\\") || -+ req_fname[strlen(req_fname) - 1] == '\\' || -+#endif -+ strstr(req_fname, "../") || -+ req_fname[strlen(req_fname) - 1] == '/') { - tftp_send_error(spt, 2, "Access violation", tp); - return; - } --- -2.24.1 - diff --git a/gnu/packages/patches/qemu-CVE-2020-8608.patch b/gnu/packages/patches/qemu-CVE-2020-8608.patch deleted file mode 100644 index 4cb017c795..0000000000 --- a/gnu/packages/patches/qemu-CVE-2020-8608.patch +++ /dev/null @@ -1,269 +0,0 @@ -Fix CVE-2020-8608: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8608 -https://www.openwall.com/lists/oss-security/2020/02/06/2 - -Patches copied from upstream dependency repository: - -https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843 -https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775 - -From 68ccb8021a838066f0951d4b2817eb6b6f10a843 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com> -Date: Mon, 27 Jan 2020 10:24:14 +0100 -Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Various calls to snprintf() assume that snprintf() returns "only" the -number of bytes written (excluding terminating NUL). - -https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 - -"Upon successful completion, the snprintf() function shall return the -number of bytes that would be written to s had n been sufficiently -large excluding the terminating null byte." - -Before patch ce131029, if there isn't enough room in "m_data" for the -"DCC ..." message, we overflow "m_data". - -After the patch, if there isn't enough room for the same, we don't -overflow "m_data", but we set "m_len" out-of-bounds. The next time an -access is bounded by "m_len", we'll have a buffer overflow then. - -Use slirp_fmt*() to fix potential OOB memory access. - -Reported-by: Laszlo Ersek <lersek@redhat.com> -Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com> ---- - src/tcp_subr.c | 44 +++++++++++++++++++++----------------------- - 1 file changed, 21 insertions(+), 23 deletions(-) - -diff --git a/src/tcp_subr.c b/src/tcp_subr.c -index a699117..a72c86b 100644 ---- a/slirp/src/tcp_subr.c -+++ b/slirp/src/tcp_subr.c -@@ -643,8 +643,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) - NTOHS(n1); - NTOHS(n2); - m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1); -- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); -- assert(m->m_len < M_ROOM(m)); -+ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); - } else { - *eol = '\r'; - } -@@ -684,9 +683,9 @@ int tcp_emu(struct socket *so, struct mbuf *m) - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, -- n5, n6, x == 7 ? buff : ""); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "ORT %d,%d,%d,%d,%d,%d\r\n%s", -+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - return 1; - } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { - /* -@@ -719,10 +718,9 @@ int tcp_emu(struct socket *so, struct mbuf *m) - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", -- n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); -- -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", -+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - return 1; - } - -@@ -745,8 +743,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) - if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && - (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, - htons(lport), SS_FACCEPTONCE)) != NULL) -- m->m_len = snprintf(m->m_data, M_ROOM(m), -- "%d", ntohs(so->so_fport)) + 1; -+ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), -+ "%d", ntohs(so->so_fport)); - return 1; - - case EMU_IRC: -@@ -765,10 +763,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC CHAT chat %lu %u%c\n", -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC CHAT chat %lu %u%c\n", -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), 1); - } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, - &n1) == 4) { - if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr), -@@ -776,10 +774,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC SEND %s %lu %u %u%c\n", buff, -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), n1, 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC SEND %s %lu %u %u%c\n", buff, -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), n1, 1); - } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, - &n1) == 4) { - if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr), -@@ -787,10 +785,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC MOVE %s %lu %u %u%c\n", buff, -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), n1, 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC MOVE %s %lu %u %u%c\n", buff, -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), n1, 1); - } - return 1; - --- -2.25.1 - -From 30648c03b27fb8d9611b723184216cd3174b6775 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com> -Date: Mon, 27 Jan 2020 10:24:09 +0100 -Subject: [PATCH] util: add slirp_fmt() helpers -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Various calls to snprintf() in libslirp assume that snprintf() returns -"only" the number of bytes written (excluding terminating NUL). - -https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 - -"Upon successful completion, the snprintf() function shall return the -number of bytes that would be written to s had n been sufficiently -large excluding the terminating null byte." - -Introduce slirp_fmt() that handles several pathological cases the -way libslirp usually expect: - -- treat error as fatal (instead of silently returning -1) - -- fmt0() will always \0 end - -- return the number of bytes actually written (instead of what would -have been written, which would usually result in OOB later), including -the ending \0 for fmt0() - -- warn if truncation happened (instead of ignoring) - -Other less common cases can still be handled with strcpy/snprintf() etc. - -Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com> ---- - src/util.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - src/util.h | 3 +++ - 2 files changed, 65 insertions(+) - -diff --git a/src/util.c b/src/util.c -index e596087..e3b6257 100644 ---- a/slirp/src/util.c -+++ b/slirp/src/util.c -@@ -364,3 +364,65 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str) - } - *q = '\0'; - } -+ -+static int slirp_vsnprintf(char *str, size_t size, -+ const char *format, va_list args) -+{ -+ int rv = vsnprintf(str, size, format, args); -+ -+ if (rv < 0) { -+ g_error("vsnprintf() failed: %s", g_strerror(errno)); -+ } -+ -+ return rv; -+} -+ -+/* -+ * A snprintf()-like function that: -+ * - returns the number of bytes written (excluding optional \0-ending) -+ * - dies on error -+ * - warn on truncation -+ */ -+int slirp_fmt(char *str, size_t size, const char *format, ...) -+{ -+ va_list args; -+ int rv; -+ -+ va_start(args, format); -+ rv = slirp_vsnprintf(str, size, format, args); -+ va_end(args); -+ -+ if (rv > size) { -+ g_critical("vsnprintf() truncation"); -+ } -+ -+ return MIN(rv, size); -+} -+ -+/* -+ * A snprintf()-like function that: -+ * - always \0-end (unless size == 0) -+ * - returns the number of bytes actually written, including \0 ending -+ * - dies on error -+ * - warn on truncation -+ */ -+int slirp_fmt0(char *str, size_t size, const char *format, ...) -+{ -+ va_list args; -+ int rv; -+ -+ va_start(args, format); -+ rv = slirp_vsnprintf(str, size, format, args); -+ va_end(args); -+ -+ if (rv >= size) { -+ g_critical("vsnprintf() truncation"); -+ if (size > 0) -+ str[size - 1] = '\0'; -+ rv = size; -+ } else { -+ rv += 1; /* include \0 */ -+ } -+ -+ return rv; -+} -diff --git a/src/util.h b/src/util.h -index e9c3073..5530c46 100644 ---- a/slirp/src/util.h -+++ b/slirp/src/util.h -@@ -181,4 +181,7 @@ static inline int slirp_socket_set_fast_reuse(int fd) - - void slirp_pstrcpy(char *buf, int buf_size, const char *str); - -+int slirp_fmt(char *str, size_t size, const char *format, ...); -+int slirp_fmt0(char *str, size_t size, const char *format, ...); -+ - #endif --- -2.25.1 - diff --git a/gnu/packages/patches/qemu-fix-documentation-build-failure.patch b/gnu/packages/patches/qemu-fix-documentation-build-failure.patch deleted file mode 100644 index c913c553b2..0000000000 --- a/gnu/packages/patches/qemu-fix-documentation-build-failure.patch +++ /dev/null @@ -1,43 +0,0 @@ -Fix a build failure caused by a texinfo bug: - -qemu-doc.texi:41: @menu reference to nonexistent node `QEMU Guest Agent' - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=80bc935eaaf93e5b9a4efe97abd7c51d645f2612 - -From 80bc935eaaf93e5b9a4efe97abd7c51d645f2612 Mon Sep 17 00:00:00 2001 -From: Thomas Huth <thuth@redhat.com> -Date: Mon, 16 Dec 2019 14:29:41 +0100 -Subject: [PATCH] qemu-doc: Remove the unused "Guest Agent" node -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The node has been removed from the texi file some months ago, so we -should remove it from the menu section, too. - -Fixes: 27a296fce982 ("qemu-ga: Convert invocation documentation to rST") -Signed-off-by: Thomas Huth <thuth@redhat.com> -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Message-Id: <20191216132941.25729-1-thuth@redhat.com> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> ---- - qemu-doc.texi | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/qemu-doc.texi b/qemu-doc.texi -index eea91a2d1e..39f950471f 100644 ---- a/qemu-doc.texi -+++ b/qemu-doc.texi -@@ -38,7 +38,6 @@ - * Introduction:: - * QEMU PC System emulator:: - * QEMU System emulator for non PC targets:: --* QEMU Guest Agent:: - * QEMU User space emulator:: - * System requirements:: - * Security:: --- -2.24.1 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index b098ef36e0..18b0992dec 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -14,6 +14,7 @@ ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re> ;;; Copyright © 2020 Mathieu Othacehe <m.othacehe@gmail.com> +;;; Copyright © 2020 Marius Bakke <mbakke@fastmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -115,19 +116,14 @@ (define-public qemu (package (name "qemu") - (version "4.2.0") + (version "5.0.0") (source (origin (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2020-1711.patch" - "qemu-CVE-2020-7039.patch" - "qemu-CVE-2020-7211.patch" - "qemu-CVE-2020-8608.patch" - "qemu-fix-documentation-build-failure.patch")) (sha256 (base32 - "1w38hzlw7xp05gcq1nhga7hxvndxy6dfcnzi7q2il8ff110isj6k")))) + "1dlcwyshdp94fwd30pddxf9bn2q8dfw5jsvry2gvdj551wmaj4rg")))) (build-system gnu-build-system) (arguments `(;; Running tests in parallel can occasionally lead to failures, like: @@ -169,6 +165,14 @@ '("include") input-directories) #t))) + (add-after 'patch-source-shebangs 'patch-/bin/sh-references + (lambda _ + ;; Ensure the executables created by these source files reference + ;; /bin/sh from the store so they work inside the build container. + (substitute* '("block/cloop.c" "migration/exec.c" + "net/tap.c" "tests/qtest/libqtest.c") + (("/bin/sh") (which "sh"))) + #t)) (replace 'configure (lambda* (#:key inputs outputs (configure-flags '()) #:allow-other-keys) @@ -178,8 +182,16 @@ (setenv "SHELL" (which "bash")) ;; While we're at it, patch for tests. - (substitute* "tests/libqtest.c" - (("/bin/sh") (which "sh"))) + (substitute* "tests/qemu-iotests/check" + (("#!/usr/bin/env python3") + (string-append "#!" (which "python3")))) + + ;; Ensure config.status gets the correct shebang off the bat. + ;; The build system gets confused if we change it later and + ;; attempts to re-run the whole configury, and fails. + (substitute* "configure" + (("#!/bin/sh") + (string-append "#!" (which "sh")))) ;; The binaries need to be linked against -lrt. (setenv "LDFLAGS" "-lrt") @@ -218,12 +230,6 @@ exec smbd $@"))) (chmod "samba-wrapper" #o755) (install-file "samba-wrapper" libexec)) #t)) - (add-before 'configure 'prevent-network-configuration - (lambda _ - ;; Prevent the build from trying to use git to fetch from the net. - (substitute* "Makefile" - (("@./config.status") - "")) #t)) (add-before 'check 'disable-unusable-tests (lambda* (#:key inputs outputs #:allow-other-keys) (substitute* "tests/Makefile.include" @@ -245,7 +251,7 @@ exec smbd $@"))) ("libaio" ,libaio) ("libattr" ,attr) ("libcacard" ,libcacard) ; smartcard support - ("libcap" ,libcap) ; virtfs support requires libcap & libattr + ("libcap-ng" ,libcap-ng) ; virtfs support requires libcap-ng & libattr ("libdrm" ,libdrm) ("libepoxy" ,libepoxy) ("libjpeg" ,libjpeg-turbo) |