From 4849ea9f140e6ddc7df493614b258b3d1e9647bc1b99d324589f6a3f4ae7404a Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Wed, 21 Jun 2017 01:27:18 +0000 Subject: [PATCH] Accepting request 505145 from home:bfrogers:branches:Virtualization Latest security fixes, a fix to a security fix, and a tweak to how we select the compiler where size is critical. Also found we need --no-renames for git format-patch as we do our git patch workflow. OBS-URL: https://build.opensuse.org/request/show/505145 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=345 --- ...-9pfs-local-fix-unlink-of-alien-file.patch | 102 +++++++++++++++ ...-megasas-do-not-read-DCMD-opcode-mor.patch | 113 ++++++++++++++++ ...-megasas-always-store-SCSIRequest-in.patch | 123 ++++++++++++++++++ ...-nbd-Fully-initialize-client-in-case.patch | 80 ++++++++++++ ...-9pfs-local-remove-use-correct-path-.patch | 28 ++++ ipxe-ath-Add-missing-break-statements.patch | 32 +++++ ...es-Fix-erroneous-__nonnull-attribute.patch | 28 ++++ qemu-linux-user.changes | 13 ++ qemu-linux-user.spec | 10 ++ qemu-testsuite.changes | 23 ++++ qemu-testsuite.spec | 18 +++ qemu.changes | 23 ++++ qemu.spec | 18 +++ qemu.spec.in | 10 ++ update_git.sh | 2 +- 15 files changed, 622 insertions(+), 1 deletion(-) create mode 100644 0060-9pfs-local-fix-unlink-of-alien-file.patch create mode 100644 0061-megasas-do-not-read-DCMD-opcode-mor.patch create mode 100644 0062-megasas-always-store-SCSIRequest-in.patch create mode 100644 0063-nbd-Fully-initialize-client-in-case.patch create mode 100644 0064-9pfs-local-remove-use-correct-path-.patch create mode 100644 ipxe-ath-Add-missing-break-statements.patch create mode 100644 ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch diff --git a/0060-9pfs-local-fix-unlink-of-alien-file.patch b/0060-9pfs-local-fix-unlink-of-alien-file.patch new file mode 100644 index 00000000..8563d6f5 --- /dev/null +++ b/0060-9pfs-local-fix-unlink-of-alien-file.patch 
@@ -0,0 +1,102 @@
+From 85bc346e1f5d90e1be7147f982e18511304daaeb Mon Sep 17 00:00:00 2001
+From: Greg Kurz
+Date: Thu, 25 May 2017 10:30:13 +0200
+Subject: [PATCH] 9pfs: local: fix unlink of alien files in mapped-file mode
+
+When trying to remove a file from a directory, both created in non-mapped
+mode, the file remains and EBADF is returned to the guest.
+
+This is a regression introduced by commit "df4938a6651b 9pfs: local:
+unlinkat: don't follow symlinks" when fixing CVE-2016-9602. It changed the
+way we unlink the metadata file from
+
+ ret = remove("$dir/.virtfs_metadata/$name");
+ if (ret < 0 && errno != ENOENT) {
+ /* Error out */
+ }
+ /* Ignore absence of metadata */
+
+to
+
+ fd = openat("$dir/.virtfs_metadata")
+ unlinkat(fd, "$name")
+ if (ret < 0 && errno != ENOENT) {
+ /* Error out */
+ }
+ /* Ignore absence of metadata */
+
+If $dir was created in non-mapped mode, openat() fails with ENOENT and
+we pass -1 to unlinkat(), which fails in turn with EBADF.
+
+We just need to check the return of openat() and ignore ENOENT, in order
+to restore the behaviour we had with remove().
+
+Signed-off-by: Greg Kurz
+Reviewed-by: Eric Blake
+[groug: rewrote the comments as suggested by Eric]
+(cherry picked from commit 6a87e7929f97b86c5823d4616fa1aa7636b2f116)
+[BR: Fix and/or infrastructure for BSC#1020427 CVE-2016-9602]
+Signed-off-by: Bruce Rogers
+---
+ hw/9pfs/9p-local.c | 34 +++++++++++++++------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
+index a2486566af..226234d386 100644
+--- a/hw/9pfs/9p-local.c
++++ b/hw/9pfs/9p-local.c
+@@ -992,6 +992,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
+ int map_dirfd;
+
++ /* We need to remove the metadata as well:
++ * - the metadata directory if we're removing a directory
++ * - the metadata file in the parent's metadata directory
++ *
++ * If any of these are missing (ie, ENOENT) then we're probably
++ * trying to remove something that wasn't created in mapped-file
++ * mode. We just ignore the error.
++ */
+ if (flags == AT_REMOVEDIR) {
+ int fd;
+
+@@ -999,32 +1007,20 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
+ if (fd == -1) {
+ goto err_out;
+ }
+- /*
+- * If directory remove .virtfs_metadata contained in the
+- * directory
+- */
+ ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR);
+ close_preserve_errno(fd);
+ if (ret < 0 && errno != ENOENT) {
+- /*
+- * We didn't had the .virtfs_metadata file. May be file created
+- * in non-mapped mode ?. Ignore ENOENT.
+- */
+ goto err_out;
+ }
+ }
+- /*
+- * Now remove the name from parent directory
+- * .virtfs_metadata directory.
+- */
+ map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);
+- ret = unlinkat(map_dirfd, name, 0);
+- close_preserve_errno(map_dirfd);
+- if (ret < 0 && errno != ENOENT) {
+- /*
+- * We didn't had the .virtfs_metadata file. May be file created
+- * in non-mapped mode ?. Ignore ENOENT.
+- */
++ if (map_dirfd != -1) {
++ ret = unlinkat(map_dirfd, name, 0);
++ close_preserve_errno(map_dirfd);
++ if (ret < 0 && errno != ENOENT) {
++ goto err_out;
++ }
++ } else if (errno != ENOENT) {
+ goto err_out;
+ }
+ }
diff --git a/0061-megasas-do-not-read-DCMD-opcode-mor.patch b/0061-megasas-do-not-read-DCMD-opcode-mor.patch
new file mode 100644
index 00000000..28c5bbb0
--- /dev/null
+++ b/0061-megasas-do-not-read-DCMD-opcode-mor.patch
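Review bot: The new `else if (errno != ENOENT)` branch reads the errno left behind by `openat_dir()` with nothing in between, which is correct today but silent; a one-line comment such as `/* openat_dir() failed: a missing metadata dir is tolerated, anything else is an error */` would stop a later insertion between the call and the check from breaking it. In the `AT_REMOVEDIR` path a tolerated ENOENT leaves `ret == -1` from the earlier `unlinkat()`; the tail of local_unlinkat_common is outside the hunk, so whether `ret` is reassigned before `err_out` cannot be confirmed here and is worth checking. The body of local_unlinkat_common both begins and ends outside this hunk.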
@@ -0,0 +1,113 @@
+From e0653c80373f056fa0bd72fb9aef161dac13b1cf Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 19 Jun 2017 16:36:08 -0600
+Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame
+
+Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd
+
+Signed-off-by: Paolo Bonzini
+[BR: BSC#1043296 CVE-2017-9503]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/megasas.c | 25 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 804122ab05..887958481b 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -63,6 +63,7 @@ typedef struct MegasasCmd {
+
+ hwaddr pa;
+ hwaddr pa_size;
++ uint32_t dcmd_opcode;
+ union mfi_frame *frame;
+ SCSIRequest *req;
+ QEMUSGList qsg;
+@@ -511,6 +512,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
+ cmd->context &= (uint64_t)0xFFFFFFFF;
+ }
+ cmd->count = count;
++ cmd->dcmd_opcode = -1;
+ s->busy++;
+
+ if (s->consumer_pa) {
+@@ -1559,22 +1561,21 @@ static const struct dcmd_cmd_tbl_t {
+
+ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
+ {
+- int opcode;
+ int retval = 0;
+ size_t len;
+ const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
+
+- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+- trace_megasas_handle_dcmd(cmd->index, opcode);
++ cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
++ trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
+ if (megasas_map_dcmd(s, cmd) < 0) {
+ return MFI_STAT_MEMORY_NOT_AVAILABLE;
+ }
+- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
++ while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
+ cmdptr++;
+ }
+ len = cmd->iov_size;
+ if (cmdptr->opcode == -1) {
+- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
++ trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
+ retval = megasas_dcmd_dummy(s, cmd);
+ } else {
+ trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
+@@ -1589,13 +1590,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
+ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
+ SCSIRequest *req)
+ {
+- int opcode;
+ int retval = MFI_STAT_OK;
+ int lun = req->lun;
+
+- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+- trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
+- switch (opcode) {
++ trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
++ switch (cmd->dcmd_opcode) {
+ case MFI_DCMD_PD_GET_INFO:
+ retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
+ break;
+@@ -1603,7 +1602,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
+ retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
+ break;
+ default:
+- trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
++ trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
+ retval = MFI_STAT_INVALID_DCMD;
+ break;
+ }
+@@ -1824,7 +1823,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
+ {
+ MegasasCmd *cmd = req->hba_private;
+ uint8_t *buf;
+- uint32_t opcode;
+
+ trace_megasas_io_complete(cmd->index, len);
+
+@@ -1834,8 +1832,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
+ }
+
+ buf = scsi_req_get_buf(req);
+- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+- if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
++ if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
+ struct mfi_pd_info *info = cmd->iov_buf;
+
+ if (info->inquiry_data[0] == 0x7f) {
+@@ -1846,7 +1843,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
+ memcpy(info->vpd_page83, buf, len);
+ }
+ scsi_req_continue(req);
+- } else if (opcode == MFI_DCMD_LD_GET_INFO) {
++ } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
+ struct mfi_ld_info *info = cmd->iov_buf;
+
+ if (cmd->iov_buf) {
diff --git a/0062-megasas-always-store-SCSIRequest-in.patch b/0062-megasas-always-store-SCSIRequest-in.patch
new file mode 100644
index 00000000..85878cd0
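Review bot: `dcmd_opcode` is declared `uint32_t` but initialised with `cmd->dcmd_opcode = -1;` and compared against the `int` entries of `dcmd_cmd_tbl` in `cmdptr->opcode != cmd->dcmd_opcode`, so every sentinel test rests on the implicit conversion of -1 to 0xFFFFFFFF and will trip `-Wsign-compare`. That sentinel also lies inside the range a frame can carry in `dcmd.opcode` (the frame is what the TOC-TOU concern in the description is about), so a frame with opcode 0xFFFFFFFF becomes indistinguishable from "no DCMD recorded"; the 0062 patch later on this page keys `megasas_abort_command()` and `megasas_command_complete()` on the same value. A named constant used at the assignment and every comparison (say `MEGASAS_DCMD_OPCODE_NONE`, name chosen here), plus a comment on the struct field stating that it is taken from the frame in `megasas_handle_dcmd()` and is the sentinel until then, would make the contract explicit; a separate flag for "internal command" would remove the overlap entirely.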
--- /dev/null
+++ b/0062-megasas-always-store-SCSIRequest-in.patch
@@ -0,0 +1,123 @@
+From 0199dd521a16bff213ee66fe1fb257790006237f Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Sat, 10 Jun 2017 14:04:51 -0600
+Subject: [PATCH] megasas: always store SCSIRequest* into MegasasCmd
+
+This ensures that the request is unref'ed properly, and avoids a
+segmentation fault in the new qtest testcase that is added.
+
+Reported-by: Zhangyanyu
+Signed-off-by: Paolo Bonzini
+[BR: BSC#1043296 CVE-2017-9503, dropped testcase from patch]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/megasas.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 887958481b..a0cafe3010 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -607,6 +607,9 @@ static void megasas_reset_frames(MegasasState *s)
+ static void megasas_abort_command(MegasasCmd *cmd)
+ {
+ /* Never abort internal commands. */
++ if (cmd->dcmd_opcode != -1) {
++ return;
++ }
+ if (cmd->req != NULL) {
+ scsi_req_cancel(cmd->req);
+ }
+@@ -1014,7 +1017,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
+ uint64_t pd_size;
+ uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
+ uint8_t cmdbuf[6];
+- SCSIRequest *req;
+ size_t len, resid;
+
+ if (!cmd->iov_buf) {
+@@ -1023,8 +1025,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
+ info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */
+ info->vpd_page83[0] = 0x7f;
+ megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data));
+- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
+- if (!req) {
++ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
++ if (!cmd->req) {
+ trace_megasas_dcmd_req_alloc_failed(cmd->index,
+ "PD get info std inquiry");
+ g_free(cmd->iov_buf);
+@@ -1033,26 +1035,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
+ }
+ trace_megasas_dcmd_internal_submit(cmd->index,
+ "PD get info std inquiry", lun);
+- len = scsi_req_enqueue(req);
++ len = scsi_req_enqueue(cmd->req);
+ if (len > 0) {
+ cmd->iov_size = len;
+- scsi_req_continue(req);
++ scsi_req_continue(cmd->req);
+ }
+ return MFI_STAT_INVALID_STATUS;
+ } else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) {
+ megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83));
+- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
+- if (!req) {
++ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
++ if (!cmd->req) {
+ trace_megasas_dcmd_req_alloc_failed(cmd->index,
+ "PD get info vpd inquiry");
+ return MFI_STAT_FLASH_ALLOC_FAIL;
+ }
+ trace_megasas_dcmd_internal_submit(cmd->index,
+ "PD get info vpd inquiry", lun);
+- len = scsi_req_enqueue(req);
++ len = scsi_req_enqueue(cmd->req);
+ if (len > 0) {
+ cmd->iov_size = len;
+- scsi_req_continue(req);
++ scsi_req_continue(cmd->req);
+ }
+ return MFI_STAT_INVALID_STATUS;
+ }
+@@ -1214,7 +1216,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
+ struct mfi_ld_info *info = cmd->iov_buf;
+ size_t dcmd_size = sizeof(struct mfi_ld_info);
+ uint8_t cdb[6];
+- SCSIRequest *req;
+ ssize_t len, resid;
+ uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
+ uint64_t ld_size;
+@@ -1223,8 +1224,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
+ cmd->iov_buf = g_malloc0(dcmd_size);
+ info = cmd->iov_buf;
+ megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83));
+- req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
+- if (!req) {
++ cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
++ if (!cmd->req) {
+ trace_megasas_dcmd_req_alloc_failed(cmd->index,
+ "LD get info vpd inquiry");
+ g_free(cmd->iov_buf);
+@@ -1233,10 +1234,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
+ }
+ trace_megasas_dcmd_internal_submit(cmd->index,
+ "LD get info vpd inquiry", lun);
+- len = scsi_req_enqueue(req);
++ len = scsi_req_enqueue(cmd->req);
+ if (len > 0) {
+ cmd->iov_size = len;
+- scsi_req_continue(req);
++ scsi_req_continue(cmd->req);
+ }
+ return MFI_STAT_INVALID_STATUS;
+ }
+@@ -1865,7 +1866,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status,
+ return;
+ }
+
+- if (cmd->req == NULL) {
++ if (cmd->dcmd_opcode != -1) {
+ /*
+ * Internal command complete
+ */
diff --git a/0063-nbd-Fully-initialize-client-in-case.patch b/0063-nbd-Fully-initialize-client-in-case.patch
new file mode 100644
index 00000000..5aa46662
--- /dev/null
+++ b/0063-nbd-Fully-initialize-client-in-case.patch
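Review bot: The trailer `[BR: BSC#1043296 CVE-2017-9503, dropped testcase from patch]` means the qtest case the description relies on ("the new qtest testcase that is added") is not carried here, so nothing in this package exercises the fix after backporting; naming the dropped test file and the reason it was dropped in the trailer would let a later rebase restore it. In `megasas_pd_get_info_submit` the second `cmd->req = scsi_req_new(...)` (the vpd-page-83 branch) overwrites whatever pointer the first inquiry stored; whether that earlier request has already been released by the completion path before the second submit is decided outside the hunk and should be confirmed, since a silently overwritten reference is exactly the leak this change is meant to close. A comment on the first such assignment, e.g. `/* keep the request in cmd so completion and abort can release it */`, would record the new ownership rule.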
@@ -0,0 +1,80 @@
+From 94301dd6735f540dc9f6e01943fda914c4bbef8a Mon Sep 17 00:00:00 2001
+From: Eric Blake
+Date: Fri, 26 May 2017 22:04:21 -0500
+Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation
+
+If a non-NBD client connects to qemu-nbd, we would end up with
+a SIGSEGV in nbd_client_put() because we were trying to
+unregister the client's association to the export, even though
+we skipped inserting the client into that list. Easy trigger
+in two terminals:
+
+$ qemu-nbd -p 30001 --format=raw file
+$ nmap 127.0.0.1 -p 30001
+
+nmap claims that it thinks it connected to a pago-services1
+server (which probably means nmap could be updated to learn the
+NBD protocol and give a more accurate diagnosis of the open
+port - but that's not our problem), then terminates immediately,
+so our call to nbd_negotiate() fails. The fix is to reorder
+nbd_co_client_start() to ensure that all initialization occurs
+before we ever try talking to a client in nbd_negotiate(), so
+that the teardown sequence on negotiation failure doesn't fault
+while dereferencing a half-initialized object.
+
+While debugging this, I also noticed that nbd_update_server_watch()
+called by nbd_client_closed() was still adding a channel to accept
+the next client, even when the state was no longer RUNNING. That
+is fixed by making nbd_can_accept() pay attention to the current
+state.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
+
+Signed-off-by: Eric Blake
+Message-Id: <20170527030421.28366-1-eblake@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af)
+[BR: BSC#1043808 CVE-2017-9524]
+Signed-off-by: Bruce Rogers
+---
+ nbd/server.c | 8 +++-----
+ qemu-nbd.c | 2 +-
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index 924a1fe2db..edfda84d43 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -1376,16 +1376,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
+
+ if (exp) {
+ nbd_export_get(exp);
++ QTAILQ_INSERT_TAIL(&exp->clients, client, next);
+ }
++ qemu_co_mutex_init(&client->send_lock);
++
+ if (nbd_negotiate(data)) {
+ client_close(client);
+ goto out;
+ }
+- qemu_co_mutex_init(&client->send_lock);
+-
+- if (exp) {
+- QTAILQ_INSERT_TAIL(&exp->clients, client, next);
+- }
+
+ nbd_client_receive_next_request(client);
+
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index e080fb7c75..b44764eb87 100644
+--- a/qemu-nbd.c
++++ b/qemu-nbd.c
+@@ -324,7 +324,7 @@ out:
+
+ static int nbd_can_accept(void)
+ {
+- return nb_fds < shared;
++ return state == RUNNING && nb_fds < shared;
+ }
+
+ static void nbd_export_closed(NBDExport *exp)
diff --git a/0064-9pfs-local-remove-use-correct-path-.patch b/0064-9pfs-local-remove-use-correct-path-.patch
new file mode 100644
index 00000000..c6655d96
--- /dev/null
+++ b/0064-9pfs-local-remove-use-correct-path-.patch
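Review bot: Moving `QTAILQ_INSERT_TAIL(&exp->clients, client, next)` ahead of `nbd_negotiate(data)` gives the failure path `client_close(client)` a balanced unregister, but it also makes a client that has not finished the handshake visible to anything that walks `exp->clients` while negotiation is in progress; the `out:` label and the close path are outside the hunk, so the safety of that window is inferred from the description rather than visible here. A comment on the inserted line would pin the invariant the ordering now depends on: `/* register before negotiating so the close path can always unregister */`. The `nbd_can_accept()` change reads the file-scope `state` and `RUNNING`, neither of which is shown in the hunk.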
@@ -0,0 +1,28 @@
+From d8ebbbc6a85bc9a6a6e194564719e43a51ec2e86 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers
+Date: Mon, 19 Jun 2017 14:48:02 -0600
+Subject: [PATCH] 9pfs: local: remove: use correct path component
+
+Commit a0e640a8 introduced a path processing error.
+Pass fstatat the dirpath based path component instead
+of the entire path.
+
+[BR: BSC#1045035]
+Signed-off-by: Bruce Rogers
+---
+ hw/9pfs/9p-local.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
+index 226234d386..47f6d9ec99 100644
+--- a/hw/9pfs/9p-local.c
++++ b/hw/9pfs/9p-local.c
+@@ -1044,7 +1044,7 @@ static int local_remove(FsContext *ctx, const char *path)
+ goto out;
+ }
+
+- if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) {
++ if (fstatat(dirfd, name, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) {
+ goto err_out;
+ }
+
diff --git a/ipxe-ath-Add-missing-break-statements.patch b/ipxe-ath-Add-missing-break-statements.patch
new file mode 100644
index 00000000..61608499
--- /dev/null
+++ b/ipxe-ath-Add-missing-break-statements.patch
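Review bot: The fix passes `name` instead of `path` to `fstatat(dirfd, …)`, but the hunk does not show where `name` is derived or that it is the final component of `path` relative to `dirfd`; the start of local_remove is outside the hunk, so that has to be verified in the surrounding code, and a one-line comment on the call, `/* name is the last component of path, relative to dirfd */`, would state the contract the fix relies on. The patch carries only `[BR: BSC#1045035]` and no `(cherry picked from …)` trailer, so it is unclear whether this is a local fix or a backport; adding the upstream commit id, if one exists, would make the next rebase easier. `AT_SYMLINK_NOFOLLOW` is retained, so the symlink handling introduced by the earlier CVE fix is not regressed by this change.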
@@ -0,0 +1,32 @@
+From 45f2265bfcbbf2afd7fac24372ae26e453f2b52d Mon Sep 17 00:00:00 2001
+From: Michael Brown
+Date: Wed, 22 Mar 2017 11:52:09 +0200
+Subject: [PATCH] [ath] Add missing break statements
+
+Signed-off-by: Michael Brown
+Signed-off-by: Bruce Rogers
+---
+ src/drivers/net/ath/ath5k/ath5k_desc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/drivers/net/ath/ath5k/ath5k_desc.c b/src/drivers/net/ath/ath5k/ath5k_desc.c
+index 30fe1c77..816d26ed 100644
+--- a/src/drivers/net/ath/ath5k/ath5k_desc.c
++++ b/src/drivers/net/ath/ath5k/ath5k_desc.c
+@@ -104,10 +104,13 @@ ath5k_hw_setup_2word_tx_desc(struct ath5k_hw *ah, struct ath5k_desc *desc,
+ case AR5K_PKT_TYPE_BEACON:
+ case AR5K_PKT_TYPE_PROBE_RESP:
+ frame_type = AR5K_AR5210_TX_DESC_FRAME_TYPE_NO_DELAY;
++ break;
+ case AR5K_PKT_TYPE_PIFS:
+ frame_type = AR5K_AR5210_TX_DESC_FRAME_TYPE_PIFS;
++ break;
+ default:
+ frame_type = type /*<< 2 ?*/;
++ break;
+ }
+
+ tx_ctl->tx_control_0 |=
+--
+2.12.2
+
diff --git a/ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch b/ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
new file mode 100644
index 00000000..945a5a07
--- /dev/null
+++ b/ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
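Review bot: Adding `break` after the `AR5K_PKT_TYPE_BEACON`/`AR5K_PKT_TYPE_PROBE_RESP` pair and after `AR5K_PKT_TYPE_PIFS` is a behaviour change, not only a warning fix: with the old fall-through, beacon, probe-response and PIFS descriptors all ended up in the `default` case with `frame_type = type`, and now they keep the NO_DELAY and PIFS values. The commit message only says "Add missing break statements"; a sentence noting that those three packet types previously had their frame type overwritten by the default case would record why the firmware's transmit descriptors change. The surviving `/*<< 2 ?*/` in the default case is an unresolved question left in the code and deserves either an answer or a TODO. The enclosing switch starts outside the hunk.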
@@ -0,0 +1,28 @@
+From 28e26dd2503e6006fabb26f8c33050ba93a99623 Mon Sep 17 00:00:00 2001
+From: Michael Brown
+Date: Wed, 29 Mar 2017 10:35:05 +0300
+Subject: [PATCH] [mucurses] Fix erroneous __nonnull attribute
+
+Signed-off-by: Michael Brown
+Signed-off-by: Bruce Rogers
+---
+ src/include/curses.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/include/curses.h b/src/include/curses.h
+index 04060fe2..1f6fe029 100644
+--- a/src/include/curses.h
++++ b/src/include/curses.h
+@@ -443,7 +443,8 @@ extern int wborder ( WINDOW *, chtype, chtype, chtype, chtype, chtype, chtype,
+ extern int wclrtobot ( WINDOW * ) __nonnull;
+ extern int wclrtoeol ( WINDOW * ) __nonnull;
+ extern void wcursyncup ( WINDOW * );
+-extern int wcolour_set ( WINDOW *, short, void * ) __nonnull;
++extern int wcolour_set ( WINDOW *, short, void * )
++ __attribute__ (( nonnull (1)));
+ #define wcolor_set(w,s,v) wcolour_set((w),(s),(v))
+ extern int wdelch ( WINDOW * ) __nonnull;
+ extern int wdeleteln ( WINDOW * ) __nonnull;
+--
+2.12.2
+
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index 5292a1c4..7532e87a 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Jun 20 14:14:17 UTC 2017 - brogers@suse.com
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+* Patches added:
+ 0060-9pfs-local-fix-unlink-of-alien-file.patch
+ 0061-megasas-do-not-read-DCMD-opcode-mor.patch
+ 0062-megasas-always-store-SCSIRequest-in.patch
+ 0063-nbd-Fully-initialize-client-in-case.patch
+ 0064-9pfs-local-remove-use-correct-path-.patch
+- Add --no-renames to the git format-patch command in the git
+ workflow script for better patch compatibility
+
 -------------------------------------------------------------------
 Mon May 22 23:52:15 UTC 2017 - brogers@suse.com
 
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 6b681771..94b827d6 100644
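Review bot: Replacing `__nonnull` with `__attribute__ (( nonnull (1)))` on `wcolour_set` narrows the non-null promise to the `WINDOW *` argument, which implies the trailing `void *` parameter may legitimately be NULL, yet neither the declaration nor the commit message says so. That matters beyond diagnostics: with `nonnull` the compiler may delete NULL checks on the attributed parameters inside the callee, so an over-broad attribute is a correctness problem, and the narrowed form should be documented so nobody "fixes" it back. A short comment on the declaration, e.g. `/* third argument (opts) may be NULL */`, would make the contract visible to callers of the `wcolor_set` macro, which passes it straight through.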
--- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -85,6 +85,11 @@ Patch0056: 0056-jazz_led-fix-bad-snprintf.patch Patch0057: 0057-slirp-smb-Replace-constant-strings-.patch Patch0058: 0058-altera_timer-fix-incorrect-memset.patch Patch0059: 0059-Hacks-for-building-on-gcc-7-Fedora-.patch +Patch0060: 0060-9pfs-local-fix-unlink-of-alien-file.patch +Patch0061: 0061-megasas-do-not-read-DCMD-opcode-mor.patch +Patch0062: 0062-megasas-always-store-SCSIRequest-in.patch +Patch0063: 0063-nbd-Fully-initialize-client-in-case.patch +Patch0064: 0064-9pfs-local-remove-use-correct-path-.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. Source400: update_git.sh @@ -197,6 +202,11 @@ run cross-architecture builds. %patch0057 -p1 %patch0058 -p1 %patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 %build ./configure \ diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 01b0bd4d..5593131e 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes 
@@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue Jun 20 14:14:14 UTC 2017 - brogers@suse.com + +- Use most recent compiler to build size-critical firmware, instead + of hard-coding gcc6 for all target versions (bsc#1043390) +* A few upstream ipxe patches were needed for gcc7 compatibility: + ipxe-ath-Add-missing-break-statements.patch + ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch +- Add --no-renames to the git format-patch command in the git + workflow script for better patch compatibility +- Address various security/stability issues +* Fix potential privilege escalation in virtfs (CVE-2016-9602 + bsc#1020427) + 0060-9pfs-local-fix-unlink-of-alien-file.patch +* Fix DOS in megasas device emulation (CVE-2017-9503 bsc#1043296) + 0061-megasas-do-not-read-DCMD-opcode-mor.patch + 0062-megasas-always-store-SCSIRequest-in.patch +* Fix DOS in qemu-nbd server (CVE-2017-9524 bsc#1043808) + 0063-nbd-Fully-initialize-client-in-case.patch +* Fix regression introduced by recent virtfs security fixes (bsc#1045035) + 0064-9pfs-local-remove-use-correct-path-.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 + ------------------------------------------------------------------- Tue Jun 6 21:21:53 UTC 2017 - lyan@suse.com diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index fefd71cd..9c837626 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec 
@@ -189,6 +189,11 @@ Patch0056: 0056-jazz_led-fix-bad-snprintf.patch Patch0057: 0057-slirp-smb-Replace-constant-strings-.patch Patch0058: 0058-altera_timer-fix-incorrect-memset.patch Patch0059: 0059-Hacks-for-building-on-gcc-7-Fedora-.patch +Patch0060: 0060-9pfs-local-fix-unlink-of-alien-file.patch +Patch0061: 0061-megasas-do-not-read-DCMD-opcode-mor.patch +Patch0062: 0062-megasas-always-store-SCSIRequest-in.patch +Patch0063: 0063-nbd-Fully-initialize-client-in-case.patch +Patch0064: 0064-9pfs-local-remove-use-correct-path-.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -200,6 +205,8 @@ Patch1100: ipxe-stable-buildid.patch Patch1101: ipxe-use-gcc6-for-more-compact-code.patch Patch1102: ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch Patch1103: ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch +Patch1104: ipxe-ath-Add-missing-break-statements.patch +Patch1105: ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch # sgabios # PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brogers@suse.com -- reproducible builds @@ -238,8 +245,10 @@ BuildRequires: e2fsprogs-devel BuildRequires: fdupes BuildRequires: gcc-c++ %if %{build_x86_firmware_from_source} +%if 0%{?suse_version} <= 1320 BuildRequires: gcc6 %endif +%endif BuildRequires: glib2-devel %if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315 BuildRequires: glusterfs-devel @@ -895,12 +904,21 @@ This package provides a service file for starting and stopping KSM. %patch0057 -p1 %patch0058 -p1 %patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 pushd roms/ipxe %patch1100 -p1 +%if 0%{?suse_version} <= 1320 %patch1101 -p1 +%endif %patch1102 -p1 %patch1103 -p1 +%patch1104 -p1 +%patch1105 -p1 popd pushd roms/sgabios diff --git a/qemu.changes b/qemu.changes index 01b0bd4d..5593131e 100644 --- a/qemu.changes +++ b/qemu.changes 
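Review bot: The `gcc6` BuildRequires and the `%patch1101 -p1` (ipxe-use-gcc6-for-more-compact-code.patch) application are now gated on two separate copies of `%if 0%{?suse_version} <= 1320`, hundreds of lines apart; if one is edited without the other, the ipxe build would either force a compiler that is not installed or pull in gcc6 without using it. Defining the condition once, e.g. `%define firmware_gcc6 0%{?suse_version} <= 1320` (name chosen here) tested as `%if %{firmware_gcc6}` in both places, would keep them in step, and since the comment in this hunk says the specs are regenerated from the template, the definition belongs in qemu.spec.in rather than in the generated qemu.spec and qemu-testsuite.spec; the same pair appears in the qemu.spec and qemu.spec.in sections later on this page. A one-line comment giving the reason for the 1320 cut-off (the compiler change described under bsc#1043390 in the changes file) would help the next version bump.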
@@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue Jun 20 14:14:14 UTC 2017 - brogers@suse.com + +- Use most recent compiler to build size-critical firmware, instead + of hard-coding gcc6 for all target versions (bsc#1043390) +* A few upstream ipxe patches were needed for gcc7 compatibility: + ipxe-ath-Add-missing-break-statements.patch + ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch +- Add --no-renames to the git format-patch command in the git + workflow script for better patch compatibility +- Address various security/stability issues +* Fix potential privilege escalation in virtfs (CVE-2016-9602 + bsc#1020427) + 0060-9pfs-local-fix-unlink-of-alien-file.patch +* Fix DOS in megasas device emulation (CVE-2017-9503 bsc#1043296) + 0061-megasas-do-not-read-DCMD-opcode-mor.patch + 0062-megasas-always-store-SCSIRequest-in.patch +* Fix DOS in qemu-nbd server (CVE-2017-9524 bsc#1043808) + 0063-nbd-Fully-initialize-client-in-case.patch +* Fix regression introduced by recent virtfs security fixes (bsc#1045035) + 0064-9pfs-local-remove-use-correct-path-.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 + ------------------------------------------------------------------- Tue Jun 6 21:21:53 UTC 2017 - lyan@suse.com diff --git a/qemu.spec b/qemu.spec index d870f37d..86134e72 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -189,6 +189,11 @@ Patch0056: 0056-jazz_led-fix-bad-snprintf.patch Patch0057: 0057-slirp-smb-Replace-constant-strings-.patch Patch0058: 0058-altera_timer-fix-incorrect-memset.patch Patch0059: 0059-Hacks-for-building-on-gcc-7-Fedora-.patch +Patch0060: 0060-9pfs-local-fix-unlink-of-alien-file.patch +Patch0061: 0061-megasas-do-not-read-DCMD-opcode-mor.patch +Patch0062: 0062-megasas-always-store-SCSIRequest-in.patch +Patch0063: 0063-nbd-Fully-initialize-client-in-case.patch +Patch0064: 0064-9pfs-local-remove-use-correct-path-.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -200,6 +205,8 @@ Patch1100: ipxe-stable-buildid.patch Patch1101: ipxe-use-gcc6-for-more-compact-code.patch Patch1102: ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch Patch1103: ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch +Patch1104: ipxe-ath-Add-missing-break-statements.patch +Patch1105: ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch # sgabios # PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brogers@suse.com -- reproducible builds @@ -238,8 +245,10 @@ BuildRequires: e2fsprogs-devel BuildRequires: fdupes BuildRequires: gcc-c++ %if %{build_x86_firmware_from_source} +%if 0%{?suse_version} <= 1320 BuildRequires: gcc6 %endif +%endif BuildRequires: glib2-devel %if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315 BuildRequires: glusterfs-devel @@ -895,12 +904,21 @@ This package provides a service file for starting and stopping KSM. %patch0057 -p1 %patch0058 -p1 %patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 pushd roms/ipxe %patch1100 -p1 +%if 0%{?suse_version} <= 1320 %patch1101 -p1 +%endif %patch1102 -p1 %patch1103 -p1 +%patch1104 -p1 +%patch1105 -p1 popd pushd roms/sgabios diff --git a/qemu.spec.in b/qemu.spec.in index 608c50a6..05ed6ae3 100644 --- a/qemu.spec.in +++ b/qemu.spec.in 
@@ -141,6 +141,9 @@ PATCH_FILES Patch1100: ipxe-stable-buildid.patch Patch1101: ipxe-use-gcc6-for-more-compact-code.patch Patch1102: ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch +Patch1103: ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch +Patch1104: ipxe-ath-Add-missing-break-statements.patch +Patch1105: ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch # sgabios # PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brogers@suse.com -- reproducible builds @@ -179,8 +182,10 @@ BuildRequires: e2fsprogs-devel BuildRequires: fdupes BuildRequires: gcc-c++ %if %{build_x86_firmware_from_source} +%if 0%{?suse_version} <= 1320 BuildRequires: gcc6 %endif +%endif BuildRequires: glib2-devel %if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315 BuildRequires: glusterfs-devel @@ -781,8 +786,13 @@ PATCH_EXEC pushd roms/ipxe %patch1100 -p1 +%if 0%{?suse_version} <= 1320 %patch1101 -p1 +%endif %patch1102 -p1 +%patch1103 -p1 +%patch1104 -p1 +%patch1105 -p1 popd pushd roms/sgabios diff --git a/update_git.sh b/update_git.sh index d4a3fed8..91ecefa6 100644 --- a/update_git.sh +++ b/update_git.sh @@ -45,7 +45,7 @@ else (cd $GIT_DIR && git remote add upstream git://git.qemu-project.org/qemu.git) (cd $GIT_DIR && git remote update) fi -(cd $GIT_DIR && git format-patch -N $GIT_UPSTREAM_TAG --suffix= -o $CMP_DIR >/dev/null) +(cd $GIT_DIR && git format-patch -N $GIT_UPSTREAM_TAG --suffix= -o $CMP_DIR --no-renames >/dev/null) QEMU_VERSION=`cat $GIT_DIR/VERSION` echo "QEMU version: $QEMU_VERSION"
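Review bot: The added `--no-renames` on the `git format-patch` line carries no explanation in the script, and the reason is not obvious from the line itself: the generated files are presumably applied with `%patch`, i.e. patch(1), which does not understand git's rename headers, so a renamed file has to be emitted as a full delete plus add to apply at all. A comment on the line above it, `# --no-renames: the specs apply these with patch(1), which cannot follow git rename headers`, would record that; the changes-file entry only says "for better patch compatibility". The rest of update_git.sh continues outside the hunk.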